keystone haproxy service configuration is broken when using federation

Bug #2058656 reported by Gaël THEROND
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
kolla-ansible
Status tracked in Dalmatian
Antelope
In Progress
Medium
Unassigned
Bobcat
In Progress
Medium
Unassigned
Caracal
In Progress
Medium
Gaël THEROND
Dalmatian
Fix Released
Medium
Gaël THEROND
Yoga
Confirmed
Medium
Unassigned
Zed
Confirmed
Medium
Unassigned

Bug Description

As of ZED and any branch that backported support for federation on kolla, the generated service.cfg file for keystone isn't correct.

Indeed, for the backend balancing mode, the template do generate an improper value:

```
backend keystone_external_back
    mode http
    ['balance source']
```

where it should produce:

```
backend keystone_external_back
    mode http
    balance source
```
This is due to the way the service default main.yml substitution is made compared to other services:

On keystone:
```yaml
backend_http_extra: "{{ ['balance source'] if enable_keystone_federation | bool else [] }}"

```

vs

On horizon

```yaml
backend_http_extra:
  - "balance {{ 'roundrobin' if enable_memcached | bool or horizon_backend_database | bool else 'source' }}"
```

As keystone need source when federation is enabled and roundrobin when disabled, we should rather use:

```yaml
backend_http_extra:
  - balance "{{ 'source' if enable_keystone_federation | bool else 'roundrobin' }}"
```

Of course we could leave the balance empty when keystone federation is disabled, but as the default balance algorithm for any backend is roundrobin no matter what (out of higher rank default directive set), that would probably beneficial for everyone to get the value explicited rather than letting operators have a long search about it.

ref: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-balance

Gaël THEROND (gtherond)
Changed in kolla-ansible:
assignee: nobody → Gaël THEROND (gtherond)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)
Changed in kolla-ansible:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/913908
Committed: https://opendev.org/openstack/kolla-ansible/commit/33d03a4267c9c64d774e1cf90c402326ac2de6d1
Submitter: "Zuul (22348)"
Branch: master

commit 33d03a4267c9c64d774e1cf90c402326ac2de6d1
Author: Gaël THEROND (Fl1nt) <email address hidden>
Date: Thu Mar 21 15:32:39 2024 +0100

    Fix keystone configuration for haproxy.

    * Use proper balancing mode when federation is enabled.

    Closes-Bug: #2058656
    Change-Id: Ia81a6efc38ec2bdc1355d058c03568cf740fdac5

Changed in kolla-ansible:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/2024.1)

Fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/925101

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/2023.2)

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/925102

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/925103

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.