On 28/02/2019 16:22, Zane Bitter wrote:
>> There are already examples of similar config options in heat.conf, such as "heat_waitcondition_server_url" - would additional config items such as server_base_auth_url and signal_responder_auth_url be appropriate so that we can be totally explicit about the endpoints handed on to the created VM?
>
> Yes, that's along the lines of what I was thinking too (although I think we'd only need one option, for URLs destined to be called from userspace). We already have an endpoint_type option (that defaults to PublicURL), so maybe we just need to be able to specify internal_auth_uri and public_auth_uri and we can select based on the endpoint type when we're using the clients internally, but always use the public one when gathering data to pass to a VM?
We've got a patch now to add an optional public_auth_uri config https://review.openstack.org/642812/. It would be good to get confirmation from the heat side that we've not missed any other places auth_url should use public_auth_uri. I'd like to keep this moving as the folks this is hurting the most are running OpenStack in labs or proofs-of-concept with self-signed certs - we need to make sure those experiences are good.

Jon.