Enforce internal api for token verification

This change enforces the usage of internal api for token verification, so that internal requests to keystone uses internal endpoint instead of admin endpoint which is deployed on provisioning network by default. Conflicts: deployment/heat/heat-base-puppet.yaml deployment/nova/nova-api-container-puppet.yaml Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63 Closes-Bug: #1899266 (cherry picked from commit 37548dd)
openstack-archive · Jul 8, 2021 · a10dee7 · a10dee7
1 parent 8e412bd
commit a10dee7
Show file tree

Hide file tree

Showing 22 changed files with 23 additions and 1 deletion.
diff --git a/deployment/aodh/aodh-base.yaml b/deployment/aodh/aodh-base.yaml
@@ -107,6 +107,7 @@ outputs:
         aodh::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
         aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
         aodh::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+        aodh::keystone::authtoken::interface: 'internal'
         aodh::auth::auth_password: {get_param: AodhPassword}
         aodh::auth::auth_region: {get_param: KeystoneRegion}
         aodh::auth::auth_project_name: 'service'

diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -253,6 +253,7 @@ outputs:
             barbican::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             barbican::keystone::authtoken::project_name: 'service'
             barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+            barbican::keystone::authtoken::interface: 'internal'
             barbican::keystone::notification::enable_keystone_notification: True
             barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
             barbican::policy::policies: {get_param: BarbicanPolicies}

diff --git a/deployment/cinder/cinder-api-container-puppet.yaml b/deployment/cinder/cinder-api-container-puppet.yaml
@@ -186,6 +186,7 @@ outputs:
             cinder::keystone::authtoken::user_domain_name: 'Default'
             cinder::keystone::authtoken::project_domain_name: 'Default'
             cinder::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+            cinder::keystone::authtoken::interface: 'internal'
             cinder::policy::policies: {get_param: CinderApiPolicies}
             cinder::notification_driver: {get_param: NotificationDriver}
             cinder::api::default_volume_type: {get_param: CinderDefaultVolumeType}

diff --git a/deployment/deprecated/sahara/sahara-base.yaml b/deployment/deprecated/sahara/sahara-base.yaml
@@ -117,3 +117,4 @@ outputs:
         sahara::keystone::authtoken::user_domain_name: 'Default'
         sahara::keystone::authtoken::project_domain_name: 'Default'
         sahara::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+        sahara::keystone::authtoken::interface: 'internal'
diff --git a/deployment/experimental/designate/designate-api-container-puppet.yaml b/deployment/experimental/designate/designate-api-container-puppet.yaml
@@ -104,6 +104,7 @@ outputs:
             designate::keystone::authtoken::project_name: 'service'
             designate::keystone::authtoken::password: {get_param: DesignatePassword}
             designate::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+            designate::keystone::authtoken::interface: 'internal'
             tripleo::profile::base::designate::api::listen_ip:
               str_replace:
                 template:

diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml
@@ -422,6 +422,7 @@ outputs:
             glance::api::authtoken::region_name: {get_param: KeystoneRegion}
             glance::api::authtoken::user_domain_name: 'Default'
             glance::api::authtoken::project_domain_name: 'Default'
+            glance::api::authtoken::interface: 'internal'
             glance::api::pipeline:
               if:
               - glance_cache_enabled

diff --git a/deployment/gnocchi/gnocchi-api-container-puppet.yaml b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
@@ -205,6 +205,7 @@ outputs:
             gnocchi::keystone::authtoken::user_domain_name: 'Default'
             gnocchi::keystone::authtoken::project_domain_name: 'Default'
             gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+            gnocchi::keystone::authtoken::interface: 'internal'
             gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
             gnocchi::wsgi::apache::servername:
               str_replace:

diff --git a/deployment/heat/heat-base-puppet.yaml b/deployment/heat/heat-base-puppet.yaml
@@ -178,6 +178,7 @@ outputs:
             heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
             heat::keystone::authtoken::password: {get_param: HeatPassword}
             heat::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+            heat::keystone::authtoken::interface: 'internal'
             heat::keystone::domain::domain_name: 'heat_stack'
             heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
             heat::keystone::domain::domain_admin_email: 'heat_stack_domain_admin@localhost'

diff --git a/deployment/ironic/ironic-api-container-puppet.yaml b/deployment/ironic/ironic-api-container-puppet.yaml
@@ -143,6 +143,7 @@ outputs:
             ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
             ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             ironic::api::authtoken::region_name: {get_param: KeystoneRegion }
+            ironic::api::authtoken::interface: 'internal'
             # NOTE: bind IP is found in hiera replacing the network name with the
             # local node IP for the given network; replacement examples
             # (eg. for internal_api):

diff --git a/deployment/ironic/ironic-inspector-container-puppet.yaml b/deployment/ironic/ironic-inspector-container-puppet.yaml
@@ -274,6 +274,7 @@ outputs:
             ironic::inspector::authtoken::user_domain_name: 'Default'
             ironic::inspector::authtoken::project_domain_name: 'Default'
             ironic::inspector::authtoken::region_name: {get_param: KeystoneRegion}
+            ironic::inspector::authtoken::interface: 'internal'
             ironic::inspector::cors::allowed_origin: '*'
             ironic::inspector::cors::max_age: 3600
             ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'

diff --git a/deployment/manila/manila-api-container-puppet.yaml b/deployment/manila/manila-api-container-puppet.yaml
@@ -138,6 +138,7 @@ outputs:
             manila::keystone::authtoken::user_domain_name: 'Default'
             manila::keystone::authtoken::project_domain_name: 'Default'
             manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+            manila::keystone::authtoken::interface: 'internal'
             # NOTE: bind IP is found in hiera replacing the network name with the
             # local node IP for the given network; replacement examples
             # (eg. for internal_api):

diff --git a/deployment/manila/manila-share-container-puppet.yaml b/deployment/manila/manila-share-container-puppet.yaml
@@ -99,6 +99,7 @@ outputs:
             manila::keystone::authtoken::user_domain_name: 'Default'
             manila::keystone::authtoken::project_domain_name: 'Default'
             manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+            manila::keystone::authtoken::interface: 'internal'
             # compute
             manila::compute::nova::username: 'manila'
             manila::compute::nova::password: {get_param: ManilaPassword}

diff --git a/deployment/mistral/mistral-base.yaml b/deployment/mistral/mistral-base.yaml
@@ -107,6 +107,7 @@ outputs:
         mistral::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
         mistral::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
         mistral::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+        mistral::keystone::authtoken::interface: 'internal'
         mistral::keystone_ec2_uri:
           list_join:
           - ''

diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml
@@ -308,6 +308,7 @@ outputs:
             neutron::keystone::authtoken::user_domain_name: 'Default'
             neutron::keystone::authtoken::project_domain_name: 'Default'
             neutron::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+            neutron::keystone::authtoken::interface: 'internal'
             neutron::quota::quota_port: {get_param: NeutronPortQuota}
             neutron::quota::quota_security_group: {get_param: NeutronSecurityGroupQuota}
             neutron::server::sync_db: true

diff --git a/deployment/nova/nova-api-container-puppet.yaml b/deployment/nova/nova-api-container-puppet.yaml
@@ -225,6 +225,7 @@ outputs:
             nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
             nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+            nova::keystone::authtoken::interface: 'internal'
             nova::api::max_limit: {get_param: NovaApiMaxLimit}
             nova::api::enabled: true
             nova::api::default_floating_pool: {get_param: NovaDefaultFloatingPool}

diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml
@@ -836,6 +836,7 @@ outputs:
             nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
             nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+            nova::keystone::authtoken::interface: 'internal'
             nova::cinder::username: 'cinder'
             nova::cinder::auth_type: 'v3password'
             nova::cinder::project_name: 'service'

diff --git a/deployment/nova/nova-metadata-container-puppet.yaml b/deployment/nova/nova-metadata-container-puppet.yaml
@@ -163,6 +163,7 @@ outputs:
             nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
             nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
             nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+            nova::keystone::authtoken::interface: 'internal'
             nova::wsgi::apache_metadata::api_port: '8775'
             nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
             nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}

diff --git a/deployment/nova/novajoin-container-puppet.yaml b/deployment/nova/novajoin-container-puppet.yaml
@@ -134,6 +134,7 @@ outputs:
         nova::metadata::novajoin::authtoken::password: {get_param: NovajoinPassword}
         nova::metadata::novajoin::authtoken::project_name: 'service'
         nova::metadata::novajoin::authtoken::region_name: {get_param: KeystoneRegion}
+        nova::metadata::novajoin::authtoken::interface: 'internal'
         nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
       service_config_settings:
         nova_metadata: &nova_vendordata

diff --git a/deployment/octavia/octavia-api-container-puppet.yaml b/deployment/octavia/octavia-api-container-puppet.yaml
@@ -165,13 +165,14 @@ outputs:
           - {get_attr: [OctaviaWorker, role_data, config_settings]}
           - {get_attr: [OctaviaProviderConfig, role_data, config_settings]}
           - octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
-            octavia::policy::policies: {get_param: OctaviaApiPolicies}
             octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
             octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
             octavia::keystone::authtoken::user_domain_name: 'Default'
             octavia::keystone::authtoken::project_domain_name: 'Default'
             octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+            octavia::keystone::authtoken::interface: 'internal'
+            octavia::policy::policies: {get_param: OctaviaApiPolicies}
             octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
             octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
             octavia::api::sync_db: true

diff --git a/deployment/placement/placement-api-container-puppet.yaml b/deployment/placement/placement-api-container-puppet.yaml
@@ -141,6 +141,7 @@ outputs:
             placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             placement::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+            placement::keystone::authtoken::interface: 'internal'
             placement::wsgi::apache::api_port: '8778'
             placement::wsgi::apache::ssl: {get_param: EnableInternalTLS}
             # NOTE: bind IP is found in hiera replacing the network name with the local node IP

diff --git a/deployment/swift/swift-proxy-container-puppet.yaml b/deployment/swift/swift-proxy-container-puppet.yaml
@@ -168,6 +168,7 @@ outputs:
             swift::proxy::authtoken::password: {get_param: SwiftPassword}
             swift::proxy::authtoken::project_name: 'service'
             swift::proxy::authtoken::region_name: {get_param: KeystoneRegion}
+            swift::proxy::authtoken::interface: 'internal'
             swift::proxy::s3token::www_authenticate_uri: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
             swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
           -

diff --git a/deployment/zaqar/zaqar-container-puppet.yaml b/deployment/zaqar/zaqar-container-puppet.yaml
@@ -159,6 +159,7 @@ outputs:
             zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             zaqar::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
             zaqar::keystone::authtoken::region_name: {get_param: KeystoneRegion}
+            zaqar::keystone::authtoken::interface: 'internal'
             zaqar::keystone::trust::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             zaqar::logging::debug:
               if: