Unset public_endpoint by default

When public_endpoint is set but different URLs are used for the endpoints
(especially for the admin endpoint and the public endpoint), it can cause
problems with self-URL detection in keystone, because keystone always assumes
that the URL should be directed to that public_endpoint, even when
a request comes in via the admin endpoint.

This patch makes public_endpoint unset by default to avoid issues in
the deployment where admin endpoint and public endpoint are still
separated.

Related-bug: #1889017
Change-Id: Ia43e9dcd8085bbb0954b64873504398a85771032
Takashi Kajinami 2020-07-22 15:16:15 +09:00
parent 4d0889a3dd
commit a1a1e62012
3 changed files with 14 additions and 83 deletions


@ -211,10 +211,7 @@
# (Optional) The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value)
# If set to false, public_endpoint will be set from public_bind_host and
# public_port, or default to http://127.0.0.1:5000
# Sample value: 'http://localhost:5000/'
# Defaults to undef
# Defaults to $::os_service_default
#
# [*enable_ssl*]
# (Optional) Toggle for SSL support on the keystone eventlet servers.
@ -565,7 +562,7 @@ class keystone(
$revoke_driver = $::os_service_default,
$revoke_by_id = true,
$admin_endpoint = $::os_service_default,
$public_endpoint = undef,
$public_endpoint = $::os_service_default,
$enable_ssl = false,
$ssl_certfile = '/etc/keystone/ssl/certs/keystone.pem',
$ssl_keyfile = '/etc/keystone/ssl/private/keystonekey.pem',
@ -683,43 +680,13 @@ class keystone(
}
if $public_bind_host {
warning('keystone::public_bind_host is deprecated, and will have no effect and be removed in a later release.')
case $public_bind_host {
'0.0.0.0': {
$public_host = '127.0.0.1'
}
'::0': {
$public_host = '[::1]'
}
default: {
$public_host = normalize_ip_for_uri($public_bind_host)
}
}
} else {
$public_host = '127.0.0.1'
warning('keystone::public_bind_host is deprecated. This parameter has no effect and \
will be removed in a later release.')
}
if $public_port {
warning('keystone::public_port is deprecated, and will have no effect and be removed in a later release')
$public_port_real = $public_port
} else {
$public_port_real = '5000'
}
if ! $public_endpoint {
warning('keystone::public_endpoint is not set, but will be required in a later release')
if $enable_ssl {
$public_protocol = 'https'
} else {
$public_protocol = 'http'
}
$public_endpoint_real = "${public_protocol}://${public_host}:${$public_port_real}"
} else {
if ('v2.0' in $public_endpoint) {
warning('Version string /v2.0/ should not be included in keystone::public_endpoint')
}
$public_endpoint_real = $public_endpoint
warning('keystone::public_port is deprecated. This parameter has no effect and \
will be removed in a later release')
}
if $manage_policyrcd {
@ -762,7 +729,7 @@ class keystone(
# Endpoint configuration
keystone_config {
'DEFAULT/public_endpoint': value => $public_endpoint_real;
'DEFAULT/public_endpoint': value => $public_endpoint;
}
keystone_config {
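Review bot: The `'v2.0' in $public_endpoint` check is dropped together with the computed-endpoint branch, so a user-supplied public_endpoint that still carries the version path now reaches keystone.conf without the former warning; that check was independent of the default change and should survive as `if $public_endpoint != $::os_service_default and 'v2.0' in $public_endpoint { warning('Version string /v2.0/ should not be included in keystone::public_endpoint') }` placed ahead of the `if $manage_policyrcd` block. With the default now `$::os_service_default`, the value written at `'DEFAULT/public_endpoint': value => $public_endpoint;` is the service default rather than a computed URL, which is what the description intends; the keystone_config type presumably handles that sentinel, but confirm no caller relied on the old `http://127.0.0.1:5000` fallback. The retained deprecation warnings for public_bind_host and public_port are rendered here with a trailing backslash continuation, so their exact text could not be checked on this page. The enclosing `class keystone` starts before the first hunk.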


@ -0,0 +1,6 @@
---
fixes:
- |
The ``default/public_endpiint`` parameter is no longer set by default
because of known issue with different hosts/protocol used for each
endpoints (especially for admin endpoint and public endpoint)


@ -164,7 +164,7 @@ describe 'keystone' do
if param_hash['public_endpoint']
is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value(param_hash['public_endpoint'])
else
is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('http://127.0.0.1:5000')
is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('<SERVICE DEFAULT>')
end
end
@ -265,45 +265,6 @@ describe 'keystone' do
) }
end
describe 'when public_bind_host or public_bind_port are set' do
describe 'when ipv6 loopback is set' do
let :params do
{
:public_bind_host => '::0'
}
end
it { is_expected.to contain_keystone_config("DEFAULT/public_endpoint").with_value('http://[::1]:5000') }
end
describe 'when ipv4 address is set' do
let :params do
{
:public_bind_host => '192.168.0.1',
:public_port => '15000'
}
end
it { is_expected.to contain_keystone_config("DEFAULT/public_endpoint").with_value('http://192.168.0.1:15000') }
end
describe 'when unenclosed ipv6 address is set' do
let :params do
{
:public_bind_host => '2001:db8::1'
}
end
it { is_expected.to contain_keystone_config("DEFAULT/public_endpoint").with_value('http://[2001:db8::1]:5000') }
end
describe 'when enclosed ipv6 address is set' do
let :params do
{
:public_bind_host => '[2001:db8::1]'
}
end
it { is_expected.to contain_keystone_config("DEFAULT/public_endpoint").with_value('http://[2001:db8::1]:5000') }
end
end
describe 'when using invalid service name for keystone' do
let (:params) { {'service_name' => 'foo'}.merge(default_params) }
@ -384,7 +345,6 @@ describe 'keystone' do
let :params do
{
'enable_ssl' => true,
'public_endpoint' => 'https://localhost:5000',
}
end
it {is_expected.to contain_keystone_config('ssl/enable').with_value(true)}
@ -393,7 +353,6 @@ describe 'keystone' do
it {is_expected.to contain_keystone_config('ssl/ca_certs').with_value('/etc/keystone/ssl/certs/ca.pem')}
it {is_expected.to contain_keystone_config('ssl/ca_key').with_value('/etc/keystone/ssl/private/cakey.pem')}
it {is_expected.to contain_keystone_config('ssl/cert_subject').with_value('/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost')}
it {is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('https://localhost:5000')}
end
describe 'when disabling SSL' do
@ -403,7 +362,6 @@ describe 'keystone' do
}
end
it {is_expected.to contain_keystone_config('ssl/enable').with_value(false)}
it {is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('http://127.0.0.1:5000')}
end
describe 'not setting notification settings by default' do
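Review bot: After the whole 'when public_bind_host or public_bind_port are set' block is removed, no example asserts that the still-accepted (deprecated) public_bind_host and public_port parameters no longer feed into DEFAULT/public_endpoint, which is the behavioural change the manifest makes. A replacement example that sets both parameters and expects `'<SERVICE DEFAULT>'`, as below, would pin that. Dropping the explicit `https://localhost:5000` expectation from the SSL examples also leaves the user-supplied-value branch at `if param_hash['public_endpoint']` covered only if some shared param_hash sets public_endpoint; confirm one does. The `describe 'keystone'` block continues outside these hunks.
```ruby
# … unchanged: preceding examples …
describe 'when public_bind_host and public_port are set' do
  let :params do
    {
      :public_bind_host => '192.168.0.1',
      :public_port      => '15000'
    }
  end
  it { is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('<SERVICE DEFAULT>') }
end
# … unchanged: remaining examples …
```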