
The [keystone_authtoken] www_authenticate_uri option should point to the public URL #217

Closed
kajinamit opened this issue Jan 10, 2023 · 8 comments · Fixed by #535

Comments

@kajinamit
Contributor

kajinamit commented Jan 10, 2023

Currently the [keystone_authtoken] www_authenticate_uri option points to the internal URL, but this should point to the public URL, because the URL is returned to clients when the auth request fails.

We probably have to add separate options for public/internal endpoint and use different endpoints accordingly.

@gibizer
Contributor

gibizer commented Jan 10, 2023

I believe nova-api is using the public keystone URL for everything:

$ oc get -o yaml NovaAPI/nova-api | grep keystoneAuthURL
  keystoneAuthURL: http://keystone-public-openstack.apps-crc.testing

I think the template parameter name is misleading here:

www_authenticate_uri = {{ .keystone_internal_url }}

But the actual value is coming from here:

keystoneAPI, err := keystonev1.GetKeystoneAPI(ctx, h, instance.Namespace, map[string]string{})
if err != nil {
	return "", err
}
authURL, err := keystoneAPI.GetEndpoint(endpoint.EndpointPublic)

So my question is: Is it OK to use the public endpoint for everything?

  • If yes, then I will rename the template parameter
  • If no, then I need to have a list of config params names where we need the public and another list of config param names where we need the internal keystone auth url. Then I will introduce a separate field on NovaAPI CR and also in the template.

@SeanMooney
Contributor

My intention is for nova to use the internal endpoints of all services it calls, but our external links in the API response should really be to the endpoint you invoked.

So if you call the internal endpoint it should be internal, and external external.

@gibizer
Contributor

gibizer commented Jan 10, 2023

My intention is for nova to use the internal endpoints of all services it calls, but our external links in the API response should really be to the endpoint you invoked.

So if you call the internal endpoint it should be internal, and external external.

  1. So I guess to force nova to call the internal endpoint of keystone when calling to other services we need to set the auth_url to the internal endpoint in each [<service>] section. So that means I will introduce a new field to the NovaAPI CR for the internal keystone endpoint.

  2. So if you call the internal endpoint it should be internal, and external external.

Do you know how to configure nova to get this behavior?

@SeanMooney
Contributor

I don't think we should have to change the CR. We should just take one keystone URL and that should be the internal one, although we can always use endpoint to look up the internal one too programmatically, regardless of what is passed by the user in the CR.

For 2, no, I thought we looked at the URL used to make the query to determine how we render the ref URLs in the response.

@kajinamit
Contributor Author

I believe nova-api is using the public keystone URL for everything:

$ oc get -o yaml NovaAPI/nova-api | grep keystoneAuthURL
  keystoneAuthURL: http://keystone-public-openstack.apps-crc.testing

Sorry, I was confused by that naming (keystone_internal_url) and you are totally correct. Probably we'd want to rename the parameter name to avoid misleading, as you said...

Just FYI. If we want nova to use the internal endpoint for keystone API calls, what we'd need are

  • Use internal endpoint for [keystone_authtoken] auth_url
  • Set [keystone_authtoken] interface = internal

However, even in that case [keystone_authtoken] www_authenticate_uri should point to the public endpoint because it can be exposed to external clients.
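To make the split discussed above checkable, here is an added example (not the nova-operator's code) that parses the [keystone_authtoken] section of a nova.conf-style text and flags a www_authenticate_uri that is unset or that reuses the internal auth_url host instead of the public keystone endpoint. The internal hostname used in the test is constructed; the public one is the one quoted earlier in this issue.

```go
package main

import (
	"bufio"
	"net/url"
	"strings"
)

// ParseAuthtoken returns the key/value pairs set in the [keystone_authtoken]
// section of nova.conf-style text; comments and other sections are skipped.
func ParseAuthtoken(conf string) map[string]string {
	kv := map[string]string{}
	in := false
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' {
			continue
		}
		if line[0] == '[' {
			in = line == "[keystone_authtoken]"
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok && in {
			kv[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return kv
}

// CheckAuthtoken flags the misconfigurations discussed in this issue, given the
// public keystone endpoint external clients reach: www_authenticate_uri unset
// (the middleware then advertises its own default), www_authenticate_uri
// sharing the internal auth_url host, or not matching the public endpoint.
func CheckAuthtoken(kv map[string]string, publicURL string) []string {
	var problems []string
	www, err := url.Parse(kv["www_authenticate_uri"])
	if err != nil || www.Host == "" {
		return []string{"www_authenticate_uri is unset or not an absolute URL"}
	}
	if auth, err := url.Parse(kv["auth_url"]); err == nil && auth.Host == www.Host {
		problems = append(problems, "www_authenticate_uri reuses the internal auth_url host")
	}
	if pub, err := url.Parse(publicURL); err == nil && pub.Host != www.Host {
		problems = append(problems, "www_authenticate_uri does not match the public keystone endpoint")
	}
	return problems
}
```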

@gibizer
Contributor

gibizer commented Jan 10, 2023

i dont think we should have to change the CR we should just take one keystone URL and that should be the internal one

OK I can make that change without CR change. I will pass only the internal URL to NovaAPI.
But it also means I either don't set [keystone_authtoken] www_authenticate_uri or set it to the internal URL too. The latter is not good according to @kajinamit. Would it be OK not to configure www_authenticate_uri at all?

@kajinamit
Contributor Author

AFAIK we have to configure www_authenticate_uri, otherwise the middleware returns the wrong URL (likely http://127.0.0.1:35357).

@gibizer
Contributor

gibizer commented Sep 18, 2023

# Complete "public" Identity API endpoint. This endpoint should not be an
# "admin" endpoint, as it should be accessible by all end users.
# Unauthenticated clients are redirected to this endpoint to authenticate.
# Although this endpoint should ideally be unversioned, client support in the
# wild varies. If you're using a versioned v2 endpoint here, then this should
# *not* be the same endpoint the service user utilizes for validating tokens,
# because normal end users may not be able to reach that endpoint. (string
# value)
# Deprecated group/name - [keystone_authtoken]/auth_uri
#www_authenticate_uri = <None>

Based on the config doc we have to pass the public URL, so I will propose a patch to fix this.

gibizer added a commit to gibizer/nova-operator that referenced this issue Sep 18, 2023
According to the keystone middleware doc we have to set
www_authenticate_uri to the public keystone endpoint as an
unauthenticated user is redirected to this URL.

Our service uses the internal endpoint for auth and so far it used the
internal endpoint for www_authenticate_uri as well. But this will not
work for external users.

A new field is added to the NovaAPI CR to allow configuring not just the
internal endpoint but also the public endpoint.

Closes: openstack-k8s-operators#217
gibizer added a commit to gibizer/nova-operator that referenced this issue Sep 22, 2023
According to the keystone middleware doc we have to set
www_authenticate_uri to the public keystone endpoint as an
unauthenticated user is redirected to this URL.

Our service uses the internal endpoint for auth and so far it used the
internal endpoint for www_authenticate_uri as well. But this will not
work for external users.

A new field is added to the NovaAPI CR to allow configuring not just the
internal endpoint but also the public endpoint.

Closes: openstack-k8s-operators#217
openshift-merge-robot pushed a commit that referenced this issue Oct 2, 2023
According to the keystone middleware doc we have to set
www_authenticate_uri to the public keystone endpoint as an
unauthenticated user is redirected to this URL.

Our service uses the internal endpoint for auth and so far it used the
internal endpoint for www_authenticate_uri as well. But this will not
work for external users.

A new field is added to the NovaAPI CR to allow configuring not just the
internal endpoint but also the public endpoint.

Closes: #217