From 288634ce0bf042bed614b3f764753d7b65a7170f Mon Sep 17 00:00:00 2001
From: Jonathan Rosser
Date: Fri, 26 Jul 2019 11:20:48 +0100
Subject: [PATCH] Fix keystone endpoint for heat servers
This patch changes the heat config so that communication between the heat service and the other internal parts of openstack occurs over the internal API endpoint, but a new heat configuration option [1] is set which ensures that the keystone endpoint written into server configs points to the external API endpoint. This should address several long running SSL related failures when self signed certificates are used, and allows heat to work correctly when the internal and external endpoints are on different networks.
Change-Id: I533ab16557cb83e2791dbb7267a97fb0d44e9ba6
Fixes-Bug: 1811086
Fixes-Bug: 1820591
Related-Bug: 1824646
Related-Bug: 1814909
Depends-On: https://review.opendev.org/678062
---
 templates/heat.conf.j2 | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/templates/heat.conf.j2 b/templates/heat.conf.j2
index e47381d..52195d9 100644
--- a/templates/heat.conf.j2
+++ b/templates/heat.conf.j2
@@ -14,6 +14,7 @@ stack_user_domain_name = {{ heat_stack_user_domain_name }}
 max_nested_stack_depth = {{ heat_max_nested_stack_depth }}
 heat_waitcondition_server_url = {{ heat_waitcondition_server_url }}
 heat_metadata_server_url = {{ heat_metadata_server_url }}
+server_keystone_endpoint_type = public
 deferred_auth_method = {{ heat_deferred_auth_method }}
 trusts_delegated_roles = {{ heat_trusts_delegated_roles | join(',') }}
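Review bot: The new `server_keystone_endpoint_type = public` is the only hard-coded value in a template where every other option is rendered from a role variable, so an operator whose instances can only reach Keystone through a different endpoint type has no way to override it without forking the template. Consider `server_keystone_endpoint_type = {{ heat_server_keystone_endpoint_type }}` with the role default set to `public`, plus a comment such as `# Keystone endpoint type written into Heat-managed server configs; must be reachable from tenant networks`; whether such a variable already exists in the role is not visible here. Note also that servers will now be handed the public endpoint, so with the self-signed certificates the description mentions the guest images presumably need that CA trusted, which this hunk cannot address but a release note should record.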
@@ -43,13 +44,13 @@ endpoint_type = {{ heat_clients_heat_endpoint }}
 [clients_keystone]
 insecure = {{ keystone_service_internaluri_insecure | bool }}
 endpoint_type = {{ heat_clients_endpoint }}
-auth_uri = {{ keystone_service_publicuri }}
+auth_uri = {{ keystone_service_internaluri }}
 [database]
 connection = mysql+pymysql://{{ heat_galera_user }}:{{ heat_container_mysql_password }}@{{ heat_galera_address }}/{{ heat_galera_database }}?charset=utf8{% if heat_galera_use_ssl | bool %}&ssl_ca={{ heat_galera_ssl_ca_cert }}{% endif %}
 [ec2authtoken]
-auth_uri = {{ keystone_service_publicuri }}
+auth_uri = {{ keystone_service_internaluri }}
 [heat_api]
 bind_port = {{ heat_service_port }}
@@ -81,7 +82,7 @@ trace_sqlalchemy = {{ heat_profiler_trace_sqlalchemy }}
 insecure = {{ keystone_service_internaluri_insecure | bool }}
 auth_type = {{ heat_keystone_auth_plugin }}
 auth_url = {{ keystone_service_adminurl }}
-www_authenticate_uri = {{ keystone_service_publicuri }}
+www_authenticate_uri = {{ keystone_service_internaluri }}
 project_domain_id = {{ heat_service_project_domain_id }}
 user_domain_id = {{ heat_service_user_domain_id }}
 project_name = {{ heat_service_project_name }}
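Review bot: In `[ec2authtoken]` the `auth_uri` now points at the internal endpoint, but unlike `[clients_keystone]` the section carries no `insecure` or `ca_file` setting in this hunk, so if the internal endpoint presents the self-signed certificate the description mentions, EC2 token validation may fail while the other sections succeed. Unless those keys are set outside the hunk, add `insecure = {{ keystone_service_internaluri_insecure | bool }}` under `[ec2authtoken]` next to `auth_uri`, so the same trust decision governs every internal Keystone call this file configures. Which certificate the internal endpoint actually presents is not visible here; this is inferred from the surrounding sections.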
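Review bot: `www_authenticate_uri` is the value keystonemiddleware advertises to unauthenticated API clients in the `WWW-Authenticate` header of 401 responses, so rendering it as `{{ keystone_service_internaluri }}` discloses the internal Keystone address to external users and points them at a URL that may be unreachable from outside. Unlike `auth_url` and the client sections, this option is not used by Heat to reach Keystone itself, so it could stay `www_authenticate_uri = {{ keystone_service_publicuri }}` without reintroducing the SSL failures the commit fixes, unless exposing the internal URI to API clients is intended deployment-wide. The section header (presumably `[keystone_authtoken]`) lies outside the hunk, so the section's remaining options are not visible here.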