On Wed, Feb 20, 2019 at 1:43 PM Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk> wrote:
In openstack-ansible we are trying to help a number of our end users with their heat deployments, some of them in conjunction with magnum.
There is some uncertainty with how the following heat.conf sections should be configured:
[clients_keystone]
auth_uri = ...

[keystone_authtoken]
www_authenticate_uri = ...
It does not appear to be possible to define a set of internal or external keystone endpoints in heat.conf which allow the following:
* The orchestration panels being functional in horizon
* Deployers isolating internal openstack from external networks
* Deployers using self signed/company cert on the external endpoint
* Magnum deployments completing
* Heat delivering an external endpoint at [1]
* Heat delivering an external endpoint at [2]
There are a number of related bugs:
https://bugs.launchpad.net/openstack-ansible/+bug/1814909
https://bugs.launchpad.net/openstack-ansible/+bug/1811086
https://storyboard.openstack.org/#!/story/2004808
https://storyboard.openstack.org/#!/story/2004524
Any help we could get from the heat team to try to understand the root cause of these issues would be really helpful.
I think this is a really critical issue that Jonathan has spent a lot of time on to get to work. If we can't support this model, maybe we should consider dropping the whole idea of admin/internal/public if we can't commit to testing it properly.
Jon.
[1] https://github.com/openstack/heat/blob/master/heat/engine/resources/server_b...
[2] https://github.com/openstack/heat/blob/master/heat/engine/resources/signal_r...
--
Mohammed Naser — vexxhost
-----------------------------------------------------
D. 514-316-8872
D. 800-910-1726 ext. 200
E. mnaser@vexxhost.com
W. http://vexxhost.com