Fix keystone endpoint for heat servers

This patch changes the heat config so that communication between
the heat service and the other internal parts of openstack occurs over
the internal API endpoint, but a new heat configuration option [1] is set
which ensures that the keystone endpoint written into server configs
points to the external API endpoint.

This should address several long-running SSL-related failures when
self-signed certificates are used, and allows heat to work correctly when the
internal and external endpoints are on different networks.

Change-Id: I533ab16557cb83e2791dbb7267a97fb0d44e9ba6
Fixes-Bug: 1811086
Fixes-Bug: 1820591
Related-Bug: 1824646
Related-Bug: 1814909
Depends-On: https://review.opendev.org/678062
Jonathan Rosser 2019-07-26 11:20:48 +01:00
parent 2d60bf6e38
commit 288634ce0b
1 changed files with 4 additions and 3 deletions


@ -14,6 +14,7 @@ stack_user_domain_name = {{ heat_stack_user_domain_name }}
max_nested_stack_depth = {{ heat_max_nested_stack_depth }}
heat_waitcondition_server_url = {{ heat_waitcondition_server_url }}
heat_metadata_server_url = {{ heat_metadata_server_url }}
server_keystone_endpoint_type = public
deferred_auth_method = {{ heat_deferred_auth_method }}
trusts_delegated_roles = {{ heat_trusts_delegated_roles | join(',') }}
@ -43,13 +44,13 @@ endpoint_type = {{ heat_clients_heat_endpoint }}
[clients_keystone]
insecure = {{ keystone_service_internaluri_insecure | bool }}
endpoint_type = {{ heat_clients_endpoint }}
auth_uri = {{ keystone_service_publicuri }}
auth_uri = {{ keystone_service_internaluri }}
[database]
connection = mysql+pymysql://{{ heat_galera_user }}:{{ heat_container_mysql_password }}@{{ heat_galera_address }}/{{ heat_galera_database }}?charset=utf8{% if heat_galera_use_ssl | bool %}&ssl_ca={{ heat_galera_ssl_ca_cert }}{% endif %}
[ec2authtoken]
auth_uri = {{ keystone_service_publicuri }}
auth_uri = {{ keystone_service_internaluri }}
[heat_api]
bind_port = {{ heat_service_port }}
@ -81,7 +82,7 @@ trace_sqlalchemy = {{ heat_profiler_trace_sqlalchemy }}
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_type = {{ heat_keystone_auth_plugin }}
auth_url = {{ keystone_service_adminurl }}
www_authenticate_uri = {{ keystone_service_publicuri }}
www_authenticate_uri = {{ keystone_service_internaluri }}
project_domain_id = {{ heat_service_project_domain_id }}
user_domain_id = {{ heat_service_user_domain_id }}
project_name = {{ heat_service_project_name }}
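Review bot: In the second hunk, `[ec2authtoken]` now points `auth_uri` at `{{ keystone_service_internaluri }}`, but the section as shown carries no TLS setting of its own, whereas `[clients_keystone]` just above pairs the same URI with `insecure = {{ keystone_service_internaluri_insecure | bool }}`. If the EC2 token check does not inherit the client settings (not visible on this page, worth confirming), signed requests validated through this section would fail certificate verification whenever the internal endpoint presents a self-signed certificate. Rather than extending `insecure` to this section, I would add `ca_file = <path to the internal CA bundle>` so that verification stays enabled on the internal network. Separately, `server_keystone_endpoint_type = public` in the first hunk is the only literal among templated values. A role variable defaulting to `public` would let deployers whose instances reach Keystone over a different endpoint override it without a config override.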