Move services to internal_ip by default and refactor endpoint creation

We're currently defaulting to localhost which makes clouds.yaml/openrc not portable and complicates TLS configuration. Moving to internal_ip makes it possible to just copy clouds.yaml around. Refactored endpoint creation in keystone to use the openstack modules and to avoid copy-pasting authentication information. As a side effect, it becomes possible to update existing endpoints. The use_public_urls variable loses most of its sense now and is replaced by explicitly checking for public_ip. Change-Id: I48b5ab9aa656abbddd619df4bed6be9bf3766da5
2020-08-26 15:27:33 +02:00 · 2020-08-26 15:27:33 +02:00 · 114c21043c
commit 114c21043c
parent 292b16364e
11 changed files with 141 additions and 278 deletions
--- a/bifrost/cli.py
+++ b/bifrost/cli.py
@ -154,7 +154,6 @@ def cmd_install(args):
            install_dib='true',
            network_interface=args.network_interface,
            enable_keystone=args.enable_keystone,
            use_public_urls=args.enable_keystone,
            noauth_mode='false',
            enabled_hardware_types=args.hardware_types,
            cleaning_disk_erase=args.cleaning_disk_erase,
--- a/playbooks/roles/bifrost-cloud-config/defaults/main.yml
+++ b/playbooks/roles/bifrost-cloud-config/defaults/main.yml
@ -1,2 +1,9 @@
 ---
 noauth_mode: true
 network_interface: "virbr0"
 ans_network_interface: "{{ network_interface | replace('-', '_') }}"
 internal_ip: "{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}"
 api_protocol: http
 ironic_api_url: "{{ api_protocol }}://{{ internal_ip }}:6385"
--- a/playbooks/roles/bifrost-cloud-config/tasks/main.yml
+++ b/playbooks/roles/bifrost-cloud-config/tasks/main.yml
@ -65,7 +65,7 @@
 - name: "Provide ironic_url for no-auth mode if there is no override"
  set_fact:
-    ironic_url: "http://localhost:6385/"
+    ironic_url: "{{ ironic_api_url }}"
  when:
    - ironic_url | default("") == ""
    - noauth_mode | bool
--- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
@ -260,8 +260,10 @@ noauth_mode: true
 enable_keystone: false
 # Service URLs used for communication with them.
-ironic_api_url: "http://localhost:6385"
+api_protocol: http
-ironic_inspector_api_url: "http://localhost:5050"
+ironic_api_url: "{{ api_protocol }}://{{ internal_ip }}:6385"
 ironic_inspector_api_url: "{{ api_protocol }}://{{ internal_ip }}:5050"
 keystone_api_url: "{{ api_protocol }}://{{ internal_ip }}:5000/v3"
 # Directory (on the controller) to keep the passwords
 password_dir: "{{ lookup('env', 'HOME') }}/.config/bifrost"
@ -284,7 +286,7 @@ ironic:
  service_catalog:
    username: "ironic"
    password: "{{ service_password }}"
-    auth_url: "http://127.0.0.1:5000/v3"
+    auth_url: "{{ keystone_api_url }}"
    project_name: "service"
  keystone:
    default_username: "{{ default_username }}"
@ -299,7 +301,7 @@ ironic_inspector:
  service_catalog:
    username: "ironic_inspector"
    password: "{{ service_password }}"
-    auth_url: "http://127.0.0.1:5000/v3"
+    auth_url: "{{ keystone_api_url }}"
    project_name: "service"
  keystone:
    default_username: "{{ default_username }}"
@ -318,9 +320,9 @@ keystone:
    username: "{{ admin_username }}"
    password: "{{ admin_password }}"
    project_name: admin
-    admin_url: "http://127.0.0.1:35357/v3/"
+    admin_url: "{{ api_protocol }}://{{ internal_ip }}:35357/v3/"
-    public_url: "http://127.0.0.1:5000/v3/"
+    public_url: "{{ keystone_api_url }}"
-    internal_url: "http://127.0.0.1:5000/v3/"
+    internal_url: "{{ api_protocol }}://127.0.0.1:5000/v3/"
    region_name: "RegionOne"
  message_queue:
    username: keystone
--- a/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup.yml
@ -34,20 +34,25 @@
      ironic.keystone.default_username is undefined or
      ironic.keystone.default_password is undefined
- name: "Ensure service project is present"
+- name: "Configure keystone auth"
