From c6764f557fb37fff17d6c4dd51d4440b3b26bad2 Mon Sep 17 00:00:00 2001
From: Pierre Riteau
Date: Mon, 10 Dec 2018 10:18:57 +0000
Subject: [PATCH] Use public FQDN for OS_AUTH_URL in public-openrc.sh

If a public FQDN is defined, use it instead of the virtual IP address. When using TLS, certificates are generally tied to a hostname rather than to an IP address.

Change-Id: I0afef32a0f4030bba613febdf266e2ccd863512d
---
 ansible/public-openrc.yml | 4 ++--
 .../notes/use-public-fqdn-in-openrc-f7990958ceec817d.yaml | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/use-public-fqdn-in-openrc-f7990958ceec817d.yaml
diff --git a/ansible/public-openrc.yml b/ansible/public-openrc.yml
index 49f60e739..4367773a0 100644
--- a/ansible/public-openrc.yml
+++ b/ansible/public-openrc.yml
@@ -8,9 +8,9 @@
 - public-openrc
 vars:
 public_api_proto: "{% if kolla_enable_tls_external | bool %}https{% else %}http{% endif %}"
- public_api_vip_address: "{{ public_net_name | net_vip_address }}"
+ public_api_host: "{{ public_net_name | net_fqdn or public_net_name | net_vip_address }}"
 public_api_keystone_port: 5000
 roles:
 - role: public-openrc
 public_openrc_kolla_config_path: "{{ kolla_config_path }}"
- public_openrc_auth_url: "{{ public_api_proto }}://{{ public_api_vip_address }}:{{ public_api_keystone_port }}"
+ public_openrc_auth_url: "{{ public_api_proto }}://{{ public_api_host }}:{{ public_api_keystone_port }}"
diff --git a/releasenotes/notes/use-public-fqdn-in-openrc-f7990958ceec817d.yaml b/releasenotes/notes/use-public-fqdn-in-openrc-f7990958ceec817d.yaml
new file mode 100644
index 000000000..999122468
--- /dev/null
+++ b/releasenotes/notes/use-public-fqdn-in-openrc-f7990958ceec817d.yaml
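Review bot: In ansible/public-openrc.yml the new `public_api_host` falls back to the VIP without any signal when `net_fqdn` yields nothing, so with `kolla_enable_tls_external` enabled the generated OS_AUTH_URL can still be `https://<VIP>:5000`, which clients will only verify if the certificate also lists that address as an IP subjectAltName. A comment above the variable would make the contract visible, e.g. `# Prefer the FQDN so OS_AUTH_URL matches the external TLS certificate; the VIP is used only when no FQDN is set.` The expression also relies on Jinja2 binding filters tighter than `or`; writing it as `{{ (public_net_name | net_fqdn) or (public_net_name | net_vip_address) }}` makes that explicit. The play starts before this hunk, so whether the TLS-without-FQDN case is checked elsewhere is not visible here.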
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ The ``public-openrc.sh`` file generated by Kayobe now uses the public
+ network FQDN for populating the OS_AUTH_URL variable instead of using the
+ public virtual IP address. If the FQDN variable is not set, the virtual IP
+ address remains used. This ensures better compatibility with TLS-enabled
+ deployments where certificates are generally tied to a hostname.