From b693746cb0bbe2ea382cb6fbd620f83045ed3295 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= <radoslaw.piliszek@gmail.com>
Date: Sun, 18 Aug 2019 12:22:20 +0200
Subject: [PATCH] Fix Zun connectivity to itself and Cinder
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Zun was misconfigured and defaulted to using public endpoints
which are likely inaccessible from the internal network.
This patch fixes that and removes unused and deprecated
options. Validity of options confirmed from Queens to Train
against respective docs.

Change-Id: I25cc8792351c43eb9ff45465e49fa72ceccd6cb5
Closes-bug: #1840572
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
---
 ansible/roles/zun/templates/zun.conf.j2 | 52 +++++++++++--------------
 1 file changed, 22 insertions(+), 30 deletions(-)

diff --git a/ansible/roles/zun/templates/zun.conf.j2 b/ansible/roles/zun/templates/zun.conf.j2
index fc0dc60a1d..a951cbc5e8 100644
--- a/ansible/roles/zun/templates/zun.conf.j2
+++ b/ansible/roles/zun/templates/zun.conf.j2
@@ -11,34 +11,24 @@ transport_url = {{ rpc_transport_url }}
 
 state_path = /var/lib/zun
 container_driver = docker.driver.DockerDriver
-db_type = sql
 
 [network]
 driver = kuryr
 
-[oslo_messaging_notifications]
-transport_url = {{ notify_transport_url }}
-driver = messaging
-
 [api]
 host_ip = {{ api_interface_address }}
 port = {{ zun_api_port }}
 workers = {{ openstack_service_workers }}
 
-[compute]
-topic = zun-compute
-
 [database]
 connection = mysql+pymysql://{{ zun_database_user }}:{{ zun_database_password }}@{{ zun_database_address }}/{{ zun_database_name }}
 max_retries = -1
 
-[zun_client]
-version = 1
-service_type = container
-service_name = zun
-
+# NOTE(yoctozepto): despite what the docs say, both keystone_auth and
+# keystone_authtoken sections are used and Zun internals may use either -
+# - best keep them both in sync
 [keystone_auth]
-auth_uri = {{ keystone_internal_url }}
+www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
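Review bot: The new NOTE above `[keystone_auth]` asks maintainers to keep this section and `[keystone_authtoken]` in sync, but the template still maintains them as two hand-copied blocks, so nothing enforces it. The second hunk shows the cost: it has to add `service_token_roles_required` and `region_name` to `[keystone_auth]` because the copies had already drifted. Rendering both sections from one body would turn the comment into a guarantee, for example `{% for section in ['keystone_auth', 'keystone_authtoken'] %}` followed by `[{{ section }}]`, the shared options, and `{% endfor %}`. The same NOTE is repeated verbatim above `[keystone_authtoken]` in the second hunk and would then be needed only once. The `[keystone_auth]` section continues past the end of this hunk.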
@@ -46,11 +36,18 @@ user_domain_id = {{ default_user_domain_id }}
 project_name = service
 username = {{ zun_keystone_user }}
 password = {{ zun_keystone_password }}
+service_token_roles_required = True
+region_name = {{ openstack_region_name }}
 
+{% if enable_memcached | bool %}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+{% endif %}
 
+# NOTE(yoctozepto): despite what the docs say, both keystone_auth and
+# keystone_authtoken sections are used and Zun internals may use either -
+# - best keep them both in sync
 [keystone_authtoken]
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_admin_url }}
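Review bot: With `enable_memcached` false, the new `{% if enable_memcached | bool %}` guard drops all three memcache options, including `memcache_security_strategy = ENCRYPT`, and nothing in the template tells an operator what replaces them. keystonemiddleware then falls back to a per-process in-memory token cache, which is worth stating next to the guard, for example `# Without memcached, keystonemiddleware caches validated tokens per process.` The guard also tests the flag while the loop reads `groups['memcached']`. If the flag is set but that group is empty, the line would presumably render as a bare `memcached_servers =`; a combined condition such as `{% if enable_memcached | bool and groups['memcached'] %}` would avoid that. The same guard is added to `[keystone_authtoken]` in the third hunk, and both sections extend beyond the lines shown here.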
@@ -61,32 +58,27 @@ project_name = service
 username = {{ zun_keystone_user }}
 password = {{ zun_keystone_password }}
 service_token_roles_required = True
+region_name = {{ openstack_region_name }}
 
+{% if enable_memcached | bool %}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+{% endif %}
+
+[zun_client]
+region_name = {{ openstack_region_name }}
+endpoint_type = internalURL
 
 [glance_client]
-auth_uri = {{ keystone_internal_url }}
-auth_url = {{ keystone_admin_url }}
-auth_type = password
-project_domain_id = {{ default_project_domain_id }}
-user_domain_id = {{ default_user_domain_id }}
-project_name = service
-username = {{ zun_keystone_user }}
-password = {{ zun_keystone_password }}
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
 
 [neutron_client]
-auth_uri = {{ keystone_internal_url }}
-auth_url = {{ keystone_admin_url }}
-auth_type = password
-project_domain_id = {{ default_project_domain_id }}
-user_domain_id = {{ default_user_domain_id }}
-project_name = service
-username = {{ zun_keystone_user }}
-password = {{ zun_keystone_password }}
+region_name = {{ openstack_region_name }}
+endpoint_type = internalURL
+
+[cinder_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
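Review bot: The four client sections (`[zun_client]`, `[glance_client]`, `[neutron_client]`, `[cinder_client]`) now carry only `region_name` and `endpoint_type = internalURL`, with no setting for how the internal endpoints' TLS certificates are verified. If those endpoints use TLS with a private CA (not visible from this hunk), each client must find that CA in the system trust store or verification will fail, so consider adding `ca_file = <path to internal CA bundle>` to each section. Because the per-client credentials were removed, these clients presumably authenticate through the shared `[keystone_auth]` section, which makes that section's correctness a dependency of every client. A short comment such as `# Clients authenticate via [keystone_auth]; only endpoint selection is set here.` would record this. The hunk header counts one more line than is shown, so `[cinder_client]` may continue past the last visible line.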