Merge "post-2023.1: Remove keystone admin endpoint bits" into stable/2023.2

2024-04-15 07:52:32 +00:00 · 2024-04-15 07:52:32 +00:00 · b19715f8fb
commit b19715f8fb
parent 25891aa6ce 1b6c1cb3db
6 changed files with 28 additions and 5 deletions
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@ -195,18 +195,15 @@ keystone_enabled_notification_topics: "{{ keystone_notification_topics | selecta
 # Keystone
 ####################
 keystone_service_endpoints:
+  - {'interface': 'admin', 'url': '{{ keystone_internal_url }}', 'state': 'absent'}
  - {'interface': 'internal', 'url': '{{ keystone_internal_url }}'}
  - {'interface': 'public', 'url': '{{ keystone_public_url }}'}

-# TODO(yoctozepto): Remove admin_endpoint leftovers in Antelope (2023.1).
-keystone_service_admin_endpoint: {'interface': 'admin', 'url': '{{ keystone_internal_url }}'}
-keystone_create_admin_endpoint: false
-
 keystone_ks_services:
  - name: "keystone"
    type: "identity"
    description: "Openstack Identity Service"
-    endpoints: "{{ keystone_service_endpoints + ([keystone_service_admin_endpoint] if kolla_action == 'upgrade' or keystone_create_admin_endpoint | bool else []) }}"
+    endpoints: "{{ keystone_service_endpoints }}"

 keystone_ks_roles:
  - service
--- a/ansible/roles/keystone/tasks/upgrade.yml
+++ b/ansible/roles/keystone/tasks/upgrade.yml
@ -56,3 +56,11 @@
  run_once: True
  when:
    - not use_preconfigured_databases | bool
+
+# NOTE(mgoddard): Remove the admin endpoint.
+- import_role:
+    name: service-ks-register
+  vars:
+    service_ks_register_auth: "{{ openstack_keystone_auth }}"
+    service_ks_register_services: "{{ keystone_ks_services }}"
+  run_once: True
--- a/ansible/roles/service-ks-register/defaults/main.yml
+++ b/ansible/roles/service-ks-register/defaults/main.yml
@ -15,6 +15,7 @@ service_ks_register_domain: "default"
 # fields:
 # 'url'
 # 'interface'
+# 'state' (optional)
 service_ks_register_services: []
 # A list of users and associated roles for this service to register with
 # Keystone. Each item should provide the following fields:
--- a/ansible/roles/service-ks-register/tasks/main.yml
+++ b/ansible/roles/service-ks-register/tasks/main.yml
@ -34,6 +34,7 @@
          auth: "{{ service_ks_register_auth }}"
          interface: "{{ service_ks_register_interface }}"
          cacert: "{{ service_ks_cacert }}"
+          state: "{{ item.1.state | default(omit) }}"
      with_subelements:
        - "{{ service_ks_register_services }}"
        - endpoints
--- a/releasenotes/notes/remove-keystone-admin-endpoint-cb3b224e9e7a892f.yaml
+++ b/releasenotes/notes/remove-keystone-admin-endpoint-cb3b224e9e7a892f.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes an issue where the Keystone admin endpoint would be recreated when
+    upgrading Keystone. The endpoint is now explicitly removed during the
+    upgrade process.
--- a/tests/test-core-openstack.sh
+++ b/tests/test-core-openstack.sh
@ -407,12 +407,22 @@ function test_instance_boot {
    fi
 }

+function test_keystone_admin_endpoint {
+    echo "TESTING: Keystone admin endpoint removal"
+    if [[ $(openstack endpoint list --service keystone --interface admin -f value | wc -l) -ne 0 ]]; then
+        echo "ERROR: Found Keystone admin endpoint"
+        exit 1
+    fi
+    echo "SUCCESS: Keystone admin endpoint removal"
+}
+
 function test_openstack_logged {
    . /etc/kolla/admin-openrc.sh
    . ~/openstackclient-venv/bin/activate
    test_smoke
    test_neutron_modules
    test_instance_boot
+    test_keystone_admin_endpoint

    # Check for x86_64 architecture to run q35 tests
    if [[ $(uname -m) == "x86_64" ]]; then