-  os_project:
+  set_fact:
-    name: "{{ ironic.service_catalog.project_name }}"
+    keystone_auth:
-    state: present
+      auth_url: "{{ ironic.service_catalog.auth_url | default(keystone_api_url) }}"
    description: "Service Project"
    domain_id: "default"
    enabled: yes
    auth:
      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}/"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: "{{ keystone.bootstrap.project_name | default('admin') }}"
      project_domain_id: "default"
      user_domain_id: "default"
  no_log: true
 - name: "Ensure service project is present"
  openstack.cloud.project:
    name: "{{ ironic.service_catalog.project_name }}"
    state: present
    description: "Service Project"
    domain_id: "default"
    enabled: yes
    auth: "{{ keystone_auth }}"
  environment: "{{ bifrost_venv_env }}"
  no_log: true
@ -58,13 +63,7 @@
    state: present
    domain: "default"
    default_project: "{{ ironic.service_catalog.project_name }}"
-    auth:
+    auth: "{{ keystone_auth }}"
      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: "{{ keystone.bootstrap.project_name | default('admin') }}"
      project_domain_id: "default"
      user_domain_id: "default"
    update_password: always
    wait: yes
  environment: "{{ bifrost_venv_env }}"
@ -75,13 +74,7 @@
    user: "{{ ironic.service_catalog.username }}"
    role: "admin"
    project: "{{ ironic.service_catalog.project_name }}"
-    auth:
+    auth: "{{ keystone_auth }}"
      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: "{{ keystone.bootstrap.project_name | default('admin') }}"
      project_domain_id: "default"
      user_domain_id: "default"
    wait: yes
  environment: "{{ bifrost_venv_env }}"
  no_log: true
@ -92,125 +85,60 @@
    name: "ironic"
    service_type: "baremetal"
    description: OpenStack Baremetal Service
-    auth:
+    auth: "{{ keystone_auth }}"
      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: "{{ keystone.bootstrap.project_name | default('admin') }}"
      project_domain_id: "default"
      user_domain_id: "default"
    wait: yes
  environment: "{{ bifrost_venv_env }}"
  register: baremetal_catalog_service
  no_log: true
 - name: "Check ironic admin endpoint exists"
  command: |
    openstack
    --os-identity-api-version 3
    --os-username "{{ keystone.bootstrap.username }}"
    --os-password "{{ keystone.bootstrap.password }}"
    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
    --os-project-name "{{ keystone.bootstrap.project_name | default('admin') }}"
    endpoint list -f json --noindent --service baremetal --interface admin
    --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
  no_log: true
  register: test_ironic_admin_endpoint
  ignore_errors: true
  environment: "{{ bifrost_venv_env }}"
 - name: "Check ironic public endpoint exists"
  command: |
    openstack
    --os-identity-api-version 3
    --os-username "{{ keystone.bootstrap.username }}"
    --os-password "{{ keystone.bootstrap.password }}"
    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
    --os-project-name "{{ keystone.bootstrap.project_name | default('admin') }}"
    endpoint list -f json --noindent --service baremetal --interface public
    --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
  no_log: true
  register: test_ironic_public_endpoint
  ignore_errors: true
  environment: "{{ bifrost_venv_env }}"
 - name: "Check ironic internal endpoint exists"
  command: |
    openstack
    --os-identity-api-version 3
    --os-username "{{ keystone.bootstrap.username }}"
    --os-password "{{ keystone.bootstrap.password }}"
    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
    --os-project-name "{{ keystone.bootstrap.project_name | default('admin') }}"
    endpoint list -f json --noindent --service baremetal --interface internal
    --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
