os_magnum role uses internal VIP inside instances

I see this in the template:

[barbican_client]
endpoint_type = internalURL

[cinder_client]
region_name = {{ cinder_service_region }}
endpoint_type = internalURL

[glance_client]
endpoint_type = internalURL

[heat_client]
endpoint_type = internalURL

[keystone_authtoken]
auth_uri = {{ keystone_service_internalurl }}
auth_version = v3
insecure = {{ keystone_service_internaluri_insecure | bool }}
memcached_servers = {{ memcached_servers }}
identity_uri = {{ keystone_service_internaluri }}
auth_type = {{ magnum_keystone_auth_plugin }}
auth_url = {{ keystone_service_internaluri }}

[magnum_client]
endpoint_type = internalURL

[neutron_client]
endpoint_type = internalURL

[nova_client]
endpoint_type = internalURL

Is this the problem we're talking about?
This could probably be overriden by having something defined in magnum_config_overrides.

But I'd be happy to see if this should be done for everyone by default.

After looking at this more I think the problem is probably upstream in the Magnum project. It's what is setting the heat-params and kube_openstack_config files. The magnum.conf template OSA lays down should be fine using the internalVIP since the magnum container will have access to br-mgmt.

Sorry for my confusion. I got this working with the following openstack-ansible overrides. It seems Magnum does use the variables in magnum.conf to create the heat-params and kube_openstack_config files.

magnum_config_overrides:
  keystone_authtoken:
    auth_uri = {{ keystone_service_publicurl }}
    identity_uri = {{ keystone_service_publicuri }}
    auth_url = {{ keystone_service_publicuri }}
  magnum_client:
    endpoint_type = publicURL

I think most deployments will need these set to public so they should probably be setup as defaults for OSA/Magnum.

Hi, I think there should be no dependencies between "how magnum connects to the API ?" which is the parameters specified in magnum.conf and "how instances can reach the API".

It really depends on the customer deployment and as Jean-Philippe Evrard mentionned for Openstack Ansible, a majority of services use internalURL on a management network to reach the API. But Public URL for API might be on a different external network, and this network should be use for instances to connect to the API

So the parameters should not be linked together, there sould be another options to specify how instance connect to the API, independent from Magnum service itself

Hi Kevin,

I agree. How the magnum service connects to OpenStack API services should be separated from how instances need to connect to the API. A way for the heat-params and kube_openstack_config files to be built with instance connection in mind (public) while also allowing magnum services to be internal would solve for this.

Currently, from what I've seen the only way to solve for this is to use the openstack-ansible overrides I included, however, then the magnum service (magnum.conf) is also using those public endpoints, when I would rather them be internal.

We can add configuration option in magnum.conf in the trust section.

Fix proposed to branch: master
Review: https://review.openstack.org/455353

Fix proposed to branch: master
Review: https://review.openstack.org/455356

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/463601

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/463602

Reviewed: https://review.openstack.org/455353
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=4c241a683fdc0b2af2d02bfc74e060de4861d0d1
Submitter: Jenkins
Branch: master

commit 4c241a683fdc0b2af2d02bfc74e060de4861d0d1
Author: Kevin Lefevre <email address hidden>
Date: Mon Apr 10 16:36:21 2017 +0200

    Enable custom keystone endpoint_type in templates

    Allow to specify a custom AUTH_URL for the templates in case instances
    cannot reach internalURL which is the case in mose deployment.

    A new variable in trust section: trustee_keystone_interface which
    default to public is introduced.

    Change-Id: I2a908c0752387e4ff4ad2b0fdf0c1025a73ce806
    Closes-Bug: #1643197

Reviewed: https://review.openstack.org/455356
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_magnum/commit/?id=4b6f0444d64becedd990c67f82f961086be36390
Submitter: Jenkins
Branch: master

commit 4b6f0444d64becedd990c67f82f961086be36390
Author: ArchiFleKs <email address hidden>
Date: Mon Apr 10 17:10:39 2017 +0200

    Enable custom keystone endpoint_type in templates

    Allow to specify a custom AUTH_URL for the templates in case instances
    cannot reach internalURL which is the case in mose deployment.

    A new variable in trust section: trustee_keystone_interface which
    default to public for OSA.

    Also set magnum_client URL which is passed to instances to publicURL
    also, this is similar to what is done with heat which default to
    publicURL.

    Related to this change: https://review.openstack.org/#/c/455353/

    Change-Id: I51bf7615ca91f90b7d998e66327ed1bb662783b6
    Partial-Bug: #1643197

Reviewed: https://review.openstack.org/463602
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_magnum/commit/?id=9aea803aad6830fe9ac8b3ce295a5aed48bae542
Submitter: Jenkins
Branch: stable/ocata

commit 9aea803aad6830fe9ac8b3ce295a5aed48bae542
Author: ArchiFleKs <email address hidden>
Date: Mon Apr 10 17:10:39 2017 +0200

    Enable custom keystone endpoint_type in templates

    Allow to specify a custom AUTH_URL for the templates in case instances
    cannot reach internalURL which is the case in mose deployment.

    A new variable in trust section: trustee_keystone_interface which
    default to public for OSA.

    Also set magnum_client URL which is passed to instances to publicURL
    also, this is similar to what is done with heat which default to
    publicURL.

    Related to this change: https://review.openstack.org/#/c/455353/

    Change-Id: I51bf7615ca91f90b7d998e66327ed1bb662783b6
    Partial-Bug: #1643197
    (cherry picked from commit 4b6f0444d64becedd990c67f82f961086be36390)

Reviewed: https://review.openstack.org/467503
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=8e0dd3d8e03128b22f0ed1d487759363bf8680dd
Submitter: Jenkins
Branch: master

commit 8e0dd3d8e03128b22f0ed1d487759363bf8680dd
Author: ArchiFleKs <email address hidden>
Date: Wed May 24 09:20:06 2017 +0200

    reno: add custom keystone endpoint_type in configuration

    Implemented in:
    https://review.openstack.org/#/c/455353/
    Related-Bug: #1643197

    Change-Id: I7b08d78c8ba547f9fb75d48f68c6552582d528b9

Reviewed: https://review.openstack.org/463601
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=12a3cc01ca556ce77a4556fc4d691061f509feba
Submitter: Jenkins
Branch: stable/ocata

commit 12a3cc01ca556ce77a4556fc4d691061f509feba
Author: Kevin Lefevre <email address hidden>
Date: Mon Apr 10 16:36:21 2017 +0200

    Enable custom keystone endpoint_type in templates

    Allow to specify a custom AUTH_URL for the templates in case instances
    cannot reach internalURL which is the case in mose deployment.

    A new variable in trust section: trustee_keystone_interface which
    default to public is introduced.

    Change-Id: I2a908c0752387e4ff4ad2b0fdf0c1025a73ce806
    Closes-Bug: #1643197

This issue was fixed in the openstack/magnum 4.1.2 release.

This issue was fixed in the openstack/magnum 5.0.0 release.