Enforce internal api for token verification
This change enforces the usage of internal api for token verification, so that internal requests to keystone uses internal endpoint instead of admin endpoint which is deployed on provisioning network by default. Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63 Closes-Bug: #1899266
This commit is contained in:
Takashi Kajinami
parent
b6eb9fbe93
commit
37548ddb40
|
|
@ -107,6 +107,7 @@ outputs:
|
|||
aodh::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
aodh::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
aodh::keystone::authtoken::interface: 'internal'
|
||||
aodh::auth::auth_password: {get_param: AodhPassword}
|
||||
aodh::auth::auth_region: {get_param: KeystoneRegion}
|
||||
aodh::auth::auth_project_name: 'service'
|
||||
|
|
|
|||
|
|
@ -242,6 +242,7 @@ outputs:
|
|||
barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
barbican::keystone::authtoken::project_name: 'service'
|
||||
barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
barbican::keystone::authtoken::interface: 'internal'
|
||||
barbican::keystone::notification::enable_keystone_notification: True
|
||||
barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
|
||||
barbican::policy::policies: {get_param: BarbicanPolicies}
|
||||
|
|
|
|||
|
|
@ -182,6 +182,7 @@ outputs:
|
|||
cinder::keystone::authtoken::user_domain_name: 'Default'
|
||||
cinder::keystone::authtoken::project_domain_name: 'Default'
|
||||
cinder::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
cinder::keystone::authtoken::interface: 'internal'
|
||||
cinder::policy::policies: {get_param: CinderApiPolicies}
|
||||
cinder::notification_driver: {get_param: NotificationDriver}
|
||||
cinder::api::default_volume_type: {get_param: CinderDefaultVolumeType}
|
||||
|
|
|
|||
|
|
@ -107,6 +107,7 @@ outputs:
|
|||
mistral::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
|
||||
mistral::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
mistral::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
mistral::keystone::authtoken::interface: 'internal'
|
||||
mistral::keystone_ec2_uri:
|
||||
list_join:
|
||||
- ''
|
||||
|
|
|
|||
|
|
@ -134,6 +134,7 @@ outputs:
|
|||
nova::metadata::novajoin::authtoken::password: {get_param: NovajoinPassword}
|
||||
nova::metadata::novajoin::authtoken::project_name: 'service'
|
||||
nova::metadata::novajoin::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
nova::metadata::novajoin::authtoken::interface: 'internal'
|
||||
nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
|
||||
service_config_settings:
|
||||
nova_metadata: &nova_vendordata
|
||||
|
|
|
|||
|
|
@ -117,3 +117,4 @@ outputs:
|
|||
sahara::keystone::authtoken::user_domain_name: 'Default'
|
||||
sahara::keystone::authtoken::project_domain_name: 'Default'
|
||||
sahara::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
sahara::keystone::authtoken::interface: 'internal'
|
||||
|
|
|
|||
|
|
@ -104,6 +104,7 @@ outputs:
|
|||
designate::keystone::authtoken::project_name: 'service'
|
||||
designate::keystone::authtoken::password: {get_param: DesignatePassword}
|
||||
designate::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
designate::keystone::authtoken::interface: 'internal'
|
||||
tripleo::profile::base::designate::api::listen_ip:
|
||||
str_replace:
|
||||
template:
|
||||
|
|
|
|||
|
|
@ -431,6 +431,7 @@ outputs:
|
|||
glance::api::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
glance::api::authtoken::user_domain_name: 'Default'
|
||||
glance::api::authtoken::project_domain_name: 'Default'
|
||||
glance::api::authtoken::interface: 'internal'
|
||||
glance::api::pipeline:
|
||||
if:
|
||||
- glance_cache_enabled
|
||||
|
|
|
|||
|
|
@ -205,6 +205,7 @@ outputs:
|
|||
gnocchi::keystone::authtoken::user_domain_name: 'Default'
|
||||
gnocchi::keystone::authtoken::project_domain_name: 'Default'
|
||||
gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
gnocchi::keystone::authtoken::interface: 'internal'
|
||||
gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||
gnocchi::wsgi::apache::servername:
|
||||
str_replace:
|
||||
|
|
|
|||
|
|
@ -167,6 +167,7 @@ outputs:
|
|||
heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
heat::keystone::authtoken::password: {get_param: HeatPassword}
|
||||
heat::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
heat::keystone::authtoken::interface: 'internal'
|
||||
heat::heat_keystone_clients_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
|
||||
heat::keystone::domain::domain_name: 'heat_stack'
|
||||
heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
|
||||
|
|
|
|||
|
|
@ -143,6 +143,7 @@ outputs:
|
|||
ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
ironic::api::authtoken::region_name: {get_param: KeystoneRegion }
|
||||
ironic::api::authtoken::interface: 'internal'
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the
|
||||
# local node IP for the given network; replacement examples
|
||||
# (eg. for internal_api):
|
||||
|
|
|
|||
|
|
@ -274,6 +274,7 @@ outputs:
