Stop generating admin endpoints in the keystone catalog
The admin endpoints offer no special functionality; users may talk to the public endpoints instead. The only historic use case has been the keystone v2 admin endpoint, but with the keystone v3 API, even that is no longer needed.
Problem description
Currently we generate admin endpoints for almost all services. As the service catalog is sent to the API user for every transaction, this generates some amount of overhead, as these endpoints aren’t really needed anymore. Dropping them will also reduce the time needed for chef runs.
Proposed change
Drop the admin endpoints from all identity_registration recipes in our cookbooks. This will affect:
- cookbook-openstack-block-storage
- cookbook-openstack-compute
- cookbook-openstack-identity
- cookbook-openstack-image
- cookbook-openstack-networking
- cookbook-openstack-orchestration
- cookbook-openstack-telemetry
Alternatives
Stick to the status quo.
Data model impact
None
REST API impact
None
Security impact
Deployments that have been using a different admin endpoint with restricted access may need to switch to using the internal endpoint instead.
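A deployer can find the affected services before the change by auditing the current catalog. The following is an added example, not part of this spec or the cookbooks; it assumes the `catalog` list of a keystone v3 token response has been saved as JSON, and the sample data and status labels are constructed for illustration.

```python
import json

# Constructed sample in the keystone v3 catalog layout; hosts and ports are made up.
SAMPLE_CATALOG = json.loads("""[
 {"type": "identity", "endpoints": [
   {"interface": "public", "region_id": "RegionOne", "url": "https://api.example.test:5000/v3"},
   {"interface": "internal", "region_id": "RegionOne", "url": "http://10.0.0.10:5000/v3"},
   {"interface": "admin", "region_id": "RegionOne", "url": "http://10.0.9.10:35357/v3"}]},
 {"type": "image", "endpoints": [
   {"interface": "public", "region_id": "RegionOne", "url": "https://api.example.test:9292"},
   {"interface": "internal", "region_id": "RegionOne", "url": "http://10.0.0.10:9292"},
   {"interface": "admin", "region_id": "RegionOne", "url": "http://10.0.0.10:9292/"}]},
 {"type": "volumev3", "endpoints": [
   {"interface": "public", "region_id": "RegionOne", "url": "https://api.example.test:8776/v3"},
   {"interface": "admin", "region_id": "RegionOne", "url": "http://10.0.9.10:8776/v3"}]}
]""")


def audit_admin_endpoints(catalog):
    """Return sorted (service type, region, status, admin URL) for every admin endpoint."""
    findings = []
    for service in catalog:
        by_region = {}
        for ep in service.get("endpoints", []):
            region = ep.get("region_id") or ep.get("region")
            by_region.setdefault(region, {})[ep["interface"]] = ep["url"].rstrip("/")
        for region, urls in by_region.items():
            admin = urls.get("admin")
            if admin is None:
                continue
            if admin in (urls.get("internal"), urls.get("public")):
                status = "redundant"      # same URL as another interface: nothing to migrate
            elif "internal" in urls:
                status = "distinct"       # separate admin URL: move clients and ACLs to internal
            else:
                status = "no-internal"    # separate admin URL and no internal endpoint to switch to
            findings.append((service["type"], region, status, admin))
    return sorted(findings)


if __name__ == "__main__":
    for row in audit_admin_endpoints(SAMPLE_CATALOG):
        print("%-10s %-10s %-12s %s" % row)
```

Services reported as `distinct` or `no-internal` are the ones where access restrictions tied to the admin URL need to be re-established on the internal endpoint before the admin entry disappears.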
Notifications impact
None
Other end user impact
None
Performance Impact
The size of the service catalog will be reduced, as well as the duration of chef runs, both of which positively impact performance.
Other deployer impact
Deployments that in some way make unexpected use of the admin endpoints will need to be adapted.
Developer impact
None
Implementation
Assignee(s)
- Primary assignee: <j-rosenboom-j>
- Other contributors: <jklare>
Work Items
- Update identity_registration recipes
- Check for unknown dependencies
Dependencies
None
Testing
Our integration tests should have sufficient coverage in order to make sure that this change doesn’t have any negative impact.
Documentation Impact
None
References
None