Hello Openstack-discuss, I am wondering what the current recommendations / best-practices are in regards to the endpoints of keystone (and other services). There are three types of endpoints: public, internal and admin: * "public" certainly is for API access done by cloud users - so measures like rate limiting are likely in place. * "internal" is an alternative URL to be used by other services. Sounds reasonable to have an alternate path for the internal communication of OpenStack services, like having a management network Also reading https://docs.openstack.org/security-guide/api-endpoints/api-endpoint-configuration-recommendations.html this seems to be the recommendation. * "admin" - This is the one that gives me a little headache. According to commits 1) https://opendev.org/openstack/keystone/commit/4ec69218454d9f8be7150e2cee50c28765d50c94 2) https://github.com/openstack/keystone/commit/ecf721a3c176daf67d00536c48e80e78bded1af6 there should actually be no admin endpoint for Keystone anymore. Or should there? But looking at openstack-ansible doing the endpoint config (https://opendev.org/openstack/openstack-ansible-os_keystone/src/commit/a020ff87cde136a5c507b2cdc719d8c1dd85824d/tasks/main.yml#L246) all tree types are still configured? Backwards compatibility for services still expecting this endpoint? 1) Ceilometer - https://bugs.launchpad.net/ceilometer/+bug/1981207 2) Heat - https://review.opendev.org/c/openstack/openstacksdk/+/777343 Apart from Keystone also other services have "admin" endpoints which can be configured and placed as such into the service catalog. What is the reasoning behind that? Thanks and with kind regards, Christian