Portal:Cloud VPS/Admin/notes/keystone

From Wikitech
This page is outdate and refers to a setup we no longer have (shared keystone between deployments)

This page contains some notes on keystone, specifically how we deployed keystone for Cloud VPS.

previous and current status

Originally we had 1 keystone per deployment.

Then, Chase merged/collapsed the keystone services in labtest/labtestn, so a single keystone database serves both deployments. This means that the keystone database stores endpoints for both deployments, making use of the openstack concept of regions.

The reason for this merge is to allow as smooth migration from the nova-network to the neutron models.

On 2018-08-13 we merged also the main/eqiad1 keystone services (see phab:T201504).

Please note where the databases lives:

  • main/eqiad1: m5-master.eqiad.wmnet
  • labtest/labtestn: labtestcontrol2001.wikimedia.org

basic deployment

Please follow the bootstrap instructions modules/openstack/templates/bootstrap/keystone/keystone_seed.sh.erb

creating a shared keystone

Things to consider when collapsing keystone to server more than one deployment (example tracking phabricator task: phab:T201504)

  • networking connectivity (ferm ACLs) between the clients, the endpoints and the databases
  • regions in the database are correctly set
  • multi-region awareness. Lots of code using the keystone API isn't region-aware.
  • nova_controller vs keystone_host: we have 2 different hiera keys for setting where the keystone daemon lives. The latter is preferred.
  • endpoints are updated in the database to reflect the final environment