Skip to content

make prodel URL conditional for global region#10879

Merged
tz3 merged 2 commits intomasterfrom
enable-prodel-global-keystone
Mar 5, 2026
Merged

make prodel URL conditional for global region#10879
tz3 merged 2 commits intomasterfrom
enable-prodel-global-keystone

Conversation

@tz3
Copy link
Member

@tz3 tz3 commented Feb 26, 2026
edited
Loading

Problem

Prodel is being deployed to the global region to support project deletion in the global Keystone domain (see cc/prodel#159).

However, Keystone's policy template currently uses a hardcoded Prodel URL that assumes the prodel namespace:

http://prodel.prodel.svc/check-delete_project/%(project_id)s

This doesn't work for global Keystone, which runs in the monsoon3global namespace and needs to call Prodel at:

http://prodel.monsoon3global.svc/check-delete_project/%(project_id)s

Solution

Make the Prodel URL conditional based on the global.is_global_region flag that's already set in secrets/global/values/globals.yaml.

When global.is_global_region=true

helm template -n keystone . --values ci/test-values.yaml --set global.is_global_region=true -s templates/configmap-etc.yaml

the URL of prodel in the rule changes like below:

- "identity:delete_project": "(rule:cloud_admin or (rule:admin_required and (project_id:%(project_id)s or project_id:%(target.project.parent_id)s))) and (http://prodel.prodel.svc/check-delete_project/%(project_id)s)"
+ "identity:delete_project": "(rule:cloud_admin or (rule:admin_required and (project_id:%(project_id)s or project_id:%(target.project.parent_id)s))) and (http://prodel.keystone-namespace.svc/check-delete_project/%(project_id)s)"

@stanislav-zaprudskiy
Use named template to calculate prodel_url
9a84834 
To make it more readable.

Also, do not hard-code namespace name of `prodel` release in global
region, but rather rely on values provided via `global:globals` in
pipeline.
stanislav-zaprudskiy
stanislav-zaprudskiy approved these changes Feb 26, 2026
View reviewed changes
Copy link
Contributor

@stanislav-zaprudskiy stanislav-zaprudskiy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've pushed the update to use a named template for URL calculation to make it more readable, and also relying on global:globals values that the pipeline should supply when deploying in global region.

@tz3 tz3 merged commit 37aec9c into master Mar 5, 2026
2 checks passed
@tz3 tz3 deleted the enable-prodel-global-keystone branch March 5, 2026 12:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stanislav-zaprudskiy stanislav-zaprudskiy stanislav-zaprudskiy approved these changes

@bbobrov bbobrov bbobrov approved these changes

@galkindmitrii galkindmitrii Awaiting requested review from galkindmitrii galkindmitrii is a code owner

@Carthaca Carthaca Awaiting requested review from Carthaca Carthaca is a code owner

@fwiesel fwiesel Awaiting requested review from fwiesel fwiesel is a code owner

@rajivmucheli rajivmucheli Awaiting requested review from rajivmucheli rajivmucheli is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tz3 @stanislav-zaprudskiy @bbobrov