Enforce internal api for token verification
This change enforces the use of the internal API for token verification,
so that internal requests to keystone use the internal endpoint instead
of the admin endpoint, which is deployed on the provisioning network by default.
Conflicts:
deployment/heat/heat-base-puppet.yaml
deployment/nova/nova-api-container-puppet.yaml
Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63
Closes-Bug: #1899266
(cherry picked from commit 37548ddb40
)
parent
8e412bd6ce
commit
a10dee72cf
|
@ -107,6 +107,7 @@ outputs:
|
|||
aodh::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
aodh::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
aodh::keystone::authtoken::interface: 'internal'
|
||||
aodh::auth::auth_password: {get_param: AodhPassword}
|
||||
aodh::auth::auth_region: {get_param: KeystoneRegion}
|
||||
aodh::auth::auth_project_name: 'service'
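Review bot: The new `aodh::keystone::authtoken::interface: 'internal'` key has no comment saying why the interface is pinned, and the same bare literal is added in every other service section on this page (barbican through zaqar). A one-line comment above the key, such as `# Validate tokens via the internal Keystone endpoint; the admin endpoint sits on the provisioning network by default`, would keep the reason next to the setting. Because the value is a literal repeated per template, a service that gains an authtoken section later has nothing prompting it to set this key, so a shared default may be worth considering. The outputs mapping continues outside the hunk.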
|
||||
|
|
|
@ -253,6 +253,7 @@ outputs:
|
|||
barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
barbican::keystone::authtoken::project_name: 'service'
|
||||
barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
barbican::keystone::authtoken::interface: 'internal'
|
||||
barbican::keystone::notification::enable_keystone_notification: True
|
||||
barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
|
||||
barbican::policy::policies: {get_param: BarbicanPolicies}
|
||||
|
|
|
@ -186,6 +186,7 @@ outputs:
|
|||
cinder::keystone::authtoken::user_domain_name: 'Default'
|
||||
cinder::keystone::authtoken::project_domain_name: 'Default'
|
||||
cinder::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
cinder::keystone::authtoken::interface: 'internal'
|
||||
cinder::policy::policies: {get_param: CinderApiPolicies}
|
||||
cinder::notification_driver: {get_param: NotificationDriver}
|
||||
cinder::api::default_volume_type: {get_param: CinderDefaultVolumeType}
|
||||
|
|
|
@ -117,3 +117,4 @@ outputs:
|
|||
sahara::keystone::authtoken::user_domain_name: 'Default'
|
||||
sahara::keystone::authtoken::project_domain_name: 'Default'
|
||||
sahara::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
sahara::keystone::authtoken::interface: 'internal'
|
||||
|
|
|
@ -104,6 +104,7 @@ outputs:
|
|||
designate::keystone::authtoken::project_name: 'service'
|
||||
designate::keystone::authtoken::password: {get_param: DesignatePassword}
|
||||
designate::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
designate::keystone::authtoken::interface: 'internal'
|
||||
tripleo::profile::base::designate::api::listen_ip:
|
||||
str_replace:
|
||||
template:
|
||||
|
|
|
@ -422,6 +422,7 @@ outputs:
|
|||
glance::api::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
glance::api::authtoken::user_domain_name: 'Default'
|
||||
glance::api::authtoken::project_domain_name: 'Default'
|
||||
glance::api::authtoken::interface: 'internal'
|
||||
glance::api::pipeline:
|
||||
if:
|
||||
- glance_cache_enabled
|
||||
|
|
|
@ -205,6 +205,7 @@ outputs:
|
|||
gnocchi::keystone::authtoken::user_domain_name: 'Default'
|
||||
gnocchi::keystone::authtoken::project_domain_name: 'Default'
|
||||
gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
gnocchi::keystone::authtoken::interface: 'internal'
|
||||
gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||
gnocchi::wsgi::apache::servername:
|
||||
str_replace:
|
||||
|
|
|
@ -178,6 +178,7 @@ outputs:
|
|||
heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
heat::keystone::authtoken::password: {get_param: HeatPassword}
|
||||
heat::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
heat::keystone::authtoken::interface: 'internal'
|
||||
heat::keystone::domain::domain_name: 'heat_stack'
|
||||
heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
|
||||
heat::keystone::domain::domain_admin_email: 'heat_stack_domain_admin@localhost'
|
||||
|
|
|
@ -143,6 +143,7 @@ outputs:
|
|||
ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
ironic::api::authtoken::region_name: {get_param: KeystoneRegion }
|
||||
ironic::api::authtoken::interface: 'internal'
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the
|
||||
# local node IP for the given network; replacement examples
|
||||
# (eg. for internal_api):
|
||||
|
|
|
@ -274,6 +274,7 @@ outputs:
|
|||
ironic::inspector::authtoken::user_domain_name: 'Default'
|
||||
ironic::inspector::authtoken::project_domain_name: 'Default'
|
||||
ironic::inspector::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
ironic::inspector::authtoken::interface: 'internal'
|
||||
ironic::inspector::cors::allowed_origin: '*'
|
||||
ironic::inspector::cors::max_age: 3600
|
||||
ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
|
||||
|
|
|
@ -138,6 +138,7 @@ outputs:
|
|||
manila::keystone::authtoken::user_domain_name: 'Default'
|
||||
manila::keystone::authtoken::project_domain_name: 'Default'
|
||||
manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
manila::keystone::authtoken::interface: 'internal'
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the
|
||||
# local node IP for the given network; replacement examples
|
||||
# (eg. for internal_api):
|
||||
|
|
|
@ -99,6 +99,7 @@ outputs:
|
|||
manila::keystone::authtoken::user_domain_name: 'Default'
|
||||
manila::keystone::authtoken::project_domain_name: 'Default'
|
||||
manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
manila::keystone::authtoken::interface: 'internal'
|
||||
# compute
|
||||
manila::compute::nova::username: 'manila'
|
||||
manila::compute::nova::password: {get_param: ManilaPassword}
|
||||
|
|
|
@ -107,6 +107,7 @@ outputs:
|
|||
mistral::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
|
||||
mistral::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
mistral::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
mistral::keystone::authtoken::interface: 'internal'
|
||||
mistral::keystone_ec2_uri:
|
||||
list_join:
|
||||
- ''
|
||||
|
|
|
@ -308,6 +308,7 @@ outputs:
|
|||
neutron::keystone::authtoken::user_domain_name: 'Default'
|
||||
neutron::keystone::authtoken::project_domain_name: 'Default'
|
||||
neutron::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
neutron::keystone::authtoken::interface: 'internal'
|
||||
neutron::quota::quota_port: {get_param: NeutronPortQuota}
|
||||
neutron::quota::quota_security_group: {get_param: NeutronSecurityGroupQuota}
|
||||
neutron::server::sync_db: true
|
||||
|
|
|
@ -225,6 +225,7 @@ outputs:
|
|||
nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
nova::keystone::authtoken::interface: 'internal'
|
||||
nova::api::max_limit: {get_param: NovaApiMaxLimit}
|
||||
nova::api::enabled: true
|
||||
nova::api::default_floating_pool: {get_param: NovaDefaultFloatingPool}
|
||||
|
|
|
@ -836,6 +836,7 @@ outputs:
|
|||
nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
nova::keystone::authtoken::interface: 'internal'
|
||||
nova::cinder::username: 'cinder'
|
||||
nova::cinder::auth_type: 'v3password'
|
||||
nova::cinder::project_name: 'service'
|
||||
|
|
|
@ -163,6 +163,7 @@ outputs:
|
|||
nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
|
||||
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
nova::keystone::authtoken::interface: 'internal'
|
||||
nova::wsgi::apache_metadata::api_port: '8775'
|
||||
nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
|
||||
nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}
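Review bot: `nova::keystone::authtoken::auth_url` in this hunk still resolves to `[EndpointMap, KeystoneAdmin, uri_no_suffix]`, so this service keeps authenticating its service user against the admin endpoint even with `interface: 'internal'` added below it. The two other nova sections on this page use `KeystoneInternal` for the same key, and the commit message gives the admin endpoint's placement on the provisioning network as the reason for the change. If this is not deliberate, the line should read `nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}`. The line appears to be unchanged context, so the fix may belong in a follow-up; the surrounding mapping continues outside the hunk.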
|
||||
|
|
|
@ -134,6 +134,7 @@ outputs:
|
|||
nova::metadata::novajoin::authtoken::password: {get_param: NovajoinPassword}
|
||||
nova::metadata::novajoin::authtoken::project_name: 'service'
|
||||
nova::metadata::novajoin::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
nova::metadata::novajoin::authtoken::interface: 'internal'
|
||||
nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
|
||||
service_config_settings:
|
||||
nova_metadata: &nova_vendordata
|
||||
|
|
|
@ -165,13 +165,14 @@ outputs:
|
|||
- {get_attr: [OctaviaWorker, role_data, config_settings]}
|
||||
- {get_attr: [OctaviaProviderConfig, role_data, config_settings]}
|
||||
- octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
||||
octavia::policy::policies: {get_param: OctaviaApiPolicies}
|
||||
octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
|
||||
octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
|
||||
octavia::keystone::authtoken::user_domain_name: 'Default'
|
||||
octavia::keystone::authtoken::project_domain_name: 'Default'
|
||||
octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
octavia::keystone::authtoken::interface: 'internal'
|
||||
octavia::policy::policies: {get_param: OctaviaApiPolicies}
|
||||
octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
|
||||
octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
|
||||
octavia::api::sync_db: true
|
||||
|
|
|
@ -141,6 +141,7 @@ outputs:
|
|||
placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
placement::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
placement::keystone::authtoken::interface: 'internal'
|
||||
placement::wsgi::apache::api_port: '8778'
|
||||
placement::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||
|
|
|
@ -168,6 +168,7 @@ outputs:
|
|||
swift::proxy::authtoken::password: {get_param: SwiftPassword}
|
||||
swift::proxy::authtoken::project_name: 'service'
|
||||
swift::proxy::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
swift::proxy::authtoken::interface: 'internal'
|
||||
swift::proxy::s3token::www_authenticate_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
|
||||
swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
|
||||
-
|
||||
|
|
|
@ -159,6 +159,7 @@ outputs:
|
|||
zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
zaqar::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
|
||||
zaqar::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
zaqar::keystone::authtoken::interface: 'internal'
|
||||
zaqar::keystone::trust::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
zaqar::logging::debug:
|
||||
if:
|
||||
|
|