From a1a1e62012111e562dd2b1aabd0d6af3817eb307 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Wed, 22 Jul 2020 15:16:15 +0900
Subject: [PATCH] Unset public_endpoint by default

When public_endpoint is set but different urls are used for endpoints (especially for admin endpoint and public endpoint), it can cause problem with self-url detection in keystone because it always assumes that the url should be directed to that public_endpoint even when a request comes from admin endpoint.

This patch makes public_endpoint unset by default to avoid issues in the deployment where admin endpoint and public endpoint are still separated.

Related-bug: #1889017
Change-Id: Ia43e9dcd8085bbb0954b64873504398a85771032
---
 manifests/init.pp                                  | 47 +++----------------
 ...nset-public_endpoint-1f28429335f3d0d7.yaml      |  6 +++
 spec/classes/keystone_init_spec.rb                 | 44 +----------------
 3 files changed, 14 insertions(+), 83 deletions(-)
 create mode 100644 releasenotes/notes/unset-public_endpoint-1f28429335f3d0d7.yaml

diff --git a/manifests/init.pp b/manifests/init.pp
index f30e8a3dd..49a24f8f2 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -211,10 +211,7 @@
 # (Optional) The base public endpoint URL for keystone that are
 # advertised to clients (NOTE: this does NOT affect how
 # keystone listens for connections) (string value)
-# If set to false, public_endpoint will be set from public_bind_host and
-# public_port, or default to http://127.0.0.1:5000
-# Sample value: 'http://localhost:5000/'
-# Defaults to undef
+# Defaults to $::os_service_default
 #
 # [*enable_ssl*]
 # (Optional) Toggle for SSL support on the keystone eventlet servers.
@@ -565,7 +562,7 @@ class keystone(
   $revoke_driver = $::os_service_default,
   $revoke_by_id = true,
   $admin_endpoint = $::os_service_default,
-  $public_endpoint = undef,
+  $public_endpoint = $::os_service_default,
   $enable_ssl = false,
   $ssl_certfile = '/etc/keystone/ssl/certs/keystone.pem',
   $ssl_keyfile = '/etc/keystone/ssl/private/keystonekey.pem',
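Review bot: The rewritten doc comment says only `Defaults to $::os_service_default` and no longer tells an operator what the service default means for them now that the fallback to `http://127.0.0.1:5000` is gone. As far as I know, an unset `public_endpoint` makes keystone build the advertised URL from each request's host and proxy headers, so a deployment behind a TLS-terminating proxy or load balancer needs this parameter set (or the proxy headers handled) or the catalog and discovery URLs will point at the backend host; the old sample value also went away with the removed lines. I would add `# When unset, keystone derives the advertised URL from each request (host and` / `# proxy headers); set it explicitly behind a reverse proxy or TLS terminator.` / `# Sample value: 'http://localhost:5000/'` after the new default line. The parameter documentation block continues outside the hunk.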
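Review bot: Changing the default to `$::os_service_default` leaves `false`, which the documentation removed in the hunk above listed as a valid value, with no meaning and no check, and the parameter still has no type. With the `if ! $public_endpoint` branch gone in the hunk at line 683, a manifest that still passes `public_endpoint => false` hands that value straight to the `keystone_config` write in the hunk at line 762, where I would expect it to end up as the string `false` in keystone.conf rather than being left unset. A small compatibility guard in the class body, `if $public_endpoint == false { fail('keystone::public_endpoint => false is no longer supported; unset it or pass the full URL') }`, or a deprecation warning that maps `false` to the service default, makes the upgrade failure explicit instead of silent. The class parameter list continues outside the hunk.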
@@ -683,43 +680,13 @@ class keystone(
   }
 
   if $public_bind_host {
-    warning('keystone::public_bind_host is deprecated, and will have no effect and be removed in a later release.')
-    case $public_bind_host {
-      '0.0.0.0': {
-        $public_host = '127.0.0.1'
-      }
-      '::0': {
-        $public_host = '[::1]'
-      }
-      default: {
-        $public_host = normalize_ip_for_uri($public_bind_host)
-      }
-    }
-  } else {
-    $public_host = '127.0.0.1'
+    warning('keystone::public_bind_host is deprecated. This parameter has no effect and \
+will be removed in a later release.')
   }
 
   if $public_port {
-    warning('keystone::public_port is deprecated, and will have no effect and be removed in a later release')
-    $public_port_real = $public_port
-  } else {
-    $public_port_real = '5000'
-  }
-
-  if ! $public_endpoint {
-    warning('keystone::public_endpoint is not set, but will be required in a later release')
-
-    if $enable_ssl {
-      $public_protocol = 'https'
-    } else {
-      $public_protocol = 'http'
-    }
-    $public_endpoint_real = "${public_protocol}://${public_host}:${$public_port_real}"
-  } else {
-    if ('v2.0' in $public_endpoint) {
-      warning('Version string /v2.0/ should not be included in keystone::public_endpoint')
-    }
-    $public_endpoint_real = $public_endpoint
+    warning('keystone::public_port is deprecated. This parameter has no effect and \
+will be removed in a later release')
   }
 
   if $manage_policyrcd {
@@ -762,7 +729,7 @@ class keystone(
 
   # Endpoint configuration
   keystone_config {
-    'DEFAULT/public_endpoint': value => $public_endpoint_real;
+    'DEFAULT/public_endpoint': value => $public_endpoint;
   }
 
   keystone_config {
diff --git a/releasenotes/notes/unset-public_endpoint-1f28429335f3d0d7.yaml b/releasenotes/notes/unset-public_endpoint-1f28429335f3d0d7.yaml
new file mode 100644
index 000000000..882c89fdc
--- /dev/null
+++ b/releasenotes/notes/unset-public_endpoint-1f28429335f3d0d7.yaml
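Review bot: The two new `warning()` messages are single-quoted Puppet strings split with a trailing backslash, and Puppet's single-quoted strings only recognise `\\` and `\'` as escapes, so unless the parser strips it (which I do not believe it does) the logged text will contain a literal backslash followed by a newline in the middle of the sentence. Keep each message on one line, `warning('keystone::public_bind_host is deprecated. This parameter has no effect and will be removed in a later release.')` and the same for `public_port`, whose message should also end with a period like the first. Removing the `else` branch also dropped the `'v2.0' in $public_endpoint` warning; an explicitly configured endpoint that carries the version string is still a misconfiguration, so that three-line check is worth keeping ahead of the `keystone_config` write. The class body continues outside the hunk.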
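Review bot: The write of `DEFAULT/public_endpoint` now passes `$public_endpoint` through unchanged, and nothing at the call site says that the service-default sentinel is meant to leave the option absent (as I understand the `keystone_config` type) so that keystone falls back to per-request URL detection; a short comment would help the next reader, e.g. `# Left at the service default the option is absent from keystone.conf and keystone derives the public URL from each request`. The release note added in this patch refers to the option as ``default/public_endpiint``, which does not match the `DEFAULT/public_endpoint` key written here and looks like a typo. The class body continues outside the hunk.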
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    The ``default/public_endpiint`` parameter is no longer set by default
+    because of known issue with different hosts/protocol used for each
+    endpoints (especially for admin endpoint and public endpoint)
diff --git a/spec/classes/keystone_init_spec.rb b/spec/classes/keystone_init_spec.rb
index 05734e73c..68b01fe87 100644
--- a/spec/classes/keystone_init_spec.rb
+++ b/spec/classes/keystone_init_spec.rb
@@ -164,7 +164,7 @@ describe 'keystone' do
         if param_hash['public_endpoint']
           is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value(param_hash['public_endpoint'])
         else
-          is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('http://127.0.0.1:5000')
+          is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('')
         end
       end
 
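Review bot: The default-case expectation now asserts `with_value('')`, but the manifest's default for `public_endpoint` is `$::os_service_default`, which the puppet-openstack spec helpers normally surface as the string `'<SERVICE DEFAULT>'`; an empty string would only be correct if this spec context does not provide that fact. If the assertion passes as written, I would check that the shared example is not green for the wrong reason, for instance `param_hash` always carrying a `public_endpoint` so this branch is never exercised. Matching the other service-default assertions, `is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('<SERVICE DEFAULT>')`, would make the intent explicit. The enclosing example block starts before the hunk.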
@@ -265,45 +265,6 @@ describe 'keystone' do
       )
     }
   end
 
-  describe 'when public_bind_host or public_bind_port are set' do
-    describe 'when ipv6 loopback is set' do
-      let :params do
-        {
-          :public_bind_host => '::0'
-        }
-      end
-      it { is_expected.to contain_keystone_config("DEFAULT/public_endpoint").with_value('http://[::1]:5000') }
-    end
-
-    describe 'when ipv4 address is set' do
-      let :params do
-        {
-          :public_bind_host => '192.168.0.1',
-          :public_port => '15000'
-        }
-      end
-      it { is_expected.to contain_keystone_config("DEFAULT/public_endpoint").with_value('http://192.168.0.1:15000') }
-    end
-
-    describe 'when unenclosed ipv6 address is set' do
-      let :params do
-        {
-          :public_bind_host => '2001:db8::1'
-        }
-      end
-      it { is_expected.to contain_keystone_config("DEFAULT/public_endpoint").with_value('http://[2001:db8::1]:5000') }
-    end
-
-    describe 'when enclosed ipv6 address is set' do
-      let :params do
-        {
-          :public_bind_host => '[2001:db8::1]'
-        }
-      end
-      it { is_expected.to contain_keystone_config("DEFAULT/public_endpoint").with_value('http://[2001:db8::1]:5000') }
-    end
-  end
-
   describe 'when using invalid service name for keystone' do
     let (:params) { {'service_name' => 'foo'}.merge(default_params) }
@@ -384,7 +345,6 @@ describe 'keystone' do
     let :params do
       {
         'enable_ssl' => true,
-        'public_endpoint' => 'https://localhost:5000',
       }
     end
     it {is_expected.to contain_keystone_config('ssl/enable').with_value(true)}
@@ -393,7 +353,6 @@ describe 'keystone' do
     it {is_expected.to contain_keystone_config('ssl/ca_certs').with_value('/etc/keystone/ssl/certs/ca.pem')}
     it {is_expected.to contain_keystone_config('ssl/ca_key').with_value('/etc/keystone/ssl/private/cakey.pem')}
     it {is_expected.to contain_keystone_config('ssl/cert_subject').with_value('/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost')}
-    it {is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('https://localhost:5000')}
   end
 
   describe 'when disabling SSL' do
@@ -403,7 +362,6 @@ describe 'keystone' do
       }
     end
     it {is_expected.to contain_keystone_config('ssl/enable').with_value(false)}
-    it {is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('http://127.0.0.1:5000')}
   end
 
   describe 'not setting notification settings by default' do