Description of problem:

With OSP10z6 a new puppet-tripleo package (5.6.4-2) was released and it removed the configuration of Keystone Admin API on External interface in TLS. That API is only configured on Internal Interface, but we need it also on external interface. See below the haproxy configuration after update of overcloud:

    less /etc/haproxy/haproxy.cfg

    listen keystone_admin
      bind 10.10.10.33:35357 transparent
      mode http
      http-request set-header X-Forwarded-Proto https if { ssl_fc }
      http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
      server server001.net 10.10.10.7:35357 check fall 5 inter 2000 rise 2
      server server002.net 10.10.10.8:35357 check fall 5 inter 2000 rise 2
      server server003.net 10.10.10.9:35357 check fall 5 inter 2000 rise 2

We need it like this, as we have in production (different site):

    listen keystone_admin
      bind 420:fe0:0:2000:2001:4888:a42:3101:13357 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
      bind 20.20.20.138:13357 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
      bind 10.10.10.33:35357 transparent
      mode http
      http-request set-header X-Forwarded-Proto https if { ssl_fc }
      http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
      server anotherserv-001.internal.net 10.10.10.7:35357 check fall 5 inter 2000 rise 2
      server anotherserv-002.internal.net 10.10.10.8:35357 check fall 5 inter 2000 rise 2
      server anotherserv-003.internal.net 10.10.10.9:35357 check fall 5 inter 2000 rise 2

We can see /etc/puppet/modules/tripleo/manifests/haproxy.pp has changed and removed the keystone_admin_api_ssl_port configuration:

    keystone_admin_api_port => 35357,
    keystone_public_api_port => 5000,

    if $keystone_admin {
      ::tripleo::haproxy::endpoint { 'keystone_admin':
        internal_ip     => hiera('keystone_admin_api_vip', $controller_virtual_ip),
        service_port    => $ports[keystone_admin_api_port],
        ip_addresses    => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
        server_names    => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
        mode            => 'http',
        listen_options  => {
          'http-request' => [
            'set-header X-Forwarded-Proto https if { ssl_fc }',
            'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
        },
        service_network => hiera('keystone_admin_api_network', undef),
      }
    }

This is what /etc/puppet/modules/tripleo/manifests/haproxy.pp used to be in the previous package version that we have in production (puppet-tripleo-5.5.0-4):

    keystone_admin_api_port => 35357,
    keystone_admin_api_ssl_port => 13357,
    keystone_public_api_port => 5000,

    if $keystone_admin {
      ::tripleo::haproxy::endpoint { 'keystone_admin':
        public_virtual_ip => $public_virtual_ip,
        internal_ip       => hiera('keystone_admin_api_vip', $controller_virtual_ip),
        service_port      => $ports[keystone_admin_api_port],
        ip_addresses      => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
        server_names      => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
        mode              => 'http',
        listen_options    => {
          'http-request' => [
            'set-header X-Forwarded-Proto https if { ssl_fc }',
            'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
        },
        public_ssl_port   => $ports[keystone_admin_api_ssl_port],
      }
    }

To fix this issue I had added a workaround in templates to configure haproxy, but this implementation broke our initial implementation, so I want to know why this code changed and what would be the right implementation of Keystone Admin API on external network without my workaround.

How reproducible: Every time
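The difference between the two haproxy.cfg snippets above comes down to which `bind` lines carry `ssl crt`. As an added example (not part of this bug report or of puppet-tripleo), the following audit parses an haproxy.cfg and flags any `listen` bind that accepts plaintext on an address other than the internal VIP; the sample configs are constructed from the snippets above, and treating 10.10.10.33 as the internal VIP is an assumption passed in by the caller.

```python
import re

# Constructed from the report: keystone_admin after the puppet-tripleo 5.6.4-2
# update. Only the internal VIP is bound and there is no TLS bind at all.
AFTER_UPDATE = """\
listen keystone_admin
  bind 10.10.10.33:35357 transparent
  mode http
  server server001.net 10.10.10.7:35357 check fall 5 inter 2000 rise 2
"""

# Constructed from the report: the production config, with a TLS-terminating
# bind on the external VIP and a plaintext bind only on the internal VIP.
PRODUCTION = """\
listen keystone_admin
  bind 20.20.20.138:13357 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 10.10.10.33:35357 transparent
  mode http
"""

# Constructed (not from the report): what a hand-edited template would look
# like if it bound the external VIP without `ssl crt`; this is the case the audit catches.
PLAINTEXT_EXTERNAL = PRODUCTION.replace(
    "bind 20.20.20.138:13357 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem",
    "bind 20.20.20.138:35357 transparent")

def parse_listen_binds(cfg):
    """Return {section_name: [(bind_address, has_tls), ...]} per listen/frontend."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"^(?:listen|frontend)\s+(\S+)", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.startswith("bind "):
            fields = line.split()
            # haproxy terminates TLS on a bind only when the `ssl` keyword is present.
            sections[current].append((fields[1], "ssl" in fields[2:]))
    return sections

def plaintext_external_binds(cfg, internal_vips):
    """(section, host, port) for each plaintext bind whose host is not an internal VIP.

    internal_vips is supplied by the caller (assumption: the operator knows its VIPs)."""
    findings = []
    for section, binds in parse_listen_binds(cfg).items():
        for addr, has_tls in binds:
            host, _, port = addr.rpartition(":")
            if not has_tls and host not in internal_vips:
                findings.append((section, host, port))
    return findings
```

Run against a real /etc/haproxy/haproxy.cfg with the deployment's internal VIPs, an empty result means no admin endpoint is reachable in plaintext outside the internal API network.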
It makes sense from a security standpoint to eliminate the non-ssl endpoint. If you really need the non-ssl endpoint, workarounds are provided here: https://access.redhat.com/solutions/2943481 Or in this BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1514244 Closing as NOTABUG. Please feel free to reopen if needed.
If you switch to using keystone v3 you won't need the admin endpoint to be exposed in the external network and you could just use the public one. Is there a specific reason why you need the admin endpoint exposed? If you REALLY need it in the external network you could configure it via the ServiceNetMap. The previous exposing of the admin endpoint was more a bug than a feature. If you really need the admin network exposed externally, we can see if we can configure the ServiceNetMap to match your desired config.
Please confirm that you really need the admin endpoint exposed in the external network.
The double endpoint for the keystone admin interface was removed in an effort to increase security by locking down the overcloud. It is also not needed when using keystone v3, as one can also use the public keystone endpoint (which uses TLS).
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:1593