Use Keystone internal endpoint instead of admin for services

The admin endpoint is listening on the ctlplane network by default; services should ideally be using the internal api network for this kind of traffic, as the ctlplane network is mostly for provisioning. On the other hand, the admin endpoint shouldn't be as relevant with services switching to keystone v3. Change-Id: I1213a83ef8693c1cca1d20de974f7949a801d9f1
2017-02-10 20:47:13 +02:00 · 2017-02-10 20:47:13 +02:00 · d1eb0bc0dc
parent fab8f52263
commit d1eb0bc0dc
23 changed files with 24 additions and 24 deletions
--- a/puppet/services/aodh-base.yaml
+++ b/puppet/services/aodh-base.yaml
@ -80,7 +80,7 @@ outputs:
        aodh::keystone::authtoken::project_name: 'service'
        aodh::keystone::authtoken::password: {get_param: AodhPassword}
        aodh::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-        aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+        aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
        aodh::auth::auth_password: {get_param: AodhPassword}
        aodh::auth::auth_region: 'regionOne'
        aodh::auth::auth_tenant_name: 'service'
--- a/puppet/services/barbican-api.yaml
+++ b/puppet/services/barbican-api.yaml
@ -75,7 +75,7 @@ outputs:
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - barbican::keystone::authtoken::password: {get_param: BarbicanPassword}
            barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
-            barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+            barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            barbican::keystone::authtoken::project_name: 'service'
            barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]}
            barbican::api::db_auto_create: false
--- a/puppet/services/ceilometer-base.yaml
+++ b/puppet/services/ceilometer-base.yaml
@ -102,7 +102,7 @@ outputs:
        ceilometer::keystone::authtoken::project_name: 'service'
        ceilometer::keystone::authtoken::password: {get_param: CeilometerPassword}
        ceilometer::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-        ceilometer::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+        ceilometer::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
        ceilometer::agent::auth::auth_password: {get_param: CeilometerPassword}
        ceilometer::agent::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
        ceilometer::agent::notification::event_pipeline_publishers: {get_param: EventPipelinePublishers}
--- a/puppet/services/ceph-rgw.yaml
+++ b/puppet/services/ceph-rgw.yaml
@ -54,7 +54,7 @@ outputs:
          - get_attr: [CephBase, role_data, config_settings]
          - tripleo::profile::base::ceph::rgw::rgw_key: {get_param: CephRgwKey}
            tripleo::profile::base::ceph::rgw::keystone_admin_token: {get_param: AdminToken}
-            tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+            tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            tripleo::profile::base::ceph::rgw::civetweb_bind_ip: {get_param: [ServiceNetMap, CephRgwNetwork]}
            tripleo::profile::base::ceph::rgw::civetweb_bind_port: {get_param: [EndpointMap, CephRgwInternal, port]}
            tripleo::profile::base::ceph::rgw::rgw_keystone_version: v3
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@ -81,7 +81,7 @@ outputs:
          - get_attr: [CinderBase, role_data, config_settings]
          - get_attr: [ApacheServiceBase, role_data, config_settings]
          - cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
-            cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+            cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            cinder::keystone::authtoken::password: {get_param: CinderPassword}
            cinder::keystone::authtoken::project_name: 'service'
            cinder::api::enable_proxy_headers_parsing: true
--- a/puppet/services/ec2-api.yaml
+++ b/puppet/services/ec2-api.yaml
@ -66,7 +66,7 @@ outputs:
          ec2api::keystone::authtoken::project_name: 'service'
          ec2api::keystone::authtoken::password: {get_param: Ec2ApiPassword}
          ec2api::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-          ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+          ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
          ec2api::api::enabled: true
          ec2api::package_manage: {get_param: EnablePackageInstall}
          ec2api::api::ec2api_listen:
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@ -95,7 +95,7 @@ outputs:
                  - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
            glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
            glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-            glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+            glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            glance::api::enable_v1_api: false
            glance::api::enable_v2_api: true
            glance::api::authtoken::password: {get_param: GlancePassword}
--- a/puppet/services/gnocchi-api.yaml
+++ b/puppet/services/gnocchi-api.yaml
@ -84,7 +84,7 @@ outputs:
            gnocchi::api::enable_proxy_headers_parsing: true
            gnocchi::api::service_name: 'httpd'
            gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
-            gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+            gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword}
            gnocchi::keystone::authtoken::project_name: 'service'
            gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
@ -105,7 +105,7 @@ outputs:
            gnocchi::wsgi::apache::wsgi_process_display_name: 'gnocchi_wsgi'

