Enforce internal api for token verification

This change enforces the usage of internal api for token verification, so that internal requests to keystone uses internal endpoint instead of admin endpoint which is deployed on provisioning network by default. Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63 Closes-Bug: #1899266
2020-10-11 00:51:06 +09:00 · 2020-10-11 00:51:06 +09:00 · 37548ddb40
parent b6eb9fbe93
commit 37548ddb40
22 changed files with 23 additions and 1 deletions
--- a/deployment/aodh/aodh-base.yaml
+++ b/deployment/aodh/aodh-base.yaml
@ -107,6 +107,7 @@ outputs:
        aodh::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
        aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
        aodh::keystone::authtoken::region_name: {get_param: KeystoneRegion}
        aodh::keystone::authtoken::interface: 'internal'
        aodh::auth::auth_password: {get_param: AodhPassword}
        aodh::auth::auth_region: {get_param: KeystoneRegion}
        aodh::auth::auth_project_name: 'service'
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@ -242,6 +242,7 @@ outputs:
            barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            barbican::keystone::authtoken::project_name: 'service'
            barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            barbican::keystone::authtoken::interface: 'internal'
            barbican::keystone::notification::enable_keystone_notification: True
            barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
            barbican::policy::policies: {get_param: BarbicanPolicies}
--- a/deployment/cinder/cinder-api-container-puppet.yaml
+++ b/deployment/cinder/cinder-api-container-puppet.yaml
@ -182,6 +182,7 @@ outputs:
            cinder::keystone::authtoken::user_domain_name: 'Default'
            cinder::keystone::authtoken::project_domain_name: 'Default'
            cinder::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            cinder::keystone::authtoken::interface: 'internal'
            cinder::policy::policies: {get_param: CinderApiPolicies}
            cinder::notification_driver: {get_param: NotificationDriver}
            cinder::api::default_volume_type: {get_param: CinderDefaultVolumeType}
--- a/deployment/deprecated/mistral/mistral-base.yaml
+++ b/deployment/deprecated/mistral/mistral-base.yaml
@ -107,6 +107,7 @@ outputs:
        mistral::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
        mistral::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
        mistral::keystone::authtoken::region_name: {get_param: KeystoneRegion}
        mistral::keystone::authtoken::interface: 'internal'
        mistral::keystone_ec2_uri:
          list_join:
          - ''
--- a/deployment/deprecated/novajoin/novajoin-container-puppet.yaml
+++ b/deployment/deprecated/novajoin/novajoin-container-puppet.yaml
@ -134,6 +134,7 @@ outputs:
        nova::metadata::novajoin::authtoken::password: {get_param: NovajoinPassword}
        nova::metadata::novajoin::authtoken::project_name: 'service'
        nova::metadata::novajoin::authtoken::region_name: {get_param: KeystoneRegion}
        nova::metadata::novajoin::authtoken::interface: 'internal'
        nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
      service_config_settings:
        nova_metadata: &nova_vendordata
--- a/deployment/deprecated/sahara/sahara-base.yaml
+++ b/deployment/deprecated/sahara/sahara-base.yaml
@ -117,3 +117,4 @@ outputs:
        sahara::keystone::authtoken::user_domain_name: 'Default'
        sahara::keystone::authtoken::project_domain_name: 'Default'
        sahara::keystone::authtoken::region_name: {get_param: KeystoneRegion}
        sahara::keystone::authtoken::interface: 'internal'
--- a/deployment/experimental/designate/designate-api-container-puppet.yaml
+++ b/deployment/experimental/designate/designate-api-container-puppet.yaml
@ -104,6 +104,7 @@ outputs:
            designate::keystone::authtoken::project_name: 'service'
            designate::keystone::authtoken::password: {get_param: DesignatePassword}
            designate::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            designate::keystone::authtoken::interface: 'internal'
            tripleo::profile::base::designate::api::listen_ip:
              str_replace:
                template:
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@ -431,6 +431,7 @@ outputs:
            glance::api::authtoken::region_name: {get_param: KeystoneRegion}
            glance::api::authtoken::user_domain_name: 'Default'
            glance::api::authtoken::project_domain_name: 'Default'
            glance::api::authtoken::interface: 'internal'
            glance::api::pipeline:
              if:
              - glance_cache_enabled
--- a/deployment/gnocchi/gnocchi-api-container-puppet.yaml
+++ b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
@ -205,6 +205,7 @@ outputs:
            gnocchi::keystone::authtoken::user_domain_name: 'Default'
            gnocchi::keystone::authtoken::project_domain_name: 'Default'
            gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            gnocchi::keystone::authtoken::interface: 'internal'
            gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            gnocchi::wsgi::apache::servername:
              str_replace:
--- a/deployment/heat/heat-base-puppet.yaml
+++ b/deployment/heat/heat-base-puppet.yaml
@ -167,6 +167,7 @@ outputs:
            heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            heat::keystone::authtoken::password: {get_param: HeatPassword}
            heat::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            heat::keystone::authtoken::interface: 'internal'
            heat::heat_keystone_clients_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
            heat::keystone::domain::domain_name: 'heat_stack'
            heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
--- a/deployment/ironic/ironic-api-container-puppet.yaml
+++ b/deployment/ironic/ironic-api-container-puppet.yaml
@ -143,6 +143,7 @@ outputs:
            ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            ironic::api::authtoken::region_name: {get_param: KeystoneRegion }
            ironic::api::authtoken::interface: 'internal'
            # NOTE: bind IP is found in hiera replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
--- a/deployment/ironic/ironic-inspector-container-puppet.yaml
+++ b/deployment/ironic/ironic-inspector-container-puppet.yaml
