2.4 KiB
Stop generating admin endpoints in the keystone catalog
The admin endpoints offer no special functionality, users may talk to the public endpoints instead. The only historic use case has been the keystone v2 admin endpoint, but with keystone v3 API, even that is no longer needed.
Problem description
Currently we generate admin endpoints for almost all services. As the service catalog is sent to the API user for every transaction, this generates some amount of overhead, as these endpoints aren't really needed anymore. Dropping them will also reduce the time needed for chef runs.
Proposed change
Drop the admin endpoints from all identity_registration recipes in our cookbooks. This will affect:
- cookbook-openstack-block-storage
- cookbook-openstack-compute
- cookbook-openstack-identity
- cookbook-openstack-image
- cookbook-openstack-networking
- cookbook-openstack-orchestration
- cookbook-openstack-telemetry
Alternatives
Stick to the status quo.
Data model impact
None
REST API impact
None
Security impact
Deployments that have been using a different admin endpoint with restricted access may need to switch to using the internal endpoint instead.
Notifications impact
None
Other end user impact
None
Performance Impact
The size of the service catalog will be reduced, as well as the duration of chef runs, both with positively impact performance.
Other deployer impact
Deployments that in some way make unexpected use of the admin endpoints will need to be adapted.
Developer impact
None
Implementation
Assignee(s)
- Primary assignee:
-
<j-rosenboom-j>
- Other contributors:
-
<jklare>
Work Items
- Update identity_registration recipes
- Check for unknown dependencies
Dependencies
None
Testing
Our integration tests should have sufficient coverage in order to make sure that this change doesn't have any negative impact.
Documentation Impact
None
References
None