OpenStack Services Should Use keystone_internal_url for auth

Horizon and Neutron mistakenly were using keystone_public_url for authentication. This works without error in deployments when the internal services happen to have access to the public network, but it is still wrong. This fails to work when the internal services can not access the public URLs, for example when TLS is enabled on the public endppoints. This patches corrects horizon and neutron to use keystone_internal_url for auth. Change-Id: I59b9094364bef375036028ba86a771dabf28c963 Closes-bug: #1625648
2016-10-15 18:50:41 -04:00 · 2016-10-15 18:50:41 -04:00 · cc2dde0854
commit cc2dde0854
parent 57203424c2
2 changed files with 2 additions and 2 deletions
--- a/ansible/roles/horizon/templates/local_settings.j2
+++ b/ansible/roles/horizon/templates/local_settings.j2
@ -192,7 +192,7 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'

 OPENSTACK_HOST = "{% if orchestration_engine == 'KUBERNETES' %}{{ api_interface_address }}{% else %}{{ kolla_internal_fqdn }}{% endif %}"

-OPENSTACK_KEYSTONE_URL = "{{ keystone_public_url }}"
+OPENSTACK_KEYSTONE_URL = "{{ keystone_internal_url }}"
 OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ horizon_openstack_keystone_default_role }}"

 # Enables keystone web single-sign-on if set to True.
--- a/ansible/roles/neutron/templates/neutron.conf.j2
+++ b/ansible/roles/neutron/templates/neutron.conf.j2
@ -72,7 +72,7 @@ connection = mysql+pymysql://{{ neutron_database_user }}:{{ neutron_database_pas
 max_retries = -1

 [keystone_authtoken]
-auth_uri = {{ keystone_public_url }}
+auth_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
 project_domain_id = default