On Wed, Feb 20, 2019 at 1:43 PM Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk> wrote:
In openstack-ansible we are trying to help a number of our end users with their heat deployments, some of them in conjunction with magnum.
There is some uncertainty with how the following heat.conf sections should be configured:
[clients_keystone]
auth_uri = ...

[keystone_authtoken]
www_authenticate_uri = ...
It does not appear to be possible to define a set of internal or external keystone endpoints in heat.conf which allow the following:
- The orchestration panels being functional in horizon
- Deployers isolating internal openstack from external networks
- Deployers using self-signed/company cert on the external endpoint
- Magnum deployments completing
- Heat delivering an external endpoint at [1]
- Heat delivering an external endpoint at [2]
There are a number of related bugs:
https://bugs.launchpad.net/openstack-ansible/+bug/1814909
https://bugs.launchpad.net/openstack-ansible/+bug/1811086
https://storyboard.openstack.org/#!/story/2004808
https://storyboard.openstack.org/#!/story/2004524
Any help we could get from the heat team to try to understand the root cause of these issues would be really helpful.
I think this is a really critical issue that Jonathan has spent a lot of time on to get to work.
If we can't support this model, maybe we should consider dropping the whole idea of admin/internal/public if we can't commit to testing it properly.
Jon.
[1] https://github.com/openstack/heat/blob/master/heat/engine/resources/server_b...
[2] https://github.com/openstack/heat/blob/master/heat/engine/resources/signal_r...