From 2de73e76243948036bb1bdcaec5b805ddb26676d Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Fri, 10 Jun 2022 13:50:57 +0900 Subject: [PATCH] Keystone: Remove unnecessary binds for admin endpoint In the past Keystone required a separate instance for admin endpoint. However that requirement was removed and current TripleO deploys only a single keystone instance, which listens on tcp/5000 in KeystonePublicApiNetwork [1]. Now haproxy forwards all keystone api access to tcp/5000 in KeystonePublicApiNetwork and no longer uses backend on tcp/35357 in KeystoneAdminApiNetwork. [1] 5bd82e9ef051e732c0f991eaf4f9e3572aac87f6 Closes-Bug: #1978131 Change-Id: I9daaf69463e74f0f7fb63586ff6464194391da30 --- .../keystone/keystone-container-puppet.yaml | 20 +++++-------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml index 44b0d38776..94d2aaaac8 100644 --- a/deployment/keystone/keystone-container-puppet.yaml +++ b/deployment/keystone/keystone-container-puppet.yaml @@ -499,7 +499,6 @@ outputs: '111 keystone': dport: - 5000 - - {get_param: [EndpointMap, KeystoneAdmin, port]} firewall_frontend_rules: '100 keystone_public_haproxy_frontend': dport: @@ -582,9 +581,6 @@ outputs: keystone::service_name: 'httpd' keystone::enable_ssl: {get_param: EnableInternalTLS} keystone::wsgi::apache::access_log_format: 'forwarded' - keystone::wsgi::apache::api_port: - - 5000 - - {get_param: [EndpointMap, KeystoneAdmin, port]} keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS} keystone::wsgi::apache::servername: str_replace: 
@@ -603,18 +599,12 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - # NOTE: this applies to all 2 bind IP settings below... keystone::wsgi::apache::bind_host: - - str_replace: - template: - "%{lookup('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} - - str_replace: - template: - "%{lookup('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} + str_replace: + template: + "%{lookup('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} - keystone::cache::enabled: {get_param: EnableCache} keystone::cache::tls_enabled: {get_param: MemcachedTLS} - if:
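Review bot: The `keystone::wsgi::apache::bind_host` value changes here from a two-element list to a single string, and nothing left in the hunk records that the listener is now deliberately limited to the KeystonePublicApiNetwork address. With the `# NOTE: this applies to all 2 bind IP settings below...` line gone, I would add a short comment above the key, for example `# Single listener: admin API traffic is served on the KeystonePublicApiNetwork address; there is no bind on KeystoneAdminApiNetwork.`, so that a later edit does not widen the bind again unnoticed. Where ServiceNetMap maps KeystoneAdminApiNetwork to a different network than KeystonePublicApiNetwork, anything that reached keystone directly on that address will stop working after this change; that looks intended, but it deserves a release note. The list-to-string type change presumably suits the puppet class, but that is not visible in this diff and is worth confirming. The surrounding config_settings map starts and ends outside the hunk.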