[Openstack-operators] keystone authentication on public interface

Van Leeuwen, Robert rovanleeuwen at ebay.com
Fri Apr 15 08:32:58 UTC 2016


>
>Hello folks,
>
>I was wondering if you let me know if enabling keystone to listen on public interface for ports 5000 and 35357 is considered as a normal practice. Example if a customer wants to authenticate not via horizon or some other proxy but setting up OS_AUTH_URL=http://blah  variable to be able to run OpenStack commands in cli.

I think this depends a bit on your user base.
Personally I see horizon more of a getting-started thing for people who are not extremely technical and maybe want one or two instances which never change.

You really need the APIs if you want to automate deployments (e.g. using Terraform).
If you have e.g. ops teams using it, they will probably want APIs.

Depending on your user base (private/public cloud) you choose to expose the APIs on private/public IP space.
Since there are some pretty big OpenStack clouds facing the internet, e.g. Rackspace, I think the APIs are battle-tested.

Regarding how & ports:
I would terminate everything on port 443 (so people do not have to mess with firewalls) and offload SSL to a load balancer.
You can do host-header inspection on the load balancer so e.g. keystone.example.com goes to your keystone server on port 5000 and keystone-admin.example.com goes to port 35357 (if you choose to expose it).

Cheers,
Robert van Leeuwen
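As an added illustration of the setup Robert describes (this is example configuration written for this page, not something from the original post or from any OpenStack project), here is an HAProxy front end that terminates TLS on 443 and routes by Host header to keystone's public port 5000 and admin port 35357. The hostnames, backend addresses, certificate path and the 10.0.0.0/8 operator network are assumptions; adjust them to your environment.

```haproxy
# Added example, not from the original post. HAProxy 2.x configuration:
# one TLS listener on 443, Host-header routing to keystone's two ports,
# and the admin endpoint restricted to an assumed operator network.
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend openstack_api
    # Assumed certificate path; the PEM holds key + chain for both hostnames.
    bind *:443 ssl crt /etc/haproxy/certs/api.example.com.pem alpn h2,http/1.1
    bind *:80
    # Never serve the API over plain HTTP; redirect instead.
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Let keystone know the client spoke HTTPS so the catalog/self links
    # it returns use https:// rather than http://.
    http-request set-header X-Forwarded-Proto https

    acl host_keystone       hdr(host) -i keystone.example.com
    acl host_keystone_admin hdr(host) -i keystone-admin.example.com
    # Assumed operator network; the admin API is not reachable from elsewhere.
    acl admin_net src 10.0.0.0/8
    http-request deny if host_keystone_admin !admin_net

    use_backend keystone_public if host_keystone
    use_backend keystone_admin  if host_keystone_admin
    # Unknown Host headers get a 403 instead of falling through to a backend.
    default_backend deny_all

backend keystone_public
    balance roundrobin
    option httpchk GET /v3/
    server keystone1 10.0.1.11:5000 check
    server keystone2 10.0.1.12:5000 check

backend keystone_admin
    balance roundrobin
    option httpchk GET /v3/
    server keystone1 10.0.1.11:35357 check
    server keystone2 10.0.1.12:35357 check

backend deny_all
    http-request deny
```

With this in place a CLI user sets OS_AUTH_URL=https://keystone.example.com/v3 and never touches port 5000 directly. Two things to check when you try it: keystone must be told to trust the X-Forwarded-Proto header from the proxy (otherwise it will still advertise http:// endpoints), and the admin hostname should only resolve, or only be routed, for the networks that genuinely need the admin API.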


More information about the OpenStack-operators mailing list