[heat][keystone] keystone endpoint configuration

Jonathan Rosser jonathan.rosser at rd.bbc.co.uk
Mon Mar 18 16:09:03 UTC 2019

On 28/02/2019 16:22, Zane Bitter wrote:

>> There are already examples of similar config options in heat.conf, 
>> such as "heat_waitcondition_server_url" - would additional config items 
>> such as server_base_auth_url and signal_responder_auth_url be 
>> appropriate so that we can be totally explicit about the endpoints 
>> handed on to created VM?
> Yes, that's along the lines of what I was thinking too (although I think 
> we'd only need one option, for URLs destined to be called from 
> userspace). We already have an endpoint_type option (that defaults to 
> PublicURL), so maybe we just need to be able to specify 
> internal_auth_uri and public_auth_uri and we can select based on the 
> endpoint type when we're using the clients internally, but always use 
> the public one when gathering data to pass to a VM?

We've got a patch now to add an optional public_auth_uri config 

It would be good to get confirmation from the heat side that we've 
not missed any other places auth_url should use public_auth_uri.

I'd like to keep this moving as the folks this is hurting the most are 
running OpenStack in labs or proofs-of-concept with self-signed certs - 
we need to make sure those experiences are good.


