Keystone network isolation fixes

This patch adds explicit nested stack parameters to
help manage use of the Keystone Admin API vs. the
Keystone Public API.

We also add a new output parameter specifically for the Keystone admin
API VIP. This can be useful when configuring keystone endpoints
with network isolation.

Change-Id: I2bd3e61570151e2faeee14ee09b03ad0b3208cc1
Dan Prince 2015-07-23 22:19:25 -04:00
parent f498e7f3c0
commit ffd071417f
5 changed files with 25 additions and 8 deletions


@ -102,7 +102,10 @@ parameters:
default: default
constraints:
- custom_constraint: nova.keypair
KeystoneHost:
KeystoneAdminApiVirtualIP:
type: string
default: ''
KeystonePublicApiVirtualIP:
type: string
default: ''
NeutronBridgeMappings:
@ -409,7 +412,7 @@ resources:
glance_host: {get_param: GlanceHost}
glance_port: {get_param: GlancePort}
glance_protocol: {get_param: GlanceProtocol}
keystone_host: {get_param: KeystoneHost}
keystone_host: {get_param: KeystonePublicApiVirtualIP}
neutron_flat_networks: {get_param: NeutronFlatNetworks}
neutron_host: {get_param: NeutronHost}
neutron_local_ip: {get_attr: [NovaCompute, networks, ctlplane, 0]}
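Review bot: The parameters added in the first hunk, `KeystoneAdminApiVirtualIP` and `KeystonePublicApiVirtualIP`, have no `description` and default to `''`, so a parent stack that omits them renders an empty `keystone_host` in the second hunk instead of failing validation. A line such as `description: VIP of the Keystone public API (port 5000) on its ServiceNetMap network` on each would make the admin/public split explicit to operators, and the empty default could be dropped if the parent always supplies the value. The same applies to the parameter hunks in the other template sections of this commit. Removing `KeystoneHost` also breaks any out-of-tree parent template that still passes it, which the commit message could mention.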


@ -515,6 +515,9 @@ parameters:
MysqlVirtualIP:
type: string
default: ''
KeystoneAdminApiVirtualIP:
type: string
default: ''
KeystonePublicApiVirtualIP:
type: string
default: ''


@ -826,6 +826,7 @@ resources:
HeatApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, HeatApiNetwork]}]}
GlanceApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, GlanceApiNetwork]}]}
MysqlVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
KeystoneAdminApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]}
KeystonePublicApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]}
NeutronApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, NeutronApiNetwork]}]}
UpdateIdentifier: {get_param: UpdateIdentifier}
@ -858,7 +859,8 @@ resources:
Image: {get_param: NovaImage}
ImageUpdatePolicy: {get_param: ImageUpdatePolicy}
KeyName: {get_param: KeyName}
KeystoneHost: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]}
KeystoneAdminApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]}
KeystonePublicApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]}
NeutronBridgeMappings: {get_param: NeutronBridgeMappings}
NeutronEnableTunnelling: {get_param: NeutronEnableTunnelling}
NeutronFlatNetworks: {get_param: NeutronFlatNetworks}
@ -1297,6 +1299,9 @@ outputs:
- - http://
- {get_attr: [PublicVirtualIP, ip_address]}
- :5000/v2.0/
KeystoneAdminVip:
description: Keystone Admin VIP endpoint
value: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]}
PublicVip:
description: Controller VIP for public API endpoints
value: {get_attr: [PublicVirtualIP, ip_address]}
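Review bot: The new `KeystoneAdminVip` output is described as an "endpoint", but its value is the bare address from `net_ip_map`, unlike the URL assembled just above it with `http://` and `:5000/v2.0/`. Suggest `description: Keystone Admin API VIP address (IP only, no scheme or port)` so consumers do not treat it as a ready-made URL. The lookup also relies on `ServiceNetMap` containing a `KeystoneAdminApiNetwork` key, which is not visible in this section, so it is worth confirming that the default map defines it. Since stack outputs are readable by anyone who can show the stack, the description could also state that this address belongs to the isolated admin network and is not meant for public endpoint registration.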


@ -70,9 +70,12 @@ parameters:
default: default
constraints:
- custom_constraint: nova.keypair
KeystoneHost:
KeystoneAdminApiVirtualIP:
type: string
default: ''
KeystonePublicApiVirtualIP:
type: string
default: ''
NeutronBridgeMappings:
description: >
The OVS logical->physical bridge mappings to use. See the Neutron
@ -411,7 +414,7 @@ resources:
list_join:
- ''
- - 'http://'
- {get_param: KeystoneHost}
- {get_param: KeystonePublicApiVirtualIP}
- ':5000/v2.0'
snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
@ -472,7 +475,7 @@ resources:
list_join:
- ''
- - 'http://'
- {get_param: NeutronHost}
- {get_param: KeystoneAdminApiVirtualIP}
- ':35357/v2.0'
admin_password: {get_param: AdminPassword}
rabbit_username: {get_param: RabbitUserName}
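Review bot: Both rewritten URLs in this section keep a hard-coded `http://`, so the admin-API authentication on `:35357/v2.0` (configured next to `admin_password`) still travels unencrypted, now over whatever network `KeystoneAdminApiNetwork` maps to. Network isolation narrows who can observe that traffic but does not replace transport encryption; a protocol parameter modelled on the `GlanceProtocol` already used in the first template section would let deployments switch these URLs to TLS without editing the template. The same hard-coded scheme appears in the two `:35357` hunks of the following section. The third hunk also replaces `NeutronHost` with the Keystone admin VIP, which looks like a fix for a wrong host rather than part of the isolation work; a line in the commit message would help reviewers.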


@ -491,6 +491,9 @@ parameters:
MysqlVirtualIP:
type: string
default: ''
KeystoneAdminApiVirtualIP:
type: string
default: ''
KeystonePublicApiVirtualIP:
type: string
default: ''
@ -697,7 +700,7 @@ resources:
list_join:
- ''
- - 'http://'
- {get_param: KeystonePublicApiVirtualIP}
- {get_param: KeystoneAdminApiVirtualIP}
- ':35357/'
keystone_auth_uri:
list_join:
@ -783,7 +786,7 @@ resources:
list_join:
- ''
- - 'http://'
- {get_param: KeystonePublicApiVirtualIP}
- {get_param: KeystoneAdminApiVirtualIP}
- ':35357/v2.0'
ceilometer_backend: {get_param: CeilometerBackend}
ceilometer_metering_secret: {get_param: CeilometerMeteringSecret}