|
|||
ironic::inspector::authtoken::user_domain_name: 'Default'
|
||||
ironic::inspector::authtoken::project_domain_name: 'Default'
|
||||
ironic::inspector::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
ironic::inspector::authtoken::interface: 'internal'
|
||||
ironic::inspector::cors::allowed_origin: '*'
|
||||
ironic::inspector::cors::max_age: 3600
|
||||
ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
|
||||
|
|
|
|||
|
|
@ -138,6 +138,7 @@ outputs:
|
|||
manila::keystone::authtoken::user_domain_name: 'Default'
|
||||
manila::keystone::authtoken::project_domain_name: 'Default'
|
||||
manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
manila::keystone::authtoken::interface: 'internal'
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the
|
||||
# local node IP for the given network; replacement examples
|
||||
# (eg. for internal_api):
|
||||
|
|
|
|||
|
|
@ -99,6 +99,7 @@ outputs:
|
|||
manila::keystone::authtoken::user_domain_name: 'Default'
|
||||
manila::keystone::authtoken::project_domain_name: 'Default'
|
||||
manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
manila::keystone::authtoken::interface: 'internal'
|
||||
# compute
|
||||
manila::compute::nova::username: 'manila'
|
||||
manila::compute::nova::password: {get_param: ManilaPassword}
|
||||
|
|
|
|||
|
|
@ -298,6 +298,7 @@ outputs:
|
|||
neutron::keystone::authtoken::user_domain_name: 'Default'
|
||||
neutron::keystone::authtoken::project_domain_name: 'Default'
|
||||
neutron::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
neutron::keystone::authtoken::interface: 'internal'
|
||||
neutron::quota::quota_port: {get_param: NeutronPortQuota}
|
||||
neutron::quota::quota_security_group: {get_param: NeutronSecurityGroupQuota}
|
||||
neutron::server::placement::region_name: {get_param: KeystoneRegion}
|
||||
|
|
|
|||
|
|
@ -193,6 +193,7 @@ outputs:
|
|||
nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
nova::keystone::authtoken::interface: 'internal'
|
||||
nova::api::enabled: true
|
||||
nova::api::default_floating_pool: {get_param: NovaDefaultFloatingPool}
|
||||
nova::api::enable_proxy_headers_parsing: true
|
||||
|
|
|
|||
|
|
@ -731,6 +731,7 @@ outputs:
|
|||
nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
nova::keystone::authtoken::interface: 'internal'
|
||||
nova::cinder::username: 'cinder'
|
||||
nova::cinder::auth_type: 'v3password'
|
||||
nova::cinder::project_name: 'service'
|
||||
|
|
|
|||
|
|
@ -136,6 +136,7 @@ outputs:
|
|||
nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
|
||||
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
nova::keystone::authtoken::interface: 'internal'
|
||||
nova::wsgi::apache_metadata::api_port: '8775'
|
||||
nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
|
||||
nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}
|
||||
|
|
|
|||
|
|
@ -165,13 +165,14 @@ outputs:
|
|||
- {get_attr: [OctaviaWorker, role_data, config_settings]}
|
||||
- {get_attr: [OctaviaProviderConfig, role_data, config_settings]}
|
||||
- octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
||||
octavia::policy::policies: {get_param: OctaviaApiPolicies}
|
||||
octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
|
||||
octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
|
||||
octavia::keystone::authtoken::user_domain_name: 'Default'
|
||||
octavia::keystone::authtoken::project_domain_name: 'Default'
|
||||
octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
octavia::keystone::authtoken::interface: 'internal'
|
||||
octavia::policy::policies: {get_param: OctaviaApiPolicies}
|
||||
octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
|
||||
octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
|
||||
octavia::api::service_name: 'httpd'
|
||||
|
|
|
|||
|
|
@ -141,6 +141,7 @@ outputs:
|
|||
placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
placement::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
placement::keystone::authtoken::interface: 'internal'
|
||||
placement::wsgi::apache::api_port: '8778'
|
||||
placement::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||
|
|
|
|||
|
|
@ -160,6 +160,7 @@ outputs:
|
|||
swift::proxy::authtoken::password: {get_param: SwiftPassword}
|
||||
swift::proxy::authtoken::project_name: 'service'
|
||||
swift::proxy::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
swift::proxy::authtoken::interface: 'internal'
|
||||
swift::proxy::s3token::www_authenticate_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
|
||||
swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
|
||||
-
|
||||
|
|
|
|||
|
|
@ -159,6 +159,7 @@ outputs:
|
|||
zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
zaqar::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
|
||||
zaqar::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
zaqar::keystone::authtoken::interface: 'internal'
|
||||
zaqar::keystone::trust::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
zaqar::logging::debug:
|
||||
if:
|
||||
|
|
|
|||
Loading…
Reference in New Issue