authorDan Prince <dprince@redhat.com>2015-07-23 22:19:25 -0400
committerDan Prince <dprince@redhat.com>2015-09-05 07:29:13 -0400
commitffd071417f1ab5f610847d254f03811b4a3ad3b7 (patch)
treeb28b46d96b2f50b61a80ed19ddcbfa253164c692
parentf498e7f3c05f1d7df34251a2c16d870f7d12d521 (diff)
Keystone network isolation fixes
This patch adds explicit nested stack parameters to help manage use of the Keystone Admin API vs. the Keystone Public API. We also add a new output parameter specifically for the Keystone admin API VIP. This can be useful when configuring keystone endpoints with network isolation. Change-Id: I2bd3e61570151e2faeee14ee09b03ad0b3208cc1
-rw-r--r--compute.yaml7
-rw-r--r--controller.yaml3
-rw-r--r--overcloud-without-mergepy.yaml7
-rw-r--r--puppet/compute-puppet.yaml9
-rw-r--r--puppet/controller-puppet.yaml7
5 files changed, 25 insertions, 8 deletions
diff --git a/compute.yaml b/compute.yaml
index 933639ce..169e9cf2 100644
--- a/compute.yaml
+++ b/compute.yaml
@@ -102,7 +102,10 @@ parameters:
default: default
constraints:
- custom_constraint: nova.keypair
- KeystoneHost:
+ KeystoneAdminApiVirtualIP:
+ type: string
+ default: ''
+ KeystonePublicApiVirtualIP:
type: string
default: ''
NeutronBridgeMappings:
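Review bot: Both new parameters default to `''`, so a caller that omits one gets a blank Keystone address instead of a validation error; dropping the `default` would make Heat reject the stack before anything is configured with an empty host. Neither parameter has a `description`; something like `description: Virtual IP of the Keystone admin API` and `description: Virtual IP of the Keystone public API` would tell operators which network each one belongs to. `KeystoneAdminApiVirtualIP` is not referenced by the other compute.yaml hunk shown here, so it is presumably declared only so that the parent stack can pass it, which deserves a comment. Removing `KeystoneHost` outright also breaks any external template or environment that still sets it. The same applies to the parameter hunks in puppet/compute-puppet.yaml, controller.yaml and puppet/controller-puppet.yaml.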
@@ -409,7 +412,7 @@ resources:
glance_host: {get_param: GlanceHost}
glance_port: {get_param: GlancePort}
glance_protocol: {get_param: GlanceProtocol}
- keystone_host: {get_param: KeystoneHost}
+ keystone_host: {get_param: KeystonePublicApiVirtualIP}
neutron_flat_networks: {get_param: NeutronFlatNetworks}
neutron_host: {get_param: NeutronHost}
neutron_local_ip: {get_attr: [NovaCompute, networks, ctlplane, 0]}
diff --git a/controller.yaml b/controller.yaml
index 8b57fa0f..5156be59 100644
--- a/controller.yaml
+++ b/controller.yaml
@@ -515,6 +515,9 @@ parameters:
MysqlVirtualIP:
type: string
default: ''
+ KeystoneAdminApiVirtualIP:
+ type: string
+ default: ''
KeystonePublicApiVirtualIP:
type: string
default: ''
diff --git a/overcloud-without-mergepy.yaml b/overcloud-without-mergepy.yaml
index fcc7cc80..89db939a 100644
--- a/overcloud-without-mergepy.yaml
+++ b/overcloud-without-mergepy.yaml
@@ -826,6 +826,7 @@ resources:
HeatApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, HeatApiNetwork]}]}
GlanceApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, GlanceApiNetwork]}]}
MysqlVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
+ KeystoneAdminApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]}
KeystonePublicApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]}
NeutronApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, NeutronApiNetwork]}]}
UpdateIdentifier: {get_param: UpdateIdentifier}
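Review bot: The added `KeystoneAdminApiVirtualIP` property reads `KeystoneAdminApiNetwork` out of `ServiceNetMap`, but no hunk in this file touches the `ServiceNetMap` default, so the key has to exist there already; that is worth confirming before merge. An operator-supplied `ServiceNetMap` override that predates this key would presumably leave the admin VIP unresolved, so a comment next to the parameter, such as `# KeystoneAdminApiNetwork must be present in any ServiceNetMap override`, would help. The same lookup is repeated in the compute properties hunk and in the `KeystoneAdminVip` output below.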
@@ -858,7 +859,8 @@ resources:
Image: {get_param: NovaImage}
ImageUpdatePolicy: {get_param: ImageUpdatePolicy}
KeyName: {get_param: KeyName}
- KeystoneHost: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]}
+ KeystoneAdminApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]}
+ KeystonePublicApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]}
NeutronBridgeMappings: {get_param: NeutronBridgeMappings}
NeutronEnableTunnelling: {get_param: NeutronEnableTunnelling}
NeutronFlatNetworks: {get_param: NeutronFlatNetworks}
@@ -1297,6 +1299,9 @@ outputs:
- - http://
- {get_attr: [PublicVirtualIP, ip_address]}
- :5000/v2.0/
+ KeystoneAdminVip:
+ description: Keystone Admin VIP endpoint
+ value: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]}
PublicVip:
description: Controller VIP for public API endpoints
value: {get_attr: [PublicVirtualIP, ip_address]}
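Review bot: The `KeystoneAdminVip` description says "endpoint", but the value is the bare address from `net_ip_map`, unlike the output just above it, which joins `http://`, the address and `:5000/v2.0/` into a URL. A consumer that treats this output as a ready-made URL will misconfigure its admin endpoint. Suggest `description: Keystone Admin API virtual IP address (address only, no scheme or port)`.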
diff --git a/puppet/compute-puppet.yaml b/puppet/compute-puppet.yaml
index 3d5c9345..0e6db3d6 100644
--- a/puppet/compute-puppet.yaml
+++ b/puppet/compute-puppet.yaml
@@ -70,9 +70,12 @@ parameters:
default: default
constraints:
- custom_constraint: nova.keypair
- KeystoneHost:
+ KeystoneAdminApiVirtualIP:
type: string
default: ''
+ KeystonePublicApiVirtualIP:
+ type: string
+ default: ''
NeutronBridgeMappings:
description: >
The OVS logical->physical bridge mappings to use. See the Neutron
@@ -411,7 +414,7 @@ resources:
list_join:
- ''
- - 'http://'
- - {get_param: KeystoneHost}
+ - {get_param: KeystonePublicApiVirtualIP}
- ':5000/v2.0'
snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
@@ -472,7 +475,7 @@ resources:
list_join:
- ''
- - 'http://'
- - {get_param: NeutronHost}
+ - {get_param: KeystoneAdminApiVirtualIP}
- ':35357/v2.0'
admin_password: {get_param: AdminPassword}
rabbit_username: {get_param: RabbitUserName}
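Review bot: The admin URL built here still hard-codes `'http://'` in front of `KeystoneAdminApiVirtualIP`, with `admin_password` set in the same mapping, so whatever authenticates against port 35357 presumably sends credentials and tokens in cleartext. The commit corrects the host (previously `NeutronHost`) but leaves the scheme fixed. Consider taking the scheme from a parameter, or at least adding a comment such as `# plain HTTP: the Keystone admin API network must be an isolated, trusted network`. A literal IPv6 VIP would also produce an invalid URL, since the address is joined without brackets. The same `http://` join appears in the `:5000/v2.0` hunk above and in both puppet/controller-puppet.yaml hunks; the key that owns this `list_join` lies outside the hunk.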
diff --git a/puppet/controller-puppet.yaml b/puppet/controller-puppet.yaml
index b59bcfc7..a69c22e4 100644
--- a/puppet/controller-puppet.yaml
+++ b/puppet/controller-puppet.yaml
@@ -491,6 +491,9 @@ parameters:
MysqlVirtualIP:
type: string
default: ''
+ KeystoneAdminApiVirtualIP:
+ type: string
+ default: ''
KeystonePublicApiVirtualIP:
type: string
default: ''
@@ -697,7 +700,7 @@ resources:
list_join:
- ''
- - 'http://'
- - {get_param: KeystonePublicApiVirtualIP}
+ - {get_param: KeystoneAdminApiVirtualIP}
- ':35357/'
keystone_auth_uri:
list_join:
@@ -783,7 +786,7 @@ resources:
list_join:
- ''
- - 'http://'
- - {get_param: KeystonePublicApiVirtualIP}
+ - {get_param: KeystoneAdminApiVirtualIP}
- ':35357/v2.0'
ceilometer_backend: {get_param: CeilometerBackend}
ceilometer_metering_secret: {get_param: CeilometerMeteringSecret}