From 94319bc92605833085f9fbb8b54c4f58ae3fbdbb Mon Sep 17 00:00:00 2001
From: josebb <jose.bautista.barato@gmail.com>
Date: Wed, 1 Dec 2021 18:59:26 +0200
Subject: [PATCH] Distinguish between port number of internal endpoint and
 binding port number in keystone

Currently, the binding ports of the service and pod spec are configured
using the internal endpoint values.
To support a reverse proxy for internalUrl, we need to distinguish
between the binding ports and the internal endpoint ports.

I added a `service` section to the endpoint items, alongside admin, public,
internal and default.

Change-Id: I79b867a4e6771e07d1eebec89235352d7613e8eb
---
 keystone/Chart.yaml                              |  2 +-
 keystone/templates/deployment-api.yaml           |  6 +++---
 keystone/templates/service-api.yaml              |  3 +--
 keystone/values.yaml                             |  4 +++-
 .../values_overrides/internal-reverse-proxy.yaml | 16 ++++++++++++++++
 keystone/values_overrides/tls.yaml               |  6 +++---
 releasenotes/notes/keystone.yaml                 |  1 +
 7 files changed, 28 insertions(+), 10 deletions(-)
 create mode 100644 keystone/values_overrides/internal-reverse-proxy.yaml

diff --git a/keystone/Chart.yaml b/keystone/Chart.yaml
index e3a9ce64ad..968bfcac98 100644
--- a/keystone/Chart.yaml
+++ b/keystone/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Keystone
 name: keystone
-version: 0.2.29
+version: 0.2.30
 home: https://docs.openstack.org/keystone/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
 sources:
diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml
index 94e705b817..c9e8d0f908 100644
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@@ -14,9 +14,9 @@ limitations under the License.
 
 {{- define "apiProbeTemplate" }}
 httpGet:
-  scheme: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+  scheme: {{ tuple "identity" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
   path: /v3/
-  port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+  port: {{ tuple "identity" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 {{- end }}
 
 {{- if .Values.manifests.deployment_api }}
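Review bot: Deployments that currently move the Keystone listener by overriding `endpoints.identity.port.api.internal` will silently stop doing so, because the probe port here now reads the `service` key and values.yaml supplies `service: 5000` for it. The same switch is made for `containerPort` in the next hunk, for the Service port in service-api.yaml and for `Listen` in both `wsgi_keystone` templates, so such an override would leave the pod bound to 5000 while the internal endpoint presumably still advertises the overridden port. This assumes user overrides are merged over the chart defaults in the usual Helm way. The release note should flag the upgrade impact, for example `0.2.30 ... (overrides of port.api.internal must now also set port.api.service)`. The deployment spec continues outside this hunk.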
@@ -80,7 +80,7 @@ spec:
                   - stop
           ports:
             - name: ks-pub
-              containerPort: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              containerPort: {{ tuple "identity" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 {{ dict "envAll" $envAll "component" "api" "container" "api" "type" "readiness" "probeTemplate" (include "apiProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | trim | indent 10 }}
 {{ dict "envAll" $envAll "component" "api" "container" "api" "type" "liveness" "probeTemplate" (include "apiProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | trim | indent 10 }}
           volumeMounts:
diff --git a/keystone/templates/service-api.yaml b/keystone/templates/service-api.yaml
index 5fb0112354..21f9f3c441 100644
--- a/keystone/templates/service-api.yaml
+++ b/keystone/templates/service-api.yaml
@@ -21,9 +21,8 @@ metadata:
   name: {{ tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 spec:
   ports:
-  {{- $portInt := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
     - name: ks-pub
-      port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      port: {{ tuple "identity" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
       {{ if .Values.network.api.node_port.enabled }}
       nodePort: {{ .Values.network.api.node_port.port }}
       {{ end }}
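Review bot: When `.Values.network.api.node_port.enabled` is set, the `nodePort` below now forwards to the pod bind port taken from the `service` key, and in internal-reverse-proxy.yaml that port is plain `http`, so Keystone would be reachable unencrypted on every node and the proxy bypassed. A comment above the `nodePort` block such as `# exposes the pod bind port directly; do not enable together with scheme.service: http` would make the interaction explicit. Separately, the Service is still named from the `internal` hostname lookup on the `name:` context line while its only port now follows `service`; with that override (internal 443, service 5000) the internal URL would target port 443 on a name whose Service exposes only 5000, unless the internal host is pointed at the proxy somewhere not shown here. The Service spec continues outside this hunk.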
diff --git a/keystone/values.yaml b/keystone/values.yaml
index d5c5bc7631..69546b56b8 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -772,7 +772,7 @@ conf:
       ThreadLimit         720
     </IfModule>
   wsgi_keystone: |
-    {{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{- $portInt := tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 
     Listen 0.0.0.0:{{ $portInt }}
 
@@ -972,12 +972,14 @@ endpoints:
       default: /v3
     scheme:
       default: http
+      service: http
     port:
       api:
         default: 80
         # NOTE(portdirect): to retain portability across images, and allow
         # running under a unprivileged user simply, we default to a port > 1000.
         internal: 5000
+        service: 5000
   oslo_db:
     namespace: null
     auth:
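Review bot: The new `service` keys under `scheme` and `port.api` carry no comment, and next to `default`, `internal` and `public` they read like another catalog endpoint rather than the pod and Service bind settings. I would add something like `# NOTE: "service" is not a catalog endpoint; it is the scheme/port the keystone pod and its Kubernetes Service listen on.` above `service: 5000`. The existing NOTE(portdirect) comment about defaulting to a port > 1000 for an unprivileged user now describes the bind port, so it belongs with `service` as well as (or instead of) `internal`. The `endpoints` map continues outside this hunk.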
diff --git a/keystone/values_overrides/internal-reverse-proxy.yaml b/keystone/values_overrides/internal-reverse-proxy.yaml
new file mode 100644
index 0000000000..35a5a539b6
--- /dev/null
+++ b/keystone/values_overrides/internal-reverse-proxy.yaml
@@ -0,0 +1,16 @@
+---
+endpoints:
+  identity:
+    host_fqdn_override:
+      public: example.com
+    scheme:
+      default: https
+      public: https
+      internal: https
+      service: http
+    port:
+      api:
+        default: 443
+        internal: 443
+        service: 5000
+...
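Review bot: With `scheme.service: http` and `port.api.service: 5000` the pod listens in plaintext, so tokens and credentials cross the cluster network unencrypted between the reverse proxy and Keystone, and the file does not say so or state what is expected to terminate TLS on 443. A header comment would help, for example `# TLS is terminated by an external reverse proxy; the proxy-to-pod hop on port 5000 is plain HTTP and should be restricted to the proxy by network policy.` `public: example.com` is a placeholder and deserves a `# replace with the real public FQDN` comment so it is not deployed as is. Where the backend hop must stay encrypted, this override would have to be combined with the TLS listener configuration in tls.yaml, which sets `service: https`.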
diff --git a/keystone/values_overrides/tls.yaml b/keystone/values_overrides/tls.yaml
index a9f2fe722c..416194ab9b 100644
--- a/keystone/values_overrides/tls.yaml
+++ b/keystone/values_overrides/tls.yaml
@@ -26,8 +26,7 @@ conf:
       ssl_cert_file: /etc/rabbitmq/certs/tls.crt
       ssl_key_file: /etc/rabbitmq/certs/tls.key
   wsgi_keystone: |
-    {{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-    {{- $vh := tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    {{- $portInt := tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 
     Listen 0.0.0.0:{{ $portInt }}
 
@@ -38,7 +37,7 @@ conf:
     CustomLog /dev/stdout combined env=!forwarded
     CustomLog /dev/stdout proxy env=forwarded
 
-    <VirtualHost *:{{ tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
+    <VirtualHost *:{{ tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
       ServerName {{ printf "%s.%s.svc.%s" "keystone-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
       WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
       WSGIProcessGroup keystone-public
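Review bot: The `<VirtualHost>` line repeats the full `endpoint_port_lookup` call although `$portInt` already holds the same value from the top of `wsgi_keystone` (first hunk of this file) and is used for `Listen`. Writing `<VirtualHost *:{{ $portInt }}>` keeps the listen port and the vhost port from drifting apart the next time the lookup key changes, as it did in this commit. This assumes the VirtualHost sits in the same `wsgi_keystone` block scalar, which the hunk header suggests but does not show; the VirtualHost body continues outside the hunk.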
@@ -78,6 +77,7 @@ endpoints:
     scheme:
       default: https
       public: https
+      service: https
     port:
       api:
         default: 443
diff --git a/releasenotes/notes/keystone.yaml b/releasenotes/notes/keystone.yaml
index d5699f3160..72b46af8eb 100644
--- a/releasenotes/notes/keystone.yaml
+++ b/releasenotes/notes/keystone.yaml
@@ -45,4 +45,5 @@ keystone:
   - 0.2.27 Use LOG.warning instead of deprecated LOG.warn
   - 0.2.28 Added OCI registry authentication
   - 0.2.29 Support TLS endpoints
+  - 0.2.30 Distinguish between port number of internal endpoint and binding port number
 ...