Make Keystone admin endpoint creation optional

The admin endpoint is kept on upgrade to allow the upgrade to happen (as it allows to rewrite the previous admin endpoint entry to the new one). Change-Id: I1c16892bab67f281d539843f1f0fa658df1c4874 Depends-On: https://review.opendev.org/c/openstack/kolla/+/854837

Make Keystone admin endpoint creation optional
ee32736c · Radosław Piliszek · 8b35f273 · ee32736c · ee32736c · ee32736c
Commit ee32736c authored 2 years ago by Radosław Piliszek
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@@ -195,14 +195,19 @@ keystone_enabled_notification_topics: "{{ keystone_notification_topics | selecta
 ####################
 # Keystone
 ####################
+keystone_service_endpoints:
+  - {'interface': 'internal', 'url': '{{ keystone_internal_url }}'}
+  - {'interface': 'public', 'url': '{{ keystone_public_url }}'}
+
+# TODO(yoctozepto): Remove admin_endpoint leftovers in Antelope (2023.1).
+keystone_service_admin_endpoint: {'interface': 'admin', 'url': '{{ keystone_internal_url }}'}
+keystone_create_admin_endpoint: false
+
 keystone_ks_services:
  - name: "keystone"
    type: "identity"
    description: "Openstack Identity Service"
-    endpoints:
-      - {'interface': 'admin', 'url': '{{ keystone_internal_url }}'}
-      - {'interface': 'internal', 'url': '{{ keystone_internal_url }}'}
-      - {'interface': 'public', 'url': '{{ keystone_public_url }}'}
+    endpoints: "{{ keystone_service_endpoints + ([keystone_service_admin_endpoint] if kolla_action == 'upgrade' or keystone_create_admin_endpoint | bool else []) }}"

 ####################
 # TLS

--- a/ansible/roles/keystone/tasks/register.yml
+++ b/ansible/roles/keystone/tasks/register.yml
@@ -4,7 +4,7 @@
  command: >
    docker exec keystone kolla_keystone_bootstrap
    {{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
-    admin {{ keystone_internal_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
+    admin {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
  register: keystone_bootstrap
  changed_when: (keystone_bootstrap.stdout | from_json).changed
  failed_when: (keystone_bootstrap.stdout | from_json).failed

--- a/ansible/roles/keystone/tasks/upgrade.yml
+++ b/ansible/roles/keystone/tasks/upgrade.yml
@@ -47,3 +47,14 @@
  when:
    - inventory_hostname == groups['keystone'][-1]
    - not use_preconfigured_databases | bool
+
+# TODO(yoctozepto): Remove after Zed (in AA).
+# This is needed to update the admin endpoint as the port has
+# changed in the same release (Zed), i.e., the admin endpoint uses the
+# same port as the other ones (public, internal).
+- import_role:
+    name: service-ks-register
+  vars:
+    service_ks_register_auth: "{{ openstack_keystone_auth }}"
+    service_ks_register_services: "{{ keystone_ks_services }}"
+  run_once: True
--- a/releasenotes/notes/keystone-admin-endpoint-optional-8eb8c9a18085d64e.yaml
+++ b/releasenotes/notes/keystone-admin-endpoint-optional-8eb8c9a18085d64e.yaml
+---
+upgrade:
+  - |
+    The Keystone's admin endpoint is no longer created by default. Operators
+    of existing deployments may wish to remove it after the upgrade
+    completes. Operators having external services relying on the availability
+    of the Keystone's admin endpoint may set ``keystone_create_admin_endpoint``
+    to ``true`` to keep creating the admin endpoint but such support will
+    be removed after Zed.