Unset public_endpoint by default

When public_endpoint is set but different URLs are used for the endpoints
(especially for the admin endpoint and the public endpoint), it can cause
problems with self-URL detection in keystone, because keystone always assumes
that the URL should be directed to that public_endpoint even when
a request comes from the admin endpoint.

This patch makes public_endpoint unset by default to avoid issues in
the deployment where admin endpoint and public endpoint are still
separated.

Related-bug: #1889017
Change-Id: Ia43e9dcd8085bbb0954b64873504398a85771032
Takashi Kajinami 2020-07-22 15:16:15 +09:00
parent 4d0889a3dd
commit a1a1e62012
3 changed files with 14 additions and 83 deletions


@ -211,10 +211,7 @@
# (Optional) The base public endpoint URL for keystone that are # (Optional) The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how # advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value) # keystone listens for connections) (string value)
# If set to false, public_endpoint will be set from public_bind_host and # Defaults to $::os_service_default
# public_port, or default to http://127.0.0.1:5000
# Sample value: 'http://localhost:5000/'
# Defaults to undef
# #
# [*enable_ssl*] # [*enable_ssl*]
# (Optional) Toggle for SSL support on the keystone eventlet servers. # (Optional) Toggle for SSL support on the keystone eventlet servers.
@ -565,7 +562,7 @@ class keystone(
$revoke_driver = $::os_service_default, $revoke_driver = $::os_service_default,
$revoke_by_id = true, $revoke_by_id = true,
$admin_endpoint = $::os_service_default, $admin_endpoint = $::os_service_default,
$public_endpoint = undef, $public_endpoint = $::os_service_default,
$enable_ssl = false, $enable_ssl = false,
$ssl_certfile = '/etc/keystone/ssl/certs/keystone.pem', $ssl_certfile = '/etc/keystone/ssl/certs/keystone.pem',
$ssl_keyfile = '/etc/keystone/ssl/private/keystonekey.pem', $ssl_keyfile = '/etc/keystone/ssl/private/keystonekey.pem',
@ -683,43 +680,13 @@ class keystone(
} }
if $public_bind_host { if $public_bind_host {
warning('keystone::public_bind_host is deprecated, and will have no effect and be removed in a later release.') warning('keystone::public_bind_host is deprecated. This parameter has no effect and \
case $public_bind_host { will be removed in a later release.')
'0.0.0.0': {
$public_host = '127.0.0.1'
}
'::0': {
$public_host = '[::1]'
}
default: {
$public_host = normalize_ip_for_uri($public_bind_host)
}
}
} else {
$public_host = '127.0.0.1'
} }
if $public_port { if $public_port {
warning('keystone::public_port is deprecated, and will have no effect and be removed in a later release') warning('keystone::public_port is deprecated. This parameter has no effect and \
$public_port_real = $public_port will be removed in a later release')
} else {
$public_port_real = '5000'
}
if ! $public_endpoint {
warning('keystone::public_endpoint is not set, but will be required in a later release')
if $enable_ssl {
$public_protocol = 'https'
} else {
$public_protocol = 'http'
}
$public_endpoint_real = "${public_protocol}://${public_host}:${$public_port_real}"
} else {
if ('v2.0' in $public_endpoint) {
warning('Version string /v2.0/ should not be included in keystone::public_endpoint')
}
$public_endpoint_real = $public_endpoint
} }
if $manage_policyrcd { if $manage_policyrcd {
@ -762,7 +729,7 @@ class keystone(
# Endpoint configuration # Endpoint configuration
keystone_config { keystone_config {
'DEFAULT/public_endpoint': value => $public_endpoint_real; 'DEFAULT/public_endpoint': value => $public_endpoint;
} }
keystone_config { keystone_config {
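Review bot: Rewriting the `if ! $public_endpoint` branch (hunk `@ -683,43 +680,13`) also drops the only sanity check on an operator-supplied value, the `'v2.0' in $public_endpoint` warning, so a versioned URL is now written to `DEFAULT/public_endpoint` without any notice; consider keeping it as `if !is_service_default($public_endpoint) and ('v2.0' in $public_endpoint) { warning('Version string /v2.0/ should not be included in keystone::public_endpoint') }`. In the same hunk the two new deprecation warnings split a single-quoted message with a trailing backslash; as far as I can tell Puppet single-quoted strings do not treat backslash-newline as a line continuation, so the logged text would carry a literal backslash, the line break and the following indentation — keeping each message on one line avoids that. The `class keystone(` parameter list and body both start and end outside these hunks.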


@ -0,0 +1,6 @@
---
fixes:
- |
The ``default/public_endpiint`` parameter is no longer set by default
because of known issue with different hosts/protocol used for each
endpoints (especially for admin endpoint and public endpoint)


@ -164,7 +164,7 @@ describe 'keystone' do
if param_hash['public_endpoint'] if param_hash['public_endpoint']
is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value(param_hash['public_endpoint']) is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value(param_hash['public_endpoint'])
else else
is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('http://127.0.0.1:5000') is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('<SERVICE DEFAULT>')
end end
end end
@ -265,45 +265,6 @@ describe 'keystone' do
) } ) }
end end
describe 'when public_bind_host or public_bind_port are set' do
describe 'when ipv6 loopback is set' do
let :params do
{
:public_bind_host => '::0'
}
end
it { is_expected.to contain_keystone_config("DEFAULT/public_endpoint").with_value('http://[::1]:5000') }
end
describe 'when ipv4 address is set' do
let :params do
{
:public_bind_host => '192.168.0.1',
:public_port => '15000'
}
end
it { is_expected.to contain_keystone_config("DEFAULT/public_endpoint").with_value('http://192.168.0.1:15000') }
end
describe 'when unenclosed ipv6 address is set' do
let :params do
{
:public_bind_host => '2001:db8::1'
}
end
it { is_expected.to contain_keystone_config("DEFAULT/public_endpoint").with_value('http://[2001:db8::1]:5000') }
end
describe 'when enclosed ipv6 address is set' do
let :params do
{
:public_bind_host => '[2001:db8::1]'
}
end
it { is_expected.to contain_keystone_config("DEFAULT/public_endpoint").with_value('http://[2001:db8::1]:5000') }
end
end
describe 'when using invalid service name for keystone' do describe 'when using invalid service name for keystone' do
let (:params) { {'service_name' => 'foo'}.merge(default_params) } let (:params) { {'service_name' => 'foo'}.merge(default_params) }
@ -384,7 +345,6 @@ describe 'keystone' do
let :params do let :params do
{ {
'enable_ssl' => true, 'enable_ssl' => true,
'public_endpoint' => 'https://localhost:5000',
} }
end end
it {is_expected.to contain_keystone_config('ssl/enable').with_value(true)} it {is_expected.to contain_keystone_config('ssl/enable').with_value(true)}
@ -393,7 +353,6 @@ describe 'keystone' do
it {is_expected.to contain_keystone_config('ssl/ca_certs').with_value('/etc/keystone/ssl/certs/ca.pem')} it {is_expected.to contain_keystone_config('ssl/ca_certs').with_value('/etc/keystone/ssl/certs/ca.pem')}
it {is_expected.to contain_keystone_config('ssl/ca_key').with_value('/etc/keystone/ssl/private/cakey.pem')} it {is_expected.to contain_keystone_config('ssl/ca_key').with_value('/etc/keystone/ssl/private/cakey.pem')}
it {is_expected.to contain_keystone_config('ssl/cert_subject').with_value('/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost')} it {is_expected.to contain_keystone_config('ssl/cert_subject').with_value('/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost')}
it {is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('https://localhost:5000')}
end end
describe 'when disabling SSL' do describe 'when disabling SSL' do
@ -403,7 +362,6 @@ describe 'keystone' do
} }
end end
it {is_expected.to contain_keystone_config('ssl/enable').with_value(false)} it {is_expected.to contain_keystone_config('ssl/enable').with_value(false)}
it {is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('http://127.0.0.1:5000')}
end end
describe 'not setting notification settings by default' do describe 'not setting notification settings by default' do
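Review bot: The examples removed in hunk `@ -265,45 +265,6` are not replaced by anything asserting that the still-accepted `public_bind_host`/`public_port` parameters no longer influence `DEFAULT/public_endpoint`; the manifest keeps accepting them with only a warning, so a regression back to synthesising the URL from the bind address would pass this spec unnoticed. One example setting both parameters and expecting `'<SERVICE DEFAULT>'`, mirroring the default-case assertion in the first hunk, would cover it. The enclosing `describe 'keystone' do` block starts and ends outside these hunks.
```ruby
# … unchanged: preceding examples …
describe 'when deprecated public_bind_host or public_port are set' do
  let :params do
    { :public_bind_host => '192.168.0.1', :public_port => '15000' }
  end
  it { is_expected.to contain_keystone_config('DEFAULT/public_endpoint').with_value('<SERVICE DEFAULT>') }
end
# … unchanged: 'when using invalid service name for keystone' …
```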