Keystone network isolation fixes
authorDan Prince <dprince@redhat.com>
Fri, 24 Jul 2015 02:19:25 +0000 (22:19 -0400)
committerDan Prince <dprince@redhat.com>
Sat, 5 Sep 2015 11:29:13 +0000 (07:29 -0400)
This patch adds explicit nested stack parameters to
help manage use of the Keystone Admin API vs. the
Keystone Public API.

We also add a new output parameter specifically for the Keystone admin
API VIP. This can be useful when configuring keystone endpoints
with network isolation.

Change-Id: I2bd3e61570151e2faeee14ee09b03ad0b3208cc1

compute.yaml
controller.yaml
overcloud-without-mergepy.yaml
puppet/compute-puppet.yaml
puppet/controller-puppet.yaml

index 933639c..169e9cf 100644 (file)
@@ -102,7 +102,10 @@ parameters:
     default: default
     constraints:
       - custom_constraint: nova.keypair
-  KeystoneHost:
+  KeystoneAdminApiVirtualIP:
+    type: string
+    default: ''
+  KeystonePublicApiVirtualIP:
     type: string
     default: ''
   NeutronBridgeMappings:
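Review bot: The two parameters added here, `KeystoneAdminApiVirtualIP` and `KeystonePublicApiVirtualIP`, have no `description`, so nothing states which Keystone listener each is meant to reach; the same applies to the declarations added in the controller.yaml and puppet/controller-puppet.yaml parameter hunks. With `default: ''`, a parent stack that forgets to pass one gets an empty host rather than a validation error, so I would drop the default or document that the parent template is expected to inject the value. A suitable line would be `description: VIP of the Keystone admin API, passed in by the parent stack from ServiceNetMap`, with a matching one for the public API. Removing `KeystoneHost` also changes this template's interface, so an out-of-tree caller that still passes it would presumably fail validation, which deserves a release note. The parameters block starts outside the hunk.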
@@ -409,7 +412,7 @@ resources:
         glance_host: {get_param: GlanceHost}
         glance_port: {get_param: GlancePort}
         glance_protocol: {get_param: GlanceProtocol}
-        keystone_host: {get_param: KeystoneHost}
+        keystone_host: {get_param: KeystonePublicApiVirtualIP}
         neutron_flat_networks: {get_param: NeutronFlatNetworks}
         neutron_host: {get_param: NeutronHost}
         neutron_local_ip: {get_attr: [NovaCompute, networks, ctlplane, 0]}
index 8b57fa0..5156be5 100644 (file)
@@ -515,6 +515,9 @@ parameters:
   MysqlVirtualIP:
     type: string
     default: ''
+  KeystoneAdminApiVirtualIP:
+    type: string
+    default: ''
   KeystonePublicApiVirtualIP:
     type: string
     default: ''
index fcc7cc8..89db939 100644 (file)
@@ -826,6 +826,7 @@ resources:
           HeatApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, HeatApiNetwork]}]}
           GlanceApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, GlanceApiNetwork]}]}
           MysqlVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
+          KeystoneAdminApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]}
           KeystonePublicApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]}
           NeutronApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, NeutronApiNetwork]}]}
           UpdateIdentifier: {get_param: UpdateIdentifier}
@@ -858,7 +859,8 @@ resources:
           Image: {get_param: NovaImage}
           ImageUpdatePolicy: {get_param: ImageUpdatePolicy}
           KeyName: {get_param: KeyName}
-          KeystoneHost: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]}
+          KeystoneAdminApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]}
+          KeystonePublicApiVirtualIP: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}]}
           NeutronBridgeMappings: {get_param: NeutronBridgeMappings}
           NeutronEnableTunnelling: {get_param: NeutronEnableTunnelling}
           NeutronFlatNetworks: {get_param: NeutronFlatNetworks}
@@ -1297,6 +1299,9 @@ outputs:
       - - http://
         - {get_attr: [PublicVirtualIP, ip_address]}
         - :5000/v2.0/
+  KeystoneAdminVip:
+    description: Keystone Admin VIP endpoint
+    value: {get_attr: [VipMap, net_ip_map, {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}]}
   PublicVip:
     description: Controller VIP for public API endpoints
     value: {get_attr: [PublicVirtualIP, ip_address]}
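Review bot: The description on the new `KeystoneAdminVip` output says "endpoint", but the value is the bare address from `net_ip_map`, with no scheme, port or path, unlike the URL assembled from `http://` and `:5000/v2.0/` just above it. A consumer going by the description could treat the output as a ready-to-use URL. I would word it as `description: Keystone Admin API VIP address (IP only, no scheme or port)`. The outputs block begins outside the hunk.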
index 3d5c934..0e6db3d 100644 (file)
@@ -70,9 +70,12 @@ parameters:
     default: default
     constraints:
       - custom_constraint: nova.keypair
-  KeystoneHost:
+  KeystoneAdminApiVirtualIP:
     type: string
     default: ''
+  KeystonePublicApiVirtualIP:
+     type: string
+     default: ''
   NeutronBridgeMappings:
     description: >
       The OVS logical->physical bridge mappings to use. See the Neutron
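Review bot: `type` and `default` under the new `KeystonePublicApiVirtualIP` are indented five spaces, where every sibling parameter in this hunk uses four. It presumably still parses, since the two keys are consistent with each other, but this kind of drift trips linters and later copy-paste edits. Change them to `    type: string` and `    default: ''`. The parameters block starts above the hunk and the NeutronBridgeMappings description continues below it.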
@@ -411,7 +414,7 @@ resources:
           list_join:
             - ''
             - - 'http://'
-              - {get_param: KeystoneHost}
+              - {get_param: KeystonePublicApiVirtualIP}
               - ':5000/v2.0'
         snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
         snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
@@ -472,7 +475,7 @@ resources:
           list_join:
             - ''
             - - 'http://'
-              - {get_param: NeutronHost}
+              - {get_param: KeystoneAdminApiVirtualIP}
               - ':35357/v2.0'
         admin_password: {get_param: AdminPassword}
         rabbit_username: {get_param: RabbitUserName}
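Review bot: The admin identity URL built here is still hard-coded to `http://`, so with the host now pointing at the admin API VIP, whatever authenticates against port 35357 (presumably with the `admin_password` on the following line) crosses that network unencrypted. Network isolation narrows who can see the traffic but does not protect it from another host on the same segment. The same literal scheme sits in front of the two `:35357` hunks in puppet/controller-puppet.yaml. I would take the scheme from a parameter, the way compute.yaml already passes `GlanceProtocol`, and keep `http` only as that parameter's default. The property key that owns this `list_join` lies outside the hunk.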
index b59bcfc..a69c22e 100644 (file)
@@ -491,6 +491,9 @@ parameters:
   MysqlVirtualIP:
     type: string
     default: ''
+  KeystoneAdminApiVirtualIP:
+    type: string
+    default: ''
   KeystonePublicApiVirtualIP:
     type: string
     default: ''
@@ -697,7 +700,7 @@ resources:
           list_join:
             - ''
             - - 'http://'
-              - {get_param: KeystonePublicApiVirtualIP}
+              - {get_param: KeystoneAdminApiVirtualIP}
               - ':35357/'
         keystone_auth_uri:
           list_join:
@@ -783,7 +786,7 @@ resources:
           list_join:
             - ''
             - - 'http://'
-              - {get_param: KeystonePublicApiVirtualIP}
+              - {get_param: KeystoneAdminApiVirtualIP}
               - ':35357/v2.0'
         ceilometer_backend: {get_param: CeilometerBackend}
         ceilometer_metering_secret: {get_param: CeilometerMeteringSecret}