From d54c8fbdccfd8145b65d0fcc50dc8628b37c1a88 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Thu, 15 Aug 2019 16:04:44 +0100
Subject: [PATCH] Use internal API for heat -> heat communication
Heat has a new option (server_keystone_endpoint_type), which can be used to set the keystone endpoint used by instances to make callbacks to heat. This needs to be public, since we can't assume users have access to the internal API. However, the current method of setting [clients_heat] endpoint_type means that communication from heat to its own API (e.g. when a stack is a resource in another stack) uses the public network also, and this might not work if TLS is enabled. This change uses server_keystone_endpoint_type to keep instance traffic on the public API, and removes the [clients_heat] endpoint_type option to use the default in [clients] endpoint_type of internalURL. This feature was added to heat in https://review.opendev.org/#/c/650967.
Change-Id: I932ea55a3c2a411557c34361db08bcb3a2b27eaf
Closes-Bug: #1812864
Related-Bug: #1762754
Related-Bug: #1688331
---
 ansible/roles/heat/templates/heat.conf.j2 | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/ansible/roles/heat/templates/heat.conf.j2 b/ansible/roles/heat/templates/heat.conf.j2
index 9431c4de0..d902e522c 100644
--- a/ansible/roles/heat/templates/heat.conf.j2
+++ b/ansible/roles/heat/templates/heat.conf.j2
@@ -22,6 +22,8 @@ transport_url = {{ rpc_transport_url }}
 region_name_for_services = {{ openstack_region_name }}
+server_keystone_endpoint_type = public
+
 {% if service_name == 'heat-api' %}
 [heat_api]
 bind_host = {{ api_interface_address }}
@@ -92,9 +94,6 @@ policy_file = {{ heat_policy_file }}
 [clients]
 endpoint_type = internalURL
-[clients_heat]
-endpoint_type = publicURL
-
 [oslo_middleware]
 enable_proxy_headers_parsing = True
-- 
GitLab
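Review bot: The added `server_keystone_endpoint_type = public` carries no comment, so the template does not say why this one endpoint is public while `[clients] endpoint_type` stays `internalURL`. The reason exists only in the commit message: this is the keystone endpoint used by instances for callbacks to heat, and tenants cannot be assumed to reach the internal API. I would put a full-line comment above it, for example `# Keystone endpoint type used by instances for callbacks to heat; must be tenant-reachable, so public (this option takes "public", not "publicURL").` The note on spelling matters because the other endpoint options in this file use the `internalURL`/`publicURL` form, and a later cleanup could "normalize" this value into one heat may not accept. The section header for this key is outside the hunk, so I am assuming it sits in `[DEFAULT]` next to `transport_url`; that is worth confirming, since a key placed under the wrong section is likely to be ignored without any error.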