  no_log: true
  register: test_ironic_internal_endpoint
  ignore_errors: true
  environment: "{{ bifrost_venv_env }}"
 - name: "Create ironic admin endpoint"
-  command: |
+  openstack.cloud.endpoint:
-    openstack
+    state: present
-    --os-identity-api-version 3
+    service: "{{ baremetal_catalog_service.id }}"
-    --os-username "{{ keystone.bootstrap.username }}"
+    endpoint_interface: admin
-    --os-password "{{ keystone.bootstrap.password }}"
+    url: "{{ ironic.keystone.admin_url | default(ironic_api_url) }}"
-    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+    region: "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
-    --os-project-name "{{ keystone.bootstrap.project_name | default('admin') }}"
+    auth: "{{ keystone_auth }}"
    endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
    baremetal admin "{{ ironic.keystone.admin_url | default('http://127.0.0.1:6385/') }}"
  no_log: true
  environment: "{{ bifrost_venv_env }}"
  when: test_ironic_admin_endpoint.rc != 0 or test_ironic_admin_endpoint.stdout == '[]'
 - name: "Setting external Ironic public URL"
  set_fact:
-    ironic_public_url: "{{ ironic.keystone.public_url | default('http://127.0.0.1:6385/') | replace('127.0.0.1', public_ip | default(internal_ip)) }}"
+    ironic_public_url: "{{ api_protocol }}://{{ public_ip }}:6385/"
-  when: use_public_urls | default(false) | bool
+  when: public_ip is defined
 - name: "Create ironic public endpoint"
-  command: |
+  openstack.cloud.endpoint:
-    openstack
+    state: present
-    --os-identity-api-version 3
+    service: "{{ baremetal_catalog_service.id }}"
-    --os-username "{{ keystone.bootstrap.username }}"
+    endpoint_interface: public
-    --os-password "{{ keystone.bootstrap.password }}"
+    url: "{{ ironic.keystone.public_url | default(ironic_public_url) | default(ironic_api_url) }}"
-    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+    region: "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
-    --os-project-name "{{ keystone.bootstrap.project_name | default('admin') }}"
+    auth: "{{ keystone_auth }}"
    endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
    baremetal public "{{ ironic_public_url | default(ironic.keystone.public_url) | default('http://127.0.0.1:6385/') }}"
  no_log: true
  environment: "{{ bifrost_venv_env }}"
  when: test_ironic_public_endpoint.rc != 0 or test_ironic_public_endpoint.stdout == '[]'
 - name: "Setting internal Ironic URL"
  set_fact:
-    ironic_private_url: "{{ ironic.keystone.internal_url | default('http://127.0.0.1:6385/') | replace('127.0.0.1', private_ip) }}"
+    ironic_private_url: "{{ api_protocol }}://{{ private_ip }}:6385/"
  when: private_ip is defined and private_ip | length > 0
 - name: "Create ironic internal endpoint"
-  command: |
+  openstack.cloud.endpoint:
-    openstack
+    state: present
-    --os-identity-api-version 3
+    service: "{{ baremetal_catalog_service.id }}"
-    --os-username "{{ keystone.bootstrap.username }}"
+    endpoint_interface: internal
-    --os-password "{{ keystone.bootstrap.password }}"
+    url: "{{ ironic.keystone.internal_url | default(ironic_private_url) | default(ironic_api_url) }}"
-    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+    region: "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
-    --os-project-name "{{ keystone.bootstrap.project_name | default('admin') }}"
+    auth: "{{ keystone_auth }}"
    endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
    baremetal internal "{{ ironic_private_url | default(ironic.keystone.internal_url) | default('http://127.0.0.1:6385/') }}"
  no_log: true
  environment: "{{ bifrost_venv_env }}"
  when: test_ironic_internal_endpoint.rc != 0 or test_ironic_internal_endpoint.stdout == '[]'
 - name: "Create baremetal_admin role"
  openstack.cloud.identity_role:
    name: "baremetal_admin"
    state: present
-    auth:
