Use internal API for heat -> heat communication

Heat has a new option (server_keystone_endpoint_type), which can be used
to set the keystone endpoint used by instances to make callbacks to
heat. This needs to be public, since we can't assume users have access
to the internal API. However, the current method of setting
[clients_heat] endpoint_type means that communication from heat to its
own API (e.g. when a stack is a resource in another stack) uses the
public network also, and this might not work if TLS is enabled.

This change uses server_keystone_endpoint_type to keep instance traffic
on the public API, and removes the [clients_heat] endpoint_type option
to use the default in [clients] endpoint_type of internalURL.

This feature was added to heat in https://review.opendev.org/#/c/650967.

Change-Id: I932ea55a3c2a411557c34361db08bcb3a2b27eaf
Closes-Bug: #1812864
Related-Bug: #1762754
Related-Bug: #1688331
This commit is contained in:
Mark Goddard 2019-08-15 16:04:44 +01:00
parent dda1885151
commit d54c8fbdcc
1 changed files with 2 additions and 3 deletions

@ -22,6 +22,8 @@ transport_url = {{ rpc_transport_url }}
region_name_for_services = {{ openstack_region_name }}
server_keystone_endpoint_type = public
{% if service_name == 'heat-api' %}
[heat_api]
bind_host = {{ api_interface_address }}
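
Review bot: The line `server_keystone_endpoint_type = public` is hard-coded in the template with no comment saying why it differs from the internal default, so a later cleanup could easily "align" it with `[clients] endpoint_type` and break instance callbacks. Please add a short template comment above it stating that this is the keystone endpoint handed to instances, which cannot be assumed to reach the internal API. The value is also written as `public` while the other option in this file uses the `internalURL` form, so it is worth confirming that heat accepts this spelling for this option.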
@ -92,9 +94,6 @@ policy_file = {{ heat_policy_file }}
[clients]
endpoint_type = internalURL
[clients_heat]
endpoint_type = publicURL
[oslo_middleware]
enable_proxy_headers_parsing = True
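
Review bot: Removing the `[clients_heat]` section makes heat-to-heat calls depend implicitly on `[clients] endpoint_type = internalURL`, and the change touches only this one file, so there is no release note for it. That is an operator-visible change in which network and which TLS configuration nested-stack traffic uses, and deployments that previously relied on `endpoint_type = publicURL` here will change behaviour on upgrade. Please add a release note describing the new default and how to restore the old value through a config override.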