From 01ae01ec26769d15059a45432c8accffc10f0da1 Mon Sep 17 00:00:00 2001
From: Xing Zhang <angeiv.zhang@gmail.com>
Date: Tue, 28 Apr 2020 11:53:44 +0800
Subject: [PATCH] Make sure octavia uses internal endpoint to barbican

The octavia service communicates with the barbican service using
the public endpoint_type by default[1]; it should use the internal
endpoint, like other services.

[1] https://github.com/openstack/octavia/blob/0056b5175f89070164849501ec6d960549b95e34/octavia/common/config.py#L533-L537

Closes-Bug: #1875618
Change-Id: I90d2b0aeac090a3e2366341e260232fc1f0d6492
---
 ansible/roles/octavia/templates/octavia.conf.j2            | 2 ++
 ...-endpoint-for-barbican-in-octavia-0bcdcf91a8adc95c.yaml | 7 +++++++
 2 files changed, 9 insertions(+)
 create mode 100644 releasenotes/notes/use-internal-endpoint-for-barbican-in-octavia-0bcdcf91a8adc95c.yaml

diff --git a/ansible/roles/octavia/templates/octavia.conf.j2 b/ansible/roles/octavia/templates/octavia.conf.j2
index b6bd7b21a8..29227e4d29 100644
--- a/ansible/roles/octavia/templates/octavia.conf.j2
+++ b/ansible/roles/octavia/templates/octavia.conf.j2
@@ -15,6 +15,8 @@ ca_private_key = /etc/octavia/certs/private/cakey.pem
 ca_certificate = /etc/octavia/certs/ca_01.pem
 {% if enable_barbican | bool %}
 region_name = {{ openstack_region_name }}
+endpoint_type = internal
+ca_certificates_file = {{ openstack_cacert }}
 {% endif %}
 
 [haproxy_amphora]
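Review bot: The added `ca_certificates_file = {{ openstack_cacert }}` line is emitted whenever `enable_barbican` is true, so an unset or empty `openstack_cacert` would render a bare `ca_certificates_file =`. How Octavia treats an empty value is not visible from this hunk; either wrap the line as `{% if openstack_cacert %}ca_certificates_file = {{ openstack_cacert }}{% endif %}` or confirm that an empty value falls back to the system trust store instead of weakening or breaking certificate verification on the barbican connection, which is presumably used to fetch certificate and key material. The commit message and release note describe only the `endpoint_type` change, so the new CA option should be mentioned there as well. The section header these options fall under is outside the hunk, so it is worth checking that they land in the section Octavia reads for its barbican client settings.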
diff --git a/releasenotes/notes/use-internal-endpoint-for-barbican-in-octavia-0bcdcf91a8adc95c.yaml b/releasenotes/notes/use-internal-endpoint-for-barbican-in-octavia-0bcdcf91a8adc95c.yaml
new file mode 100644
index 0000000000..3cc26abef1
--- /dev/null
+++ b/releasenotes/notes/use-internal-endpoint-for-barbican-in-octavia-0bcdcf91a8adc95c.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Switch endpoint_type from public to internal for octavia
+    communicating with the barbican service. See
+    `bug 1875618 <https://bugs.launchpad.net/kolla-ansible/+bug/1875618>`__
+    for details.
-- 
GitLab