Fix Zun connectivity to itself and Cinder

Zun was misconfigured and defaulted to using public endpoints
which are likely inaccessible from the internal network.
This patch fixes that and removes unused and deprecated
options. Validity of options confirmed from Queens to Train
against respective docs.

Change-Id: I25cc8792351c43eb9ff45465e49fa72ceccd6cb5
Closes-bug: #1840572
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
(cherry picked from commit b693746cb0bbe2ea382cb6fbd620f83045ed3295)

ansible/roles/zun/templates/zun.conf.j2

@@ -11,34 +11,24 @@ transport_url = {{ rpc_transport_url }}
 
 state_path = /var/lib/zun
 container_driver = docker.driver.DockerDriver
-db_type = sql
 
 [network]
 driver = kuryr
 
-[oslo_messaging_notifications]
-transport_url = {{ notify_transport_url }}
-driver = messaging
-
 [api]
 host_ip = {{ api_interface_address }}
 port = {{ zun_api_port }}
 workers = {{ openstack_service_workers }}
 
-[compute]
-topic = zun-compute
-
 [database]
 connection = mysql+pymysql://{{ zun_database_user }}:{{ zun_database_password }}@{{ zun_database_address }}/{{ zun_database_name }}
 max_retries = -1
 
-[zun_client]
-version = 1
-service_type = container
-service_name = zun
-
+# NOTE(yoctozepto): despite what the docs say, both keystone_auth and
+# keystone_authtoken sections are used and Zun internals may use either -
+# - best keep them both in sync
 [keystone_auth]
-auth_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
@@ -46,11 +36,18 @@ user_domain_id = {{ default_user_domain_id }}
 project_name = service
 username = {{ zun_keystone_user }}
 password = {{ zun_keystone_password }}
+service_token_roles_required = True
+region_name = {{ openstack_region_name }}
 
+{% if enable_memcached | bool %}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+{% endif %}
 
+# NOTE(yoctozepto): despite what the docs say, both keystone_auth and
+# keystone_authtoken sections are used and Zun internals may use either -
+# - best keep them both in sync
 [keystone_authtoken]
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_admin_url }}
@@ -61,32 +58,27 @@ project_name = service
 username = {{ zun_keystone_user }}
 password = {{ zun_keystone_password }}
 service_token_roles_required = True
+region_name = {{ openstack_region_name }}
 
+{% if enable_memcached | bool %}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+{% endif %}
+
+[zun_client]
+region_name = {{ openstack_region_name }}
+endpoint_type = internalURL
 
 [glance_client]
-auth_uri = {{ keystone_internal_url }}
-auth_url = {{ keystone_admin_url }}
-auth_type = password
-project_domain_id = {{ default_project_domain_id }}
-user_domain_id = {{ default_user_domain_id }}
-project_name = service
-username = {{ zun_keystone_user }}
-password = {{ zun_keystone_password }}
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
 
 [neutron_client]
-auth_uri = {{ keystone_internal_url }}
-auth_url = {{ keystone_admin_url }}
-auth_type = password
-project_domain_id = {{ default_project_domain_id }}
-user_domain_id = {{ default_user_domain_id }}
-project_name = service
-username = {{ zun_keystone_user }}
-password = {{ zun_keystone_password }}
+region_name = {{ openstack_region_name }}
+endpoint_type = internalURL
+
+[cinder_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL