Use public keystone URL for www_authenticate_uri

The `www_authenticate_uri` parameter is used to indicate to clients where they should get a token from in order to authenticate against a service. Most clients are not expected to be able to talk to the internal identity endpoint, so this parameter should refer to the public endpoint instead, see also [0]. [0] https://opendev.org/openstack/keystonemiddleware/src/branch/master/keystonemiddleware/auth_token/_opts.py#L31-L50 Change-Id: Ic99804967b5a62b5a9e39486749474520734ba48
2024-12-30 16:25:02 +01:00
parent c5b2829492
commit 9ecdf2f0a3
25 changed files with 33 additions and 25 deletions
--- a/ansible/roles/aodh/templates/aodh.conf.j2
+++ b/ansible/roles/aodh/templates/aodh.conf.j2
@@ -20,7 +20,7 @@ service_type = alarming
 memcache_security_strategy = {{ memcache_security_strategy }}
 memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 project_domain_name = {{ default_project_domain_name }}
 project_name = service
 user_domain_name = {{ default_user_domain_name }}
--- a/ansible/roles/barbican/templates/barbican.conf.j2
+++ b/ansible/roles/barbican/templates/barbican.conf.j2
@@ -59,7 +59,7 @@ topic = barbican_notifications

 [keystone_authtoken]
 service_type = key-manager
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 project_domain_id = {{ default_project_domain_id }}
 project_name = service
 user_domain_id = {{ default_user_domain_id }}
--- a/ansible/roles/blazar/templates/blazar.conf.j2
+++ b/ansible/roles/blazar/templates/blazar.conf.j2
@@ -21,7 +21,7 @@ plugins = virtual.instance.plugin,physical.host.plugin

 [keystone_authtoken]
 service_type = reservation
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = default
--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
@@ -123,7 +123,7 @@ service_type = volume
 # see: https://security.openstack.org/ossa/OSSA-2023-003.html
 # and: https://docs.openstack.org/cinder/zed/configuration/block-storage/service-token.html#troubleshooting
 service_token_roles_required = true
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/ansible/roles/cloudkitty/templates/cloudkitty.conf.j2
+++ b/ansible/roles/cloudkitty/templates/cloudkitty.conf.j2
@@ -18,7 +18,7 @@ max_retries = -1

 [keystone_authtoken]
 service_type = rating
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/ansible/roles/cyborg/templates/cyborg.conf.j2
+++ b/ansible/roles/cyborg/templates/cyborg.conf.j2
@@ -20,7 +20,7 @@ memcache_security_strategy = {{ memcache_security_strategy }}
 memcache_secret_key = {{ memcache_secret_key }}
 memcache_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}

-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 project_domain_name = {{ default_project_domain_name }}
 project_name = service
 user_domain_name = {{ default_user_domain_name }}
--- a/ansible/roles/designate/templates/designate.conf.j2
+++ b/ansible/roles/designate/templates/designate.conf.j2
@@ -20,7 +20,7 @@ enabled_extensions_admin = quotas, reports

 [keystone_authtoken]
 service_type = dns
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/ansible/roles/glance/templates/glance-api.conf.j2
+++ b/ansible/roles/glance/templates/glance-api.conf.j2
@@ -39,7 +39,7 @@ max_retries = -1

 [keystone_authtoken]
 service_type = image
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/ansible/roles/gnocchi/templates/gnocchi.conf.j2
+++ b/ansible/roles/gnocchi/templates/gnocchi.conf.j2
@@ -45,7 +45,7 @@ url = mysql+pymysql://{{ gnocchi_database_user }}:{{ gnocchi_database_password }

 [keystone_authtoken]
 service_type = metric
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 project_domain_id = {{ default_project_domain_id }}
 project_name = service
 user_domain_id = {{ default_user_domain_id }}
--- a/ansible/roles/heat/templates/heat.conf.j2
+++ b/ansible/roles/heat/templates/heat.conf.j2
@@ -30,7 +30,7 @@ max_retries = -1

