From ffd071417f1ab5f610847d254f03811b4a3ad3b7 Mon Sep 17 00:00:00 2001 From: Dan Prince Date: Thu, 23 Jul 2015 22:19:25 -0400 Subject: Keystone network isolation fixes This patch adds explicit nested stack parameters to help manage use of the Keystone Admin API vs. the Keystone Public API. We also add a new output parameter specifically for the Keystone admin API VIP. This can be useful when configuring keystone endpoints with network isolation. Change-Id: I2bd3e61570151e2faeee14ee09b03ad0b3208cc1 --- compute.yaml | 7 +++++-- controller.yaml | 3 +++ overcloud-without-mergepy.yaml | 7 ++++++- puppet/compute-puppet.yaml | 9 ++++++--- puppet/controller-puppet.yaml | 7 +++++-- 5 files changed, 25 insertions(+), 8 deletions(-) diff --git a/compute.yaml b/compute.yaml index 933639ce..169e9cf2 100644 --- a/compute.yaml +++ b/compute.yaml @@ -102,7 +102,10 @@ parameters: default: default constraints: - custom_constraint: nova.keypair - KeystoneHost: + KeystoneAdminApiVirtualIP: + type: string + default: '' + KeystonePublicApiVirtualIP: type: string default: '' NeutronBridgeMappings: @@ -409,7 +412,7 @@ resources: glance_host: {get_param: GlanceHost} glance_port: {get_param: GlancePort} glance_protocol: {get_param: GlanceProtocol} - keystone_host: {get_param: KeystoneHost} + keystone_host: {get_param: KeystonePublicApiVirtualIP} neutron_flat_networks: {get_param: NeutronFlatNetworks} neutron_host: {get_param: NeutronHost} neutron_local_ip: {get_attr: [NovaCompute, networks, ctlplane, 0]} diff --git a/controller.yaml b/controller.yaml index 8b57fa0f..5156be59 100644 --- a/controller.yaml +++ b/controller.yaml @@ -515,6 +515,9 @@ parameters: MysqlVirtualIP: type: string default: '' + KeystoneAdminApiVirtualIP: + type: string + default: '' KeystonePublicApiVirtualIP: type: string default: '' diff --git a/overcloud-without-mergepy.yaml b/overcloud-without-mergepy.yaml index fcc7cc80..89db939a 100644 --- a/overcloud-without-mergepy.yaml +++ b/overcloud-without-mergepy.yaml 
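Review bot: The new `KeystoneAdminApiVirtualIP` and `KeystonePublicApiVirtualIP` parameters in the first compute.yaml hunk carry no `description` and default to `''`, so a parent stack that forgets to pass them still validates but renders an endpoint with an empty host. The same pattern recurs in the controller.yaml hunk and in the parameter hunks of puppet/compute-puppet.yaml and puppet/controller-puppet.yaml. Consider adding `description: Virtual IP of the Keystone admin API (port 35357)` and, if every caller is expected to supply the value, dropping `default: ''` so that a missing value fails at stack validation instead of at service start. In the compute.yaml hunks shown here only `keystone_host` is rewired (to the public VIP), so `KeystoneAdminApiVirtualIP` appears to be declared but unused in that template; the parameters and resources sections continue outside the hunks.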
@@ -826,6 +826,7 @@ resources: HeatApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, HeatApiNetwork]}]} GlanceApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, GlanceApiNetwork]}]} MysqlVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, MysqlNetwork]}]} + KeystoneAdminApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]} KeystonePublicApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]} NeutronApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, NeutronApiNetwork]}]} UpdateIdentifier: {get_param: UpdateIdentifier} @@ -858,7 +859,8 @@ resources: Image: {get_param: NovaImage} ImageUpdatePolicy: {get_param: ImageUpdatePolicy} KeyName: {get_param: KeyName} - KeystoneHost: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]} + KeystoneAdminApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]} + KeystonePublicApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]} NeutronBridgeMappings: {get_param: NeutronBridgeMappings} NeutronEnableTunnelling: {get_param: NeutronEnableTunnelling} NeutronFlatNetworks: {get_param: NeutronFlatNetworks} @@ -1297,6 +1299,9 @@ outputs: - - http:// - {get_attr: [PublicVirtualIP, ip_address]} - :5000/v2.0/ + KeystoneAdminVip: + description: Keystone Admin VIP endpoint + value: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]} PublicVip: description: Controller VIP for public API endpoints value: {get_attr: [PublicVirtualIP, ip_address]} diff --git a/puppet/compute-puppet.yaml b/puppet/compute-puppet.yaml index 3d5c9345..0e6db3d6 100644 --- a/puppet/compute-puppet.yaml +++ b/puppet/compute-puppet.yaml 
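Review bot: The `KeystoneAdminVip` output added in the third hunk is described as an "endpoint", but its value is the bare `net_ip_map` address, whereas the neighbouring output in the same hunk joins `http://`, the public VIP and `:5000/v2.0/` into a full URL. A consumer may therefore expect a URL; a description such as `description: Keystone admin API VIP (IP address only, no scheme or port)` would make the contract explicit. All three new lookups in this file also depend on `ServiceNetMap` containing a `KeystoneAdminApiNetwork` key, which no hunk on this page defines, so it is worth confirming that the default map carries it before relying on the output.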
@@ -70,9 +70,12 @@ parameters: default: default constraints: - custom_constraint: nova.keypair - KeystoneHost: + KeystoneAdminApiVirtualIP: type: string default: '' + KeystonePublicApiVirtualIP: + type: string + default: '' NeutronBridgeMappings: description: > The OVS logical->physical bridge mappings to use. See the Neutron @@ -411,7 +414,7 @@ resources: list_join: - '' - - 'http://' - - {get_param: KeystoneHost} + - {get_param: KeystonePublicApiVirtualIP} - ':5000/v2.0' snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName} snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword} @@ -472,7 +475,7 @@ resources: list_join: - '' - - 'http://' - - {get_param: NeutronHost} + - {get_param: KeystoneAdminApiVirtualIP} - ':35357/v2.0' admin_password: {get_param: AdminPassword} rabbit_username: {get_param: RabbitUserName} diff --git a/puppet/controller-puppet.yaml b/puppet/controller-puppet.yaml index b59bcfc7..a69c22e4 100644 --- a/puppet/controller-puppet.yaml +++ b/puppet/controller-puppet.yaml @@ -491,6 +491,9 @@ parameters: MysqlVirtualIP: type: string default: '' + KeystoneAdminApiVirtualIP: + type: string + default: '' KeystonePublicApiVirtualIP: type: string default: '' @@ -697,7 +700,7 @@ resources: list_join: - '' - - 'http://' - - {get_param: KeystonePublicApiVirtualIP} + - {get_param: KeystoneAdminApiVirtualIP} - ':35357/' keystone_auth_uri: list_join: @@ -783,7 +786,7 @@ resources: list_join: - '' - - 'http://' - - {get_param: KeystonePublicApiVirtualIP} + - {get_param: KeystoneAdminApiVirtualIP} - ':35357/v2.0' ceilometer_backend: {get_param: CeilometerBackend} ceilometer_metering_secret: {get_param: CeilometerMeteringSecret} -- cgit 1.2.3-korg
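Review bot: The `:35357` URLs retargeted here keep a hard-coded `'http://'` scheme: the `':35357/v2.0'` join in the third puppet/compute-puppet.yaml hunk and the two joins in puppet/controller-puppet.yaml. The first of these sits directly above `admin_password`, so traffic to the admin API on the newly selected network is presumably unencrypted. The commit only changes the host, so this is not a regression, but a comment such as `# admin API over plain HTTP; KeystoneAdminApiNetwork must be restricted to trusted hosts` would record the assumption, and a scheme parameter would allow TLS later. The key that receives each `list_join` lies outside the hunks, so which service setting is affected cannot be confirmed from this page.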