[openstack-dev] [TripleO][keystone] internal endpoints vs sanity

Attila Fazekas afazekas at redhat.com
Mon Jul 24 08:23:34 UTC 2017


Thanks for your answer.

The real question is: do we agree that the
internalURL usage suggested in [1] is a bad security practice
and should not be told to operators at all?

Also we should try to get rid of the endpointTypes in keystone v4.

Do we have any good reason (not just making funny dev envs happy) to keep
endpoint types?



On Fri, Jul 21, 2017 at 1:37 PM, Giulio Fidente <gfidente at redhat.com> wrote:

> Only a comment about the status in TripleO
>
> On 07/21/2017 12:40 PM, Attila Fazekas wrote:
>
> [...]
>
> > We should seriously consider using names instead of ip address also
> > on the devstack gates to avoid people thinking the catalog entries
> > are meant to be used with ip address and keystone is a replacement for DNS.
>
> this is configurable, you can have names or ips in the keystone
> endpoints ... actually you can choose to use names or ips independently
> for each service and even for the different endpoints
> (Internal/Admin/Public) of the same service
>
> if an operator, like you suggested, configures the DNS to resolve
> different IPs for the same name based on where the request comes from,
> then he can use the same 'hostname' for all Public, Admin and Internal
> endpoints which I *think* is what you're suggesting
>
> also using names is the default when ssl is enabled
>
> check environments/ssl/tls-endpoints-public-dns.yaml and note how
> EndpointMap can resolve to CLOUDNAME or IP_ADDRESS
>
> adding Juan on CC as he did great work around this and can help further
> --
> Giulio Fidente
> GPG KEY: 08D733BA
>
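To make the two points in this exchange concrete (catalog entries carrying IP literals instead of names, and the "same hostname for every interface, split by DNS" layout), here is a small catalog audit. It is an added example, not code from the thread, TripleO or keystone; the service catalog below is constructed in the keystone v3 token format and its hostnames and addresses are made up.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the "catalog" array of a keystone v3 token response.
# Hostnames and addresses are invented for this example.
SAMPLE_CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public",   "url": "https://overcloud.example.test:13000"},
        {"interface": "internal", "url": "https://overcloud.example.test:5000"},
        {"interface": "admin",    "url": "https://overcloud.example.test:35357"},
    ]},
    {"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public",   "url": "https://overcloud.example.test:13774/v2.1"},
        {"interface": "internal", "url": "http://172.16.2.10:8774/v2.1"},
        {"interface": "admin",    "url": "http://172.16.2.10:8774/v2.1"},
    ]},
]


def _host_is_ip(host):
    """True if the URL host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_catalog(catalog):
    """Return (service, interface, problem) findings for a v3 catalog.

    Flags: endpoints addressed by IP literal, endpoints not served over
    TLS, and services whose interfaces do not share one hostname (the
    split-horizon DNS layout discussed above uses a single name).
    """
    findings = []
    for svc in catalog:
        hosts = set()
        for ep in svc["endpoints"]:
            parts = urlsplit(ep["url"])
            host = parts.hostname or ""
            if _host_is_ip(host):
                findings.append((svc["name"], ep["interface"], "ip-literal"))
            if parts.scheme != "https":
                findings.append((svc["name"], ep["interface"], "plaintext"))
            hosts.add(host)
        if len(hosts) > 1:
            findings.append((svc["name"], "*", "hostname-differs-per-interface"))
    return findings
```

Run against SAMPLE_CATALOG the identity service passes, while nova is reported for its IP-addressed, plaintext internal and admin endpoints and for not sharing one hostname across interfaces.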