 [keystone_authtoken]
 service_type = orchestration
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/ansible/roles/ironic/templates/ironic-inspector.conf.j2
+++ b/ansible/roles/ironic/templates/ironic-inspector.conf.j2
@@ -44,7 +44,7 @@ endpoint_override = {{ ironic_internal_endpoint }}
 {% if ironic_enable_keystone_integration | bool %}
 [keystone_authtoken]
 service_type = baremetal-introspection
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/ansible/roles/ironic/templates/ironic.conf.j2
+++ b/ansible/roles/ironic/templates/ironic.conf.j2
@@ -74,7 +74,7 @@ max_retries = -1
 {% if ironic_enable_keystone_integration | bool %}
 [keystone_authtoken]
 service_type = baremetal
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/ansible/roles/magnum/templates/magnum.conf.j2
+++ b/ansible/roles/magnum/templates/magnum.conf.j2
@@ -81,7 +81,7 @@ cafile = {{ openstack_cacert }}

 [keystone_authtoken]
 service_type = container-infra
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_name = {{ default_project_domain_name }}
--- a/ansible/roles/manila/templates/manila.conf.j2
+++ b/ansible/roles/manila/templates/manila.conf.j2
@@ -32,7 +32,7 @@ max_retries = -1

 [keystone_authtoken]
 service_type = share
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/ansible/roles/masakari/templates/masakari.conf.j2
+++ b/ansible/roles/masakari/templates/masakari.conf.j2
@@ -23,7 +23,7 @@ max_retries = -1

 [keystone_authtoken]
 service_type = instance-ha
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_name = {{ default_project_domain_name }}
--- a/ansible/roles/mistral/templates/mistral.conf.j2
+++ b/ansible/roles/mistral/templates/mistral.conf.j2
@@ -40,7 +40,7 @@ max_retries = -1

 [keystone_authtoken]
 service_type = workflow
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/ansible/roles/neutron/templates/neutron.conf.j2
+++ b/ansible/roles/neutron/templates/neutron.conf.j2
@@ -106,7 +106,7 @@ max_retries = -1

 [keystone_authtoken]
 service_type = network
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@@ -113,7 +113,7 @@ memcache_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address

 [keystone_authtoken]
 service_type = compute
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/ansible/roles/octavia/templates/octavia.conf.j2
+++ b/ansible/roles/octavia/templates/octavia.conf.j2
@@ -59,7 +59,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres

 [keystone_authtoken]
 service_type = load-balancer
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/ansible/roles/placement/templates/placement.conf.j2
+++ b/ansible/roles/placement/templates/placement.conf.j2
@@ -26,7 +26,7 @@ memcache_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address

 [keystone_authtoken]
 service_type = placement
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/ansible/roles/tacker/templates/tacker.conf.j2
+++ b/ansible/roles/tacker/templates/tacker.conf.j2
@@ -33,7 +33,7 @@ max_retries = -1

 [keystone_authtoken]
 service_type = nfv-orchestration
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_name = {{ default_project_domain_id }}
--- a/ansible/roles/trove/templates/trove.conf.j2
+++ b/ansible/roles/trove/templates/trove.conf.j2
@@ -54,7 +54,7 @@ max_retries = -1

 [keystone_authtoken]
 service_type = database
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 project_domain_name = {{ default_project_domain_name }}
 project_name = service
 user_domain_name = {{ default_user_domain_name }}
--- a/ansible/roles/watcher/templates/watcher.conf.j2
+++ b/ansible/roles/watcher/templates/watcher.conf.j2
@@ -20,7 +20,7 @@ max_retries = -1

 [keystone_authtoken]
 service_type = infra-optim
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/ansible/roles/zun/templates/zun.conf.j2
+++ b/ansible/roles/zun/templates/zun.conf.j2
@@ -28,7 +28,7 @@ max_retries = -1
 # keystone_authtoken sections are used and Zun internals may use either -
 # - best keep them both in sync
 [keystone_auth]
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
@@ -51,7 +51,7 @@ memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_addres
 # - best keep them both in sync
 [keystone_authtoken]
 service_type = container
-www_authenticate_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/releasenotes/notes/use-public-www-authenticate-uri-1144df4d205f8ebd.yaml
+++ b/releasenotes/notes/use-public-www-authenticate-uri-1144df4d205f8ebd.yaml
@@ -0,0 +1,8 @@
+---
+other:
+  - |
+    The `www_authenticate_uri` parameter, which is used to indicate to
+    clients where they should get a token from in order to authenticate against
+    a service, is switched from the internal identity endpoint to the public
+    endpoint, see also
+    `this note <https://opendev.org/openstack/keystonemiddleware/src/branch/master/keystonemiddleware/auth_token/_opts.py#L31-L50>`_.