In openstack-ansible we are trying to help a number of our end users with their heat deployments, some of them in conjunction with magnum.

There is some uncertainty with how the following heat.conf sections should be configured:

    [clients_keystone]
    auth_uri = ...

    [keystone_authtoken]
    www_authenticate_uri = ...

It does not appear to be possible to define a set of internal or external keystone endpoints in heat.conf which allow the following:

* The orchestration panels being functional in horizon
* Deployers isolating internal openstack from external networks
* Deployers using self signed/company cert on the external endpoint
* Magnum deployments completing
* Heat delivering an external endpoint at [1]
* Heat delivering an external endpoint at [2]

There are a number of related bugs:

https://bugs.launchpad.net/openstack-ansible/+bug/1814909
https://bugs.launchpad.net/openstack-ansible/+bug/1811086
https://storyboard.openstack.org/#!/story/2004808
https://storyboard.openstack.org/#!/story/2004524

Any help we could get from the heat team to try to understand the root cause of these issues would be really helpful.

Jon.

[1] https://github.com/openstack/heat/blob/master/heat/engine/resources/server_base.py#L87
[2] https://github.com/openstack/heat/blob/master/heat/engine/resources/signal_responder.py#L106