            gnocchi::api::keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
-            gnocchi::api::keystone_identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+            gnocchi::api::keystone_identity_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneInternal, uri]}
      step_config: |
        include ::tripleo::profile::base::gnocchi::api
--- a/puppet/services/heat-base.yaml
+++ b/puppet/services/heat-base.yaml
@ -122,7 +122,7 @@ outputs:
        heat::rabbit_heartbeat_timeout_threshold: 60
        heat::keystone::authtoken::project_name: 'service'
        heat::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-        heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+        heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
        heat::keystone::authtoken::password: {get_param: HeatPassword}
        heat::keystone::domain::domain_name: 'heat_stack'
        heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
--- a/puppet/services/ironic-api.yaml
+++ b/puppet/services/ironic-api.yaml
@ -51,7 +51,7 @@ outputs:
            ironic::api::authtoken::project_name: 'service'
            ironic::api::authtoken::username: 'ironic'
            ironic::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-            ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+            ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            # NOTE: bind IP is found in Heat replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
--- a/puppet/services/manila-api.yaml
+++ b/puppet/services/manila-api.yaml
@ -49,7 +49,7 @@ outputs:
          - get_attr: [ManilaBase, role_data, config_settings]
          - manila::keystone::authtoken::password: {get_param: ManilaPassword}
            manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
-            manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+            manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            manila::keystone::authtoken::project_name: 'service'
            tripleo.manila_api.firewall_rules:
              '150 manila':
--- a/puppet/services/manila-share.yaml
+++ b/puppet/services/manila-share.yaml
@ -46,7 +46,7 @@ outputs:
          - manila::volume::cinder::cinder_admin_tenant_name: 'service'
            manila::keystone::authtoken::password: {get_param: ManilaPassword}
            manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
-            manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+            manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            manila::keystone::authtoken::project_name: 'service'
      service_config_settings:
        get_attr: [ManilaBase, role_data, service_config_settings]
--- a/puppet/services/mistral-base.yaml
+++ b/puppet/services/mistral-base.yaml
@ -76,7 +76,7 @@ outputs:
        mistral::keystone_tenant: 'service'
        mistral::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
        mistral::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]}
-        mistral::identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+        mistral::identity_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
      service_config_settings:
        keystone:
          mistral::keystone::auth::tenant: 'service'
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@ -130,7 +130,7 @@ outputs:
                  - '?bind_address='
                  - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
            neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-            neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+            neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            neutron::server::api_workers: {get_param: NeutronWorkers}
            neutron::server::rpc_workers: {get_param: NeutronWorkers}
            neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover}
--- a/puppet/services/neutron-metadata.yaml
+++ b/puppet/services/neutron-metadata.yaml
@ -70,7 +70,7 @@ outputs:
          - neutron::agents::metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret}
            neutron::agents::metadata::metadata_workers: {get_param: NeutronWorkers}
            neutron::agents::metadata::auth_password: {get_param: NeutronPassword}
-            neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+            neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
            neutron::agents::metadata::auth_tenant: 'service'
            neutron::agents::metadata::metadata_ip: "%{hiera('nova_metadata_vip')}"
      step_config: |
--- a/puppet/services/neutron-plugin-plumgrid.yaml
+++ b/puppet/services/neutron-plugin-plumgrid.yaml
@ -102,7 +102,7 @@ outputs:
              - '/ovs_neutron'
              - '?bind_address='
              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
-        neutron::plugins::plumgrid::controller_priv_host: {get_param: [EndpointMap, KeystoneAdmin, host]}
+        neutron::plugins::plumgrid::controller_priv_host: {get_param: [EndpointMap, KeystoneInternal, host]}
        neutron::plugins::plumgrid::admin_password: {get_param: AdminPassword}
        neutron::plugins::plumgrid::metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
        neutron::plugins::plumgrid::director_server: {get_param: PLUMgridDirectorServer}
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@ -108,7 +108,7 @@ outputs:
          nova::keystone::authtoken::project_name: 'service'
          nova::keystone::authtoken::password: {get_param: NovaPassword}
          nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-          nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+          nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
          nova::api::enabled: true
          nova::api::default_floating_pool: {get_param: NovaDefaultFloatingPool}
          nova::api::sync_db_api: true
--- a/puppet/services/nova-base.yaml
+++ b/puppet/services/nova-base.yaml
@ -139,7 +139,7 @@ outputs:
          nova::rabbit_port: {get_param: RabbitClientPort}
          nova::placement::project_name: 'service'
          nova::placement::password: {get_param: NovaPassword}
-          nova::placement::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+          nova::placement::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
          nova::placement::os_region_name: {get_param: KeystoneRegion}
          nova::placement::os_interface: {get_param: NovaPlacementAPIInterface}
          nova::database_connection:
--- a/puppet/services/octavia-api.yaml
+++ b/puppet/services/octavia-api.yaml
@ -68,7 +68,7 @@ outputs:
                  - '/octavia'
                  - '?bind_address='
                  - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
-            octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+            octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            octavia::keystone::authtoken::project_name: 'service'
            octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
            octavia::api::sync_db: true
--- a/puppet/services/panko-base.yaml
+++ b/puppet/services/panko-base.yaml
@ -53,7 +53,7 @@ outputs:
        panko::keystone::authtoken::project_name: 'service'
        panko::keystone::authtoken::password: {get_param: PankoPassword}
        panko::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-        panko::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+        panko::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
        panko::auth::auth_password: {get_param: PankoPassword}
        panko::auth::auth_region: 'regionOne'
        panko::auth::auth_tenant_name: 'service'
--- a/puppet/services/sahara-base.yaml
+++ b/puppet/services/sahara-base.yaml
@ -73,7 +73,7 @@ outputs:
        sahara::debug: {get_param: Debug}
        sahara::admin_password: {get_param: SaharaPassword}
        sahara::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-        sahara::identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
+        sahara::identity_uri: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
        sahara::use_neutron: true
        sahara::plugins: {get_param: SaharaPlugins}
        sahara::rpc_backend: rabbit
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@ -87,7 +87,7 @@ outputs:
          - get_attr: [SwiftBase, role_data, config_settings]

          - swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
-            swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+            swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            swift::proxy::authtoken::password: {get_param: SwiftPassword}
            swift::proxy::authtoken::project_name: 'service'
            swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
--- a/puppet/services/zaqar.yaml
+++ b/puppet/services/zaqar.yaml
@ -40,7 +40,7 @@ outputs:
      config_settings:
        zaqar::keystone::authtoken::password: {get_param: ZaqarPassword}
        zaqar::keystone::authtoken::project_name: 'service'
-        zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+        zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
        zaqar::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
        zaqar::debug: {get_param: Debug}
        zaqar::transport::websocket::bind: {get_param: [EndpointMap, ZaqarInternal, host]}