@ -274,6 +274,7 @@ outputs:
            ironic::inspector::authtoken::user_domain_name: 'Default'
            ironic::inspector::authtoken::project_domain_name: 'Default'
            ironic::inspector::authtoken::region_name: {get_param: KeystoneRegion}
            ironic::inspector::authtoken::interface: 'internal'
            ironic::inspector::cors::allowed_origin: '*'
            ironic::inspector::cors::max_age: 3600
            ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
--- a/deployment/manila/manila-api-container-puppet.yaml
+++ b/deployment/manila/manila-api-container-puppet.yaml
@ -138,6 +138,7 @@ outputs:
            manila::keystone::authtoken::user_domain_name: 'Default'
            manila::keystone::authtoken::project_domain_name: 'Default'
            manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            manila::keystone::authtoken::interface: 'internal'
            # NOTE: bind IP is found in hiera replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
--- a/deployment/manila/manila-share-container-puppet.yaml
+++ b/deployment/manila/manila-share-container-puppet.yaml
@ -99,6 +99,7 @@ outputs:
            manila::keystone::authtoken::user_domain_name: 'Default'
            manila::keystone::authtoken::project_domain_name: 'Default'
            manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            manila::keystone::authtoken::interface: 'internal'
            # compute
            manila::compute::nova::username: 'manila'
            manila::compute::nova::password: {get_param: ManilaPassword}
--- a/deployment/neutron/neutron-api-container-puppet.yaml
+++ b/deployment/neutron/neutron-api-container-puppet.yaml
@ -298,6 +298,7 @@ outputs:
            neutron::keystone::authtoken::user_domain_name: 'Default'
            neutron::keystone::authtoken::project_domain_name: 'Default'
            neutron::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            neutron::keystone::authtoken::interface: 'internal'
            neutron::quota::quota_port: {get_param: NeutronPortQuota}
            neutron::quota::quota_security_group: {get_param: NeutronSecurityGroupQuota}
            neutron::server::placement::region_name: {get_param: KeystoneRegion}
--- a/deployment/nova/nova-api-container-puppet.yaml
+++ b/deployment/nova/nova-api-container-puppet.yaml
@ -193,6 +193,7 @@ outputs:
            nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            nova::keystone::authtoken::interface: 'internal'
            nova::api::enabled: true
            nova::api::default_floating_pool: {get_param: NovaDefaultFloatingPool}
            nova::api::enable_proxy_headers_parsing: true
--- a/deployment/nova/nova-compute-container-puppet.yaml
+++ b/deployment/nova/nova-compute-container-puppet.yaml
@ -731,6 +731,7 @@ outputs:
            nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            nova::keystone::authtoken::interface: 'internal'
            nova::cinder::username: 'cinder'
            nova::cinder::auth_type: 'v3password'
            nova::cinder::project_name: 'service'
--- a/deployment/nova/nova-metadata-container-puppet.yaml
+++ b/deployment/nova/nova-metadata-container-puppet.yaml
@ -136,6 +136,7 @@ outputs:
            nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
            nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            nova::keystone::authtoken::interface: 'internal'
            nova::wsgi::apache_metadata::api_port: '8775'
            nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
            nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}
--- a/deployment/octavia/octavia-api-container-puppet.yaml
+++ b/deployment/octavia/octavia-api-container-puppet.yaml
@ -165,13 +165,14 @@ outputs:
          - {get_attr: [OctaviaWorker, role_data, config_settings]}
          - {get_attr: [OctaviaProviderConfig, role_data, config_settings]}
          - octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
            octavia::policy::policies: {get_param: OctaviaApiPolicies}
            octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
            octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
            octavia::keystone::authtoken::user_domain_name: 'Default'
            octavia::keystone::authtoken::project_domain_name: 'Default'
            octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            octavia::keystone::authtoken::interface: 'internal'
            octavia::policy::policies: {get_param: OctaviaApiPolicies}
            octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
            octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
            octavia::api::service_name: 'httpd'
--- a/deployment/placement/placement-api-container-puppet.yaml
+++ b/deployment/placement/placement-api-container-puppet.yaml
@ -141,6 +141,7 @@ outputs:
            placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            placement::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            placement::keystone::authtoken::interface: 'internal'
            placement::wsgi::apache::api_port: '8778'
            placement::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            # NOTE: bind IP is found in hiera replacing the network name with the local node IP
--- a/deployment/swift/swift-proxy-container-puppet.yaml
+++ b/deployment/swift/swift-proxy-container-puppet.yaml
@ -160,6 +160,7 @@ outputs:
            swift::proxy::authtoken::password: {get_param: SwiftPassword}
            swift::proxy::authtoken::project_name: 'service'
            swift::proxy::authtoken::region_name: {get_param: KeystoneRegion}
            swift::proxy::authtoken::interface: 'internal'
            swift::proxy::s3token::www_authenticate_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
            swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
          -
--- a/deployment/zaqar/zaqar-container-puppet.yaml
+++ b/deployment/zaqar/zaqar-container-puppet.yaml
@ -159,6 +159,7 @@ outputs:
            zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            zaqar::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
            zaqar::keystone::authtoken::region_name: {get_param: KeystoneRegion}
            zaqar::keystone::authtoken::interface: 'internal'
            zaqar::keystone::trust::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            zaqar::logging::debug:
              if: