Use public endpoint for [keystone_authtoken] www_authenticate_uri

According to the parameter description, www_authenticate_uri should be complete public Identity endpoint, which is accessible by all end users. This change replaces internal endpoint by public endpoint to meet that requirement. Closes-Bug: #1955397 Change-Id: I30165c8ee5aa4b777b73ad89ac709e2c8a375382
2021-12-20 19:46:44 +09:00 · 2021-12-20 19:46:44 +09:00 · 160936df13
parent d2850ab047
commit 160936df13
18 changed files with 18 additions and 18 deletions
--- a/deployment/aodh/aodh-api-container-puppet.yaml
+++ b/deployment/aodh/aodh-api-container-puppet.yaml
@ -178,7 +178,7 @@ outputs:
            aodh::keystone::authtoken::user_domain_name: 'Default'
            aodh::keystone::authtoken::project_domain_name: 'Default'
            aodh::keystone::authtoken::password: {get_param: AodhPassword}
-            aodh::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
+            aodh::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
            aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            aodh::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            aodh::keystone::authtoken::interface: 'internal'
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@ -228,7 +228,7 @@ outputs:
          - get_attr: [BarbicanApiLogging, config_settings]
          - apache::default_vhost: false
            barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
-            barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            barbican::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
            barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            barbican::keystone::authtoken::project_name: 'service'
            barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
--- a/deployment/cinder/cinder-api-container-puppet.yaml
+++ b/deployment/cinder/cinder-api-container-puppet.yaml
@ -165,7 +165,7 @@ outputs:
          - get_attr: [CinderBase, role_data, config_settings]
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - keystone_resources_managed: false
-          - cinder::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+          - cinder::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
            cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            cinder::keystone::authtoken::password: {get_param: CinderPassword}
            cinder::keystone::authtoken::project_name: 'service'
--- a/deployment/deprecated/novajoin/novajoin-container-puppet.yaml
+++ b/deployment/deprecated/novajoin/novajoin-container-puppet.yaml
@ -132,7 +132,7 @@ outputs:
        # kerberos via puppet.
        nova::metadata::novajoin::api::configure_kerberos: true
        nova::metadata::novajoin::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
-        nova::metadata::novajoin::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+        nova::metadata::novajoin::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
        nova::metadata::novajoin::authtoken::password: {get_param: NovajoinPassword}
        nova::metadata::novajoin::authtoken::project_name: 'service'
        nova::metadata::novajoin::authtoken::region_name: {get_param: KeystoneRegion}
--- a/deployment/designate/designate-api-container-puppet.yaml
+++ b/deployment/designate/designate-api-container-puppet.yaml
@ -104,7 +104,7 @@ outputs:
        map_merge:
          - get_attr: [DesignateBase, role_data, config_settings]
          - designate::api::enable_proxy_headers_parsing: true
-            designate::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+            designate::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
            designate::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            designate::keystone::authtoken::project_name: 'service'
            designate::keystone::authtoken::password: {get_param: DesignatePassword}
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@ -486,7 +486,7 @@ outputs:
                      read_default_group: tripleo

            glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
-            glance::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
+            glance::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
            glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            glance::api::enable_v1_api: false
            glance::api::enable_v2_api: true
--- a/deployment/gnocchi/gnocchi-api-container-puppet.yaml
+++ b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
@ -203,7 +203,7 @@ outputs:
            gnocchi::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
            gnocchi::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
            gnocchi::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
-            gnocchi::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            gnocchi::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
            gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword}
            gnocchi::keystone::authtoken::project_name: 'service'
--- a/deployment/heat/heat-base-puppet.yaml
+++ b/deployment/heat/heat-base-puppet.yaml
@ -191,7 +191,7 @@ outputs:
            heat::keystone::authtoken::project_name: 'service'
            heat::keystone::authtoken::user_domain_name: 'Default'
            heat::keystone::authtoken::project_domain_name: 'Default'
-            heat::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
+            heat::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
            heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            heat::keystone::authtoken::password: {get_param: HeatPassword}
            heat::keystone::authtoken::region_name: {get_param: KeystoneRegion}
--- a/deployment/ironic/ironic-conductor-container-puppet.yaml
+++ b/deployment/ironic/ironic-conductor-container-puppet.yaml
@ -412,7 +412,7 @@ outputs:
            - ironic::json_rpc::auth_strategy: {get_param: IronicAuthStrategy}
              ironic::api::authtoken::password: {get_param: IronicPassword}
              ironic::api::authtoken::project_name: 'service'
-              ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+              ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
              ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
              ironic::api::authtoken::region_name: {get_param: KeystoneRegion}
              ironic::api::authtoken::interface: 'internal'
--- a/deployment/ironic/ironic-inspector-container-puppet.yaml
+++ b/deployment/ironic/ironic-inspector-container-puppet.yaml
@ -302,7 +302,7 @@ outputs:
            ironic::inspector::pxe_filter::driver: dnsmasq
            ironic::inspector::logging::debug: {get_param: Debug}
            ironic::inspector::always_store_ramdisk_logs: {get_param: Debug}
-            ironic::inspector::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+            ironic::inspector::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri, uri_no_suffix] }
            ironic::inspector::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            ironic::inspector::authtoken::username: 'ironic'
            ironic::inspector::authtoken::password: {get_param: IronicPassword}
--- a/deployment/manila/manila-api-container-puppet.yaml
+++ b/deployment/manila/manila-api-container-puppet.yaml
@ -177,7 +177,7 @@ outputs:
          - get_attr: [ManilaBase, role_data, config_settings]
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - manila::keystone::authtoken::password: {get_param: ManilaPassword}
-            manila::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            manila::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
            manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            manila::keystone::authtoken::project_name: 'service'
            manila::keystone::authtoken::user_domain_name: 'Default'
--- a/deployment/manila/manila-share-container-puppet.yaml
+++ b/deployment/manila/manila-share-container-puppet.yaml
@ -92,7 +92,7 @@ outputs:
          - get_attr: [ManilaBase, role_data, config_settings]
            # keystone_authtoken
          - manila::keystone::authtoken::password: {get_param: ManilaPassword}
-            manila::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
+            manila::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri]}
            manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            manila::keystone::authtoken::project_name: 'service'
            manila::keystone::authtoken::user_domain_name: 'Default'
--- a/deployment/neutron/neutron-api-container-puppet.yaml
+++ b/deployment/neutron/neutron-api-container-puppet.yaml
@ -319,7 +319,7 @@ outputs:
                    - read_default_file: /etc/my.cnf.d/tripleo.cnf
                      read_default_group: tripleo
            neutron::policy::policies: {get_param: NeutronApiPolicies}
-            neutron::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
+            neutron::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
            neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            neutron::server::agent_down_time: {get_param: NeutronAgentDownTime}
            neutron::server::auth_strategy: {get_param: NeutronAuthStrategy}
--- a/deployment/nova/nova-api-container-puppet.yaml
+++ b/deployment/nova/nova-api-container-puppet.yaml
@ -365,7 +365,7 @@ outputs:
            nova::keystone::authtoken::user_domain_name: 'Default'
            nova::keystone::authtoken::project_domain_name: 'Default'
            nova::keystone::authtoken::password: {get_param: NovaPassword}
-            nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
+            nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
            nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            nova::keystone::authtoken::interface: 'internal'
--- a/deployment/nova/nova-metadata-container-puppet.yaml
+++ b/deployment/nova/nova-metadata-container-puppet.yaml
@ -155,7 +155,7 @@ outputs:
          - apache::default_vhost: false
          - nova::keystone::authtoken::project_name: 'service'
            nova::keystone::authtoken::password: {get_param: NovaPassword}
-            nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
+            nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
            nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
            nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            nova::keystone::authtoken::interface: 'internal'
--- a/deployment/octavia/octavia-api-container-puppet.yaml
+++ b/deployment/octavia/octavia-api-container-puppet.yaml
@ -168,7 +168,7 @@ outputs:
          - {get_attr: [OctaviaBase, role_data, config_settings]}
          - {get_attr: [OctaviaWorker, role_data, config_settings]}
          - {get_attr: [OctaviaProviderConfig, role_data, config_settings]}
-          - octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
+          - octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
            octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
            octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
--- a/deployment/placement/placement-api-container-puppet.yaml
+++ b/deployment/placement/placement-api-container-puppet.yaml
@ -153,7 +153,7 @@ outputs:
          - apache::default_vhost: false
            placement::keystone::authtoken::project_name: 'service'
            placement::keystone::authtoken::password: {get_param: PlacementPassword}
-            placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
            placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            placement::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            placement::keystone::authtoken::interface: 'internal'
--- a/deployment/swift/swift-proxy-container-puppet.yaml
+++ b/deployment/swift/swift-proxy-container-puppet.yaml
@ -165,7 +165,7 @@ outputs:
              if:
                - cors_allowed_origin_set
                - {get_param: SwiftCorsAllowedOrigin}
-            swift::proxy::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+            swift::proxy::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
            swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            swift::proxy::authtoken::password: {get_param: SwiftPassword}
            swift::proxy::authtoken::project_name: 'service'