Enforce internal api for token verification

This change enforces the use of the internal API for token verification,
so that internal requests to keystone use the internal endpoint instead
of the admin endpoint, which is deployed on the provisioning network by default.

Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63
Closes-Bug: #1899266
changes/95/757295/2
Takashi Kajinami 2 years ago
parent b6eb9fbe93
commit 37548ddb40
  1. 1
      deployment/aodh/aodh-base.yaml
  2. 1
      deployment/barbican/barbican-api-container-puppet.yaml
  3. 1
      deployment/cinder/cinder-api-container-puppet.yaml
  4. 1
      deployment/deprecated/mistral/mistral-base.yaml
  5. 1
      deployment/deprecated/novajoin/novajoin-container-puppet.yaml
  6. 1
      deployment/deprecated/sahara/sahara-base.yaml
  7. 1
      deployment/experimental/designate/designate-api-container-puppet.yaml
  8. 1
      deployment/glance/glance-api-container-puppet.yaml
  9. 1
      deployment/gnocchi/gnocchi-api-container-puppet.yaml
  10. 1
      deployment/heat/heat-base-puppet.yaml
  11. 1
      deployment/ironic/ironic-api-container-puppet.yaml
  12. 1
      deployment/ironic/ironic-inspector-container-puppet.yaml
  13. 1
      deployment/manila/manila-api-container-puppet.yaml
  14. 1
      deployment/manila/manila-share-container-puppet.yaml
  15. 1
      deployment/neutron/neutron-api-container-puppet.yaml
  16. 1
      deployment/nova/nova-api-container-puppet.yaml
  17. 1
      deployment/nova/nova-compute-container-puppet.yaml
  18. 1
      deployment/nova/nova-metadata-container-puppet.yaml
  19. 3
      deployment/octavia/octavia-api-container-puppet.yaml
  20. 1
      deployment/placement/placement-api-container-puppet.yaml
  21. 1
      deployment/swift/swift-proxy-container-puppet.yaml
  22. 1
      deployment/zaqar/zaqar-container-puppet.yaml

@ -107,6 +107,7 @@ outputs:
aodh::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
aodh::keystone::authtoken::region_name: {get_param: KeystoneRegion}
aodh::keystone::authtoken::interface: 'internal'
aodh::auth::auth_password: {get_param: AodhPassword}
aodh::auth::auth_region: {get_param: KeystoneRegion}
aodh::auth::auth_project_name: 'service'
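Review bot: The new `aodh::keystone::authtoken::interface: 'internal'` key (and the matching key added in every other file section of this commit) presumes that each puppet-* module's `authtoken` class exposes an `interface` parameter; if any of them does not, puppet aborts on an unknown parameter rather than silently falling back to the admin endpoint, so this is worth confirming against the pinned module versions. The keystonemiddleware `interface` option selects which catalog endpoint is used for token validation, so a one-line comment next to the key, `# validate tokens against the internal keystone endpoint, not admin`, would make the intent of the setting clear to readers who only see this file. The enclosing `config_settings` map starts and ends outside the hunk.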

@ -242,6 +242,7 @@ outputs:
barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
barbican::keystone::authtoken::project_name: 'service'
barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
barbican::keystone::authtoken::interface: 'internal'
barbican::keystone::notification::enable_keystone_notification: True
barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
barbican::policy::policies: {get_param: BarbicanPolicies}

@ -182,6 +182,7 @@ outputs:
cinder::keystone::authtoken::user_domain_name: 'Default'
cinder::keystone::authtoken::project_domain_name: 'Default'
cinder::keystone::authtoken::region_name: {get_param: KeystoneRegion}
cinder::keystone::authtoken::interface: 'internal'
cinder::policy::policies: {get_param: CinderApiPolicies}
cinder::notification_driver: {get_param: NotificationDriver}
cinder::api::default_volume_type: {get_param: CinderDefaultVolumeType}

@ -107,6 +107,7 @@ outputs:
mistral::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
mistral::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
mistral::keystone::authtoken::region_name: {get_param: KeystoneRegion}
mistral::keystone::authtoken::interface: 'internal'
mistral::keystone_ec2_uri:
list_join:
- ''

@ -134,6 +134,7 @@ outputs:
nova::metadata::novajoin::authtoken::password: {get_param: NovajoinPassword}
nova::metadata::novajoin::authtoken::project_name: 'service'
nova::metadata::novajoin::authtoken::region_name: {get_param: KeystoneRegion}
nova::metadata::novajoin::authtoken::interface: 'internal'
nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
service_config_settings:
nova_metadata: &nova_vendordata

@ -117,3 +117,4 @@ outputs:
sahara::keystone::authtoken::user_domain_name: 'Default'
sahara::keystone::authtoken::project_domain_name: 'Default'
sahara::keystone::authtoken::region_name: {get_param: KeystoneRegion}
sahara::keystone::authtoken::interface: 'internal'

@ -104,6 +104,7 @@ outputs:
designate::keystone::authtoken::project_name: 'service'
designate::keystone::authtoken::password: {get_param: DesignatePassword}
designate::keystone::authtoken::region_name: {get_param: KeystoneRegion}
designate::keystone::authtoken::interface: 'internal'
tripleo::profile::base::designate::api::listen_ip:
str_replace:
template:

@ -431,6 +431,7 @@ outputs:
glance::api::authtoken::region_name: {get_param: KeystoneRegion}
glance::api::authtoken::user_domain_name: 'Default'
glance::api::authtoken::project_domain_name: 'Default'
glance::api::authtoken::interface: 'internal'
glance::api::pipeline:
if:
- glance_cache_enabled

@ -205,6 +205,7 @@ outputs:
gnocchi::keystone::authtoken::user_domain_name: 'Default'
gnocchi::keystone::authtoken::project_domain_name: 'Default'
gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
gnocchi::keystone::authtoken::interface: 'internal'
gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
gnocchi::wsgi::apache::servername:
str_replace:

@ -167,6 +167,7 @@ outputs:
heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
heat::keystone::authtoken::password: {get_param: HeatPassword}
heat::keystone::authtoken::region_name: {get_param: KeystoneRegion}
heat::keystone::authtoken::interface: 'internal'
heat::heat_keystone_clients_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
heat::keystone::domain::domain_name: 'heat_stack'
heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'

@ -143,6 +143,7 @@ outputs:
ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::api::authtoken::region_name: {get_param: KeystoneRegion }
ironic::api::authtoken::interface: 'internal'
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):

@ -274,6 +274,7 @@ outputs:
ironic::inspector::authtoken::user_domain_name: 'Default'
ironic::inspector::authtoken::project_domain_name: 'Default'
ironic::inspector::authtoken::region_name: {get_param: KeystoneRegion}
ironic::inspector::authtoken::interface: 'internal'
ironic::inspector::cors::allowed_origin: '*'
ironic::inspector::cors::max_age: 3600
ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'

@ -138,6 +138,7 @@ outputs:
manila::keystone::authtoken::user_domain_name: 'Default'
manila::keystone::authtoken::project_domain_name: 'Default'
manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
manila::keystone::authtoken::interface: 'internal'
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):

@ -99,6 +99,7 @@ outputs:
manila::keystone::authtoken::user_domain_name: 'Default'
manila::keystone::authtoken::project_domain_name: 'Default'
manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
manila::keystone::authtoken::interface: 'internal'
# compute
manila::compute::nova::username: 'manila'
manila::compute::nova::password: {get_param: ManilaPassword}

@ -298,6 +298,7 @@ outputs:
neutron::keystone::authtoken::user_domain_name: 'Default'
neutron::keystone::authtoken::project_domain_name: 'Default'
neutron::keystone::authtoken::region_name: {get_param: KeystoneRegion}
neutron::keystone::authtoken::interface: 'internal'
neutron::quota::quota_port: {get_param: NeutronPortQuota}
neutron::quota::quota_security_group: {get_param: NeutronSecurityGroupQuota}
neutron::server::placement::region_name: {get_param: KeystoneRegion}

@ -193,6 +193,7 @@ outputs:
nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
nova::keystone::authtoken::interface: 'internal'
nova::api::enabled: true
nova::api::default_floating_pool: {get_param: NovaDefaultFloatingPool}
nova::api::enable_proxy_headers_parsing: true

@ -731,6 +731,7 @@ outputs:
nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
nova::keystone::authtoken::interface: 'internal'
nova::cinder::username: 'cinder'
nova::cinder::auth_type: 'v3password'
nova::cinder::project_name: 'service'

@ -136,6 +136,7 @@ outputs:
nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
nova::keystone::authtoken::interface: 'internal'
nova::wsgi::apache_metadata::api_port: '8775'
nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}
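Review bot: `nova::keystone::authtoken::auth_url` two lines above the new `interface: 'internal'` key still resolves to `[EndpointMap, KeystoneAdmin, uri_no_suffix]`, so the metadata API's authtoken middleware appears to keep authenticating its service credentials against the admin endpoint the commit description says sits on the provisioning network; `interface` only steers the subsequent token-validation call, not that initial auth. Every other section in this commit (nova-api at the `-193` hunk, nova-compute at the `-731` hunk) uses `KeystoneInternal` for `auth_url`. For consistency with those, and with the stated goal, this line likely wants `nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}`. The enclosing `config_settings` map continues outside the hunk.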

@ -165,13 +165,14 @@ outputs:
- {get_attr: [OctaviaWorker, role_data, config_settings]}
- {get_attr: [OctaviaProviderConfig, role_data, config_settings]}
- octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
octavia::policy::policies: {get_param: OctaviaApiPolicies}
octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
octavia::keystone::authtoken::user_domain_name: 'Default'
octavia::keystone::authtoken::project_domain_name: 'Default'
octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
octavia::keystone::authtoken::interface: 'internal'
octavia::policy::policies: {get_param: OctaviaApiPolicies}
octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
octavia::api::service_name: 'httpd'
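Review bot: This section carries three changes for a one-key commit: besides the new `octavia::keystone::authtoken::interface: 'internal'`, `octavia::policy::policies: {get_param: OctaviaApiPolicies}` appears both near the top of the hunk and again after the new key, which with the `-165,13 +165,14` counts reads as the line being moved rather than duplicated (the `+`/`-` markers are not preserved on this page, so this is inferred). If it is a move, it is unrelated to token verification and would be easier to review as a separate change; if both copies survive on the new side, the duplicate YAML key should be dropped. The enclosing list item and `config_settings` map start and end outside the hunk.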

@ -141,6 +141,7 @@ outputs:
placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
placement::keystone::authtoken::region_name: {get_param: KeystoneRegion}
placement::keystone::authtoken::interface: 'internal'
placement::wsgi::apache::api_port: '8778'
placement::wsgi::apache::ssl: {get_param: EnableInternalTLS}
# NOTE: bind IP is found in hiera replacing the network name with the local node IP

@ -160,6 +160,7 @@ outputs:
swift::proxy::authtoken::password: {get_param: SwiftPassword}
swift::proxy::authtoken::project_name: 'service'
swift::proxy::authtoken::region_name: {get_param: KeystoneRegion}
swift::proxy::authtoken::interface: 'internal'
swift::proxy::s3token::www_authenticate_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
-

@ -159,6 +159,7 @@ outputs:
zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
zaqar::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
zaqar::keystone::authtoken::region_name: {get_param: KeystoneRegion}
zaqar::keystone::authtoken::interface: 'internal'
zaqar::keystone::trust::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
zaqar::logging::debug:
if:
