Set region in authtoken middleware settings

While we can specify keystone region where all keystone resources are created, currently we don't set the specified region correctly in credential configurations used for authtoken middleware. Configure region parameter for authtoken according to the parameter KeystoneRegion so that we're consistent about the region where we expect to have service users created. Change-Id: Icc0ee9a859c2c67cae92339c6b4102946150269f
2020-01-18 21:34:55 +09:00 · 2020-01-18 21:34:55 +09:00 · 26305fae91
parent fe56b682c3
commit 26305fae91
13 changed files with 22 additions and 1 deletions
--- a/deployment/aodh/aodh-base.yaml
+++ b/deployment/aodh/aodh-base.yaml
@ -107,6 +107,7 @@ outputs:
        aodh::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
        aodh::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
        aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
+        aodh::keystone::authtoken::region_name: {get_param: KeystoneRegion}
        aodh::auth::auth_password: {get_param: AodhPassword}
        aodh::auth::auth_region: {get_param: KeystoneRegion}
        aodh::auth::auth_tenant_name: 'service'
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@ -216,8 +216,9 @@ outputs:
            barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
            barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
-            barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            barbican::keystone::authtoken::project_name: 'service'
+            barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            barbican::keystone::notification::enable_keystone_notification: True
            barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
            barbican::policy::policies: {get_param: BarbicanPolicies}
--- a/deployment/ceilometer/ceilometer-base-container-puppet.yaml
+++ b/deployment/ceilometer/ceilometer-base-container-puppet.yaml
@ -148,6 +148,7 @@ outputs:
            ceilometer::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            ceilometer::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            ceilometer::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
+            ceilometer::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            ceilometer::agent::auth::auth_password: {get_param: CeilometerPassword}
            ceilometer::agent::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            ceilometer::agent::notification::manage_event_pipeline: {get_param: ManageEventPipeline}
--- a/deployment/experimental/designate/designate-api-container-puppet.yaml
+++ b/deployment/experimental/designate/designate-api-container-puppet.yaml
@ -103,6 +103,7 @@ outputs:
            designate::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            designate::keystone::authtoken::project_name: 'service'
            designate::keystone::authtoken::password: {get_param: DesignatePassword}
+            designate::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            tripleo::profile::base::designate::api::listen_ip:
              str_replace:
                template:
--- a/deployment/gnocchi/gnocchi-api-container-puppet.yaml
+++ b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
@ -180,6 +180,7 @@ outputs:
            gnocchi::keystone::authtoken::project_name: 'service'
            gnocchi::keystone::authtoken::user_domain_name: 'Default'
            gnocchi::keystone::authtoken::project_domain_name: 'Default'
+            gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            gnocchi::wsgi::apache::servername:
              str_replace:
--- a/deployment/ironic/ironic-api-container-puppet.yaml
+++ b/deployment/ironic/ironic-api-container-puppet.yaml
@ -133,6 +133,7 @@ outputs:
            ironic::api::authtoken::username: 'ironic'
            ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            ironic::api::authtoken::region_name: {get_param: KeystoneRegion }
            # NOTE: bind IP is found in hiera replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
--- a/deployment/ironic/ironic-inspector-container-puppet.yaml
+++ b/deployment/ironic/ironic-inspector-container-puppet.yaml
@ -256,6 +256,7 @@ outputs:
            ironic::inspector::authtoken::project_name: 'service'
            ironic::inspector::authtoken::user_domain_name: 'Default'
            ironic::inspector::authtoken::project_domain_name: 'Default'
+            ironic::inspector::authtoken::region_name: {get_param: KeystoneRegion}
            ironic::inspector::cors::allowed_origin: '*'
            ironic::inspector::cors::max_age: 3600
            ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
--- a/deployment/manila/manila-api-container-puppet.yaml
+++ b/deployment/manila/manila-api-container-puppet.yaml
@ -131,6 +131,7 @@ outputs:
            manila::keystone::authtoken::project_name: 'service'
            manila::keystone::authtoken::user_domain_name: 'Default'
            manila::keystone::authtoken::project_domain_name: 'Default'
+            manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            # NOTE: bind IP is found in hiera replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
--- a/deployment/mistral/mistral-base.yaml
+++ b/deployment/mistral/mistral-base.yaml
@ -54,6 +54,10 @@ parameters:
    type: string
    default: 'messagingv2'
    description: Driver or drivers to handle sending notifications.
+  KeystoneRegion:
+    type: string
+    default: 'regionOne'
+    description: Keystone region for endpoint

 conditions:
  service_debug_unset: {equals : [{get_param: MistralDebug}, '']}
@ -99,6 +103,7 @@ outputs:
        mistral::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
        mistral::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
        mistral::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+        mistral::keystone::authtoken::region_name: {get_param: KeystoneRegion}
        mistral::keystone_ec2_uri:
          list_join:
          - ''
--- a/deployment/nova/novajoin-container-puppet.yaml
+++ b/deployment/nova/novajoin-container-puppet.yaml
@ -133,6 +133,7 @@ outputs:
        nova::metadata::novajoin::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
        nova::metadata::novajoin::authtoken::password: {get_param: NovajoinPassword}
        nova::metadata::novajoin::authtoken::project_name: 'service'
+        nova::metadata::novajoin::authtoken::region_name: {get_param: KeystoneRegion}
        nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
      service_config_settings:
        nova_metadata: &nova_vendordata
--- a/deployment/octavia/octavia-api-container-puppet.yaml
+++ b/deployment/octavia/octavia-api-container-puppet.yaml
@ -154,6 +154,7 @@ outputs:
            octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
            octavia::keystone::authtoken::user_domain_name: 'Default'
            octavia::keystone::authtoken::project_domain_name: 'Default'
+            octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
            octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
            octavia::api::sync_db: true
--- a/deployment/sahara/sahara-base.yaml
+++ b/deployment/sahara/sahara-base.yaml
@ -63,6 +63,10 @@ parameters:
                 in order to have a sane default for Pacemaker deployments when
                 not configuring this parameter by default.
    type: comma_delimited_list
+  KeystoneRegion:
+    type: string
+    default: 'regionOne'
+    description: Keystone region for endpoint

 conditions:
  service_debug_unset: {equals : [{get_param: SaharaDebug}, '']}
@ -115,3 +119,4 @@ outputs:
        sahara::keystone::authtoken::project_name: 'service'
        sahara::keystone::authtoken::user_domain_name: 'Default'
        sahara::keystone::authtoken::project_domain_name: 'Default'
+        sahara::keystone::authtoken::region_name: {get_param: KeystoneRegion}
--- a/deployment/zaqar/zaqar-container-puppet.yaml
+++ b/deployment/zaqar/zaqar-container-puppet.yaml
@ -153,6 +153,7 @@ outputs:
            zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            zaqar::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
            zaqar::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
+            zaqar::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            zaqar::keystone::trust::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            zaqar::logging::debug:
              if: