cinder.conf: add [nova] section, override interface defaults

To the best of my knowledge, the [nova] section in cinder.conf
is only ever used if the Cinder scheduler is acting as a Nova client
when the operator has enabled the InstanceLocalityFilter.

Per https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/cinder.conf.html,
Cinder defaults to using the public Nova endpoint when using the
Nova API. This is contrary to OSA precedent, where services
normally use internal endpoints for service-to-service API requests.

When enabling the InstanceLocalityFilter in combination with Cinder
talking to the public Nova endpoint, this can create a very confusing
situation, particularly in pre-production clusters: if the public
endpoint has a self-signed SSL certificate, and Cinder is not
explicitly configured not to verify certificates, then this creates
a whole load of connection errors.

Thus, in order to follow POLA, configure the [nova] section to use
the internal endpoint, and (in case the internal endpoint does
use HTTPS) honor the keystone_service_internaluri_insecure setting,
as for other services.

Change-Id: Ie31a7e2917a188027db49ac51e6a77ee39a9abf0
Florian Haas 2019-02-15 15:42:14 +01:00
parent ada7167002
commit 8c436038e3
1 changed files with 4 additions and 0 deletions

@ -150,3 +150,7 @@ token_cache_time = 300
# if your memcached server is shared, use these settings to avoid cache poisoning
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcached_encryption_key }}
[nova]
interface = internal
insecure = {{ keystone_service_internaluri_insecure | bool }}
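
Review bot: The new `[nova]` header follows `memcache_secret_key` with no blank line and no comment, so the memcached comment above is the last explanation a reader sees before two settings that affect TLS. Please separate the section and add a short comment in the template saying that it is only consulted when the scheduler acts as a Nova client (InstanceLocalityFilter), as the commit message explains. On `insecure = {{ keystone_service_internaluri_insecure | bool }}`: when that variable is true, Cinder stops verifying the Nova endpoint's certificate entirely, so the comment should say so. Deployments whose internal endpoint uses a private CA are better served by trusting that CA than by setting the variable to true.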