Use internal API for heat -> heat communication

Heat has a new option (server_keystone_endpoint_type), which can be used to set the keystone endpoint used by instances to make callbacks to heat. This needs to be public, since we can't assume users have access to the internal API. However, the current method of setting [clients_heat] endpoint_type means that communication from heat to its own API (e.g. when a stack is a resource in another stack) uses the public network also, and this might not work if TLS is enabled. This change uses server_keystone_endpoint_type to keep instance traffic on the public API, and removes the [clients_heat] endpoint_type option to use the default in [clients] endpoint_type of internalURL. This feature was added to heat in https://review.opendev.org/#/c/650967. Change-Id: I932ea55a3c2a411557c34361db08bcb3a2b27eaf Closes-Bug: #1812864 Related-Bug: #1762754 Related-Bug: #1688331

Use internal API for heat -> heat communication
d54c8fbd · Mark Goddard · dda18851 · d54c8fbd
Commit d54c8fbd authored 5 years ago by Mark Goddard
--- a/ansible/roles/heat/templates/heat.conf.j2
+++ b/ansible/roles/heat/templates/heat.conf.j2
@@ -22,6 +22,8 @@ transport_url = {{ rpc_transport_url }}

 region_name_for_services = {{ openstack_region_name }}

+server_keystone_endpoint_type = public
+
 {% if service_name == 'heat-api' %}
 [heat_api]
 bind_host = {{ api_interface_address }}
@@ -92,9 +94,6 @@ policy_file = {{ heat_policy_file }}
 [clients]
 endpoint_type = internalURL

-[clients_heat]
-endpoint_type = publicURL
-
 [oslo_middleware]
 enable_proxy_headers_parsing = True