That's great info. Thanks both.

So to be clear, Karl, in your service catalog you see a single endpoint for Keystone and N endpoints (one per region) for Cinder, Nova etc? And tooling (OSC, SDK, etc.) is happy using one region for Keystone and potentially a different one for all other services?

I would like to document this somewhere, so I'd like to make sure said docs reflect a real world scenario. If you had a service catalog you could share (with potentially sensitive info like URLs stripped out/anonymised) that would be helpful.

Cheers,
Stephen

On Tue, 2024-10-15 at 22:19 +0000, Karl Kloppenborg wrote:
Hi Stephen,

As Artem has pointed out, we’ve seen both. Some people also have a single keystone distributed across several regions using database replication.

There are pros and cons to all these deployments; however, we personally use a centralised keystone and multiple regions with region-specific endpoints. The downside of this is that loss of comms to the keystone makes multiple regions inaccessible; however, it doesn’t break customer compute workloads, so we absorb that as acceptable risk.

Some others also do an A/B keystone behind keystone. I have also seen keystone presented more cleverly utilising anycast addressing and database replication, which avoids the aforementioned situation.

Thanks,
Karl Kloppenborg.
Karl Kloppenborg
Chief Technology Officer
m: +61 437 239 565 resetdata.com
From: Artem Goncharov <artem.goncharov@gmail.com>
Date: Tuesday, 15 October 2024 at 10:36 pm
To: Stephen Finucane <stephenfin@redhat.com>
Cc: openstack-discuss <openstack-discuss@lists.openstack.org>
Subject: Re: [keystone] What does a multi-region service catalog look like?
Short answer Stephen, there can be both (and I've seen both), but typically there is a single keystone for multiple non-identity regions.
---- typed from mobile, auto-correct typos assumed ----
On Tue, Oct 15, 2024, 13:33 Stephen Finucane <stephenfin@redhat.com> wrote:
o/
The question in $subject came up in a discussion earlier today and I neither knew the answer nor was able to discover it by looking at the service catalogs for a few production deployments I have access to (also, the multi-region feature is currently broken in DevStack and likely has been for some time). Crucially, in a "standard" multi-region deployment where there is one Keystone instance and N Nova/Cinder/Glance/Neutron/... deployments, would I have something like the below, where there is only one identity endpoint but multiple e.g. compute endpoints, or would I expect there always to be as many identity endpoints as there are e.g. compute endpoints?
    {
      "token": {
        ...
        "catalog": [
          {
            "endpoints": [
              {
                "id": "fb757b386a23430d8f4d636b8b45fa89",
                "interface": "public",
                "region_id": "RegionOne",
                "url": "http://10.0.110.125/identity",
                "region": "RegionOne"
              }
            ],
            "id": "50c4feff9d6149b898fce20ce23904a3",
            "type": "identity",
            "name": "keystone"
          },
          {
            "endpoints": [
              {
                "id": "2ed0cb59adb0415c948f8351b6546d3e",
                "interface": "public",
                "region_id": "RegionOne",
                "url": "http://10.0.110.125/compute/v2.1",
                "region": "RegionOne"
              },
              {
                "id": "2ed0cb59adb0415c948f8351b6546d3e",
                "interface": "public",
                "region_id": "RegionTwo",
                "url": "http://10.0.112.232/compute/v2.1",
                "region": "RegionOne"
              }
            ],
            "id": "87322637c5ab4e7b90bea7a8c1eb9525",
            "type": "compute",
            "name": "nova"
          },
          ...
        ]
      }
    }
I'm guessing the latter, but I'd like to confirm this.
Stephen
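
Added example, not part of any message in this thread and not OpenStack project code: a small Python check that summarises a token's service catalog by region, lists the service types that are shared across regions (such as a centralised Keystone), and flags inconsistent endpoint entries. The sample catalog, its ids and URLs are constructed placeholders, and the function names are hypothetical.

```python
import json
from collections import Counter

# Constructed sample (placeholder ids/URLs), shaped like the catalog discussed above.
# It deliberately carries a duplicated endpoint id and a region/region_id mismatch.
SAMPLE = json.loads("""
{"token": {"catalog": [
  {"type": "identity", "name": "keystone", "endpoints": [
    {"id": "ep-identity-1", "interface": "public", "region_id": "RegionOne",
     "region": "RegionOne", "url": "https://identity.example.test/identity"}]},
  {"type": "compute", "name": "nova", "endpoints": [
    {"id": "ep-compute-1", "interface": "public", "region_id": "RegionOne",
     "region": "RegionOne", "url": "https://r1.example.test/compute/v2.1"},
    {"id": "ep-compute-1", "interface": "public", "region_id": "RegionTwo",
     "region": "RegionOne", "url": "https://r2.example.test/compute/v2.1"}]}
]}}
""")


def regions_by_service(token_body, interface="public"):
    """Map each service type to the sorted regions that expose `interface`."""
    out = {}
    for svc in token_body["token"]["catalog"]:
        regions = {ep["region_id"] for ep in svc["endpoints"]
                   if ep["interface"] == interface}
        out[svc["type"]] = sorted(regions)
    return out


def shared_services(token_body, interface="public"):
    """Service types present in fewer regions than the catalog as a whole."""
    per_service = regions_by_service(token_body, interface)
    all_regions = set().union(*per_service.values())
    return sorted(t for t, r in per_service.items() if len(r) < len(all_regions))


def lint_catalog(token_body):
    """Report duplicate endpoint ids and region/region_id mismatches."""
    problems = []
    endpoints = [ep for svc in token_body["token"]["catalog"]
                 for ep in svc["endpoints"]]
    for ep_id, count in Counter(ep["id"] for ep in endpoints).items():
        if count > 1:
            problems.append(f"duplicate endpoint id {ep_id} ({count} entries)")
    for ep in endpoints:
        if ep.get("region") not in (None, ep["region_id"]):
            problems.append(
                f"{ep['url']}: region {ep['region']} != region_id {ep['region_id']}")
    return problems
```
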