Fix keystone endpoint for heat servers
This patch changes the heat config so that communication between
the heat service and the other internal parts of openstack occurs over
the internal API endpoint, but a new heat configuration option [1] is set
which ensures that the keystone endpoint written into server configs
points to the external API endpoint.

This should address several long-running SSL-related failures when
self-signed certificates are used, and allows heat to work correctly when the
internal and external endpoints are on different networks.

Change-Id: I533ab16557cb83e2791dbb7267a97fb0d44e9ba6
Fixes-Bug: 1811086
Fixes-Bug: 1820591
Related-Bug: 1824646
Related-Bug: 1814909
Depends-On: https://review.opendev.org/678062
Jonathan Rosser committed Aug 22, 2019
1 parent 2d60bf6 commit 288634c
Showing 1 changed file with 4 additions and 3 deletions.
7 changes: 4 additions & 3 deletions templates/heat.conf.j2
@@ -14,6 +14,7 @@ stack_user_domain_name = {{ heat_stack_user_domain_name }}
max_nested_stack_depth = {{ heat_max_nested_stack_depth }}
heat_waitcondition_server_url = {{ heat_waitcondition_server_url }}
heat_metadata_server_url = {{ heat_metadata_server_url }}
server_keystone_endpoint_type = public

deferred_auth_method = {{ heat_deferred_auth_method }}
trusts_delegated_roles = {{ heat_trusts_delegated_roles | join(',') }}
@@ -43,13 +44,13 @@ endpoint_type = {{ heat_clients_heat_endpoint }}
[clients_keystone]
insecure = {{ keystone_service_internaluri_insecure | bool }}
endpoint_type = {{ heat_clients_endpoint }}
auth_uri = {{ keystone_service_publicuri }}
auth_uri = {{ keystone_service_internaluri }}

[database]
connection = mysql+pymysql://{{ heat_galera_user }}:{{ heat_container_mysql_password }}@{{ heat_galera_address }}/{{ heat_galera_database }}?charset=utf8{% if heat_galera_use_ssl | bool %}&ssl_ca={{ heat_galera_ssl_ca_cert }}{% endif %}

[ec2authtoken]
auth_uri = {{ keystone_service_publicuri }}
auth_uri = {{ keystone_service_internaluri }}

[heat_api]
bind_port = {{ heat_service_port }}
@@ -81,7 +82,7 @@ trace_sqlalchemy = {{ heat_profiler_trace_sqlalchemy }}
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_type = {{ heat_keystone_auth_plugin }}
auth_url = {{ keystone_service_adminurl }}
www_authenticate_uri = {{ keystone_service_publicuri }}
www_authenticate_uri = {{ keystone_service_internaluri }}
project_domain_id = {{ heat_service_project_domain_id }}
user_domain_id = {{ heat_service_user_domain_id }}
project_name = {{ heat_service_project_name }}
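Review bot: The `www_authenticate_uri` change in the last hunk appears to go further than the commit message intends; its section header is outside the hunk, presumably `[keystone_authtoken]`. Taking the `keystone_service_internaluri` line as the new side, the URL that keystonemiddleware returns in the `WWW-Authenticate` header of a 401 becomes the internal endpoint, so external API clients are pointed at an address they may not be able to reach and the internal address is disclosed to them. keystonemiddleware documents this option as the public identity endpoint, and `[clients_keystone] auth_uri` already moves Heat's own traffic to the internal endpoint, so I would keep `www_authenticate_uri = {{ keystone_service_publicuri }}`. Separately, `[ec2authtoken]` now targets the internal URI but the section as shown sets no `ca_file`, so with a self-signed internal certificate it is worth confirming that verification succeeds there without resorting to `insecure`.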