+    auth: "{{ keystone_auth }}"
      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: "{{ keystone.bootstrap.project_name | default('admin') }}"
      project_domain_id: "default"
      user_domain_id: "default"
  environment: "{{ bifrost_venv_env }}"
  no_log: true
@ -218,13 +146,7 @@
  openstack.cloud.identity_role:
    name: "baremetal_observer"
    state: present
-    auth:
+    auth: "{{ keystone_auth }}"
      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: "{{ keystone.bootstrap.project_name | default('admin') }}"
      project_domain_id: "default"
      user_domain_id: "default"
  environment: "{{ bifrost_venv_env }}"
  no_log: true
@ -235,13 +157,7 @@
    description: "Baremetal Project"
    domain_id: "default"
    enabled: yes
-    auth:
+    auth: "{{ keystone_auth }}"
      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: "{{ keystone.bootstrap.project_name | default('admin') }}"
      project_domain_id: "default"
      user_domain_id: "default"
  environment: "{{ bifrost_venv_env }}"
  no_log: true
@ -251,13 +167,7 @@
    password: "{{ ironic.keystone.default_password }}"
    default_project: "baremetal"
    domain: "default"
-    auth:
+    auth: "{{ keystone_auth }}"
      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: "{{ keystone.bootstrap.project_name | default('admin') }}"
      project_domain_id: "default"
      user_domain_id: "default"
    wait: yes
  environment: "{{ bifrost_venv_env }}"
  no_log: true
@ -267,13 +177,7 @@
    user: "{{ ironic.keystone.default_username }}"
    role: "baremetal_admin"
    project: "baremetal"
-    auth:
+    auth: "{{ keystone_auth }}"
      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: "{{ keystone.bootstrap.project_name | default('admin') }}"
      project_domain_id: "default"
      user_domain_id: "default"
    wait: yes
  environment: "{{ bifrost_venv_env }}"
  no_log: true
--- a/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup_inspector.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/keystone_setup_inspector.yml
@ -33,6 +33,17 @@
      ironic_inspector.keystone.default_username is undefined or
      ironic_inspector.keystone.default_password is undefined
 - name: "Configure keystone auth"
  set_fact:
    keystone_auth:
      auth_url: "{{ ironic.service_catalog.auth_url | default(keystone_api_url) }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: "admin"
      project_domain_id: "default"
      user_domain_id: "default"
  no_log: true
 - name: "Create service user for ironic-inspector"
  openstack.cloud.identity_user:
    name: "{{ ironic_inspector.service_catalog.username }}"
@ -40,13 +51,7 @@
    state: present
    domain: "default"
    default_project: "{{ ironic_inspector.service_catalog.project_name | default('service') }}"
-    auth:
+    auth: "{{ keystone_auth }}"
      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: "admin"
      project_domain_id: "default"
      user_domain_id: "default"
    wait: yes
  environment: "{{ bifrost_venv_env }}"
  no_log: true
@ -56,13 +61,7 @@
    user: "{{ ironic_inspector.service_catalog.username }}"
    role: admin
    project: "{{ ironic_inspector.service_catalog.project_name | default('service') }}"
-    auth:
+    auth: "{{ keystone_auth }}"
      auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: "admin"
      project_domain_id: "default"
      user_domain_id: "default"
    wait: yes
  environment: "{{ bifrost_venv_env }}"
  no_log: true
@ -73,114 +72,54 @@
    name: ironic-inspector
    service_type: baremetal-introspection
    description: OpenStack Baremetal Introspection Service
-    auth:
+    auth: "{{ keystone_auth }}"
      auth_url: "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: "admin"
      project_domain_id: "default"
      user_domain_id: "default"
    wait: yes
  environment: "{{ bifrost_venv_env }}"
  register: introspection_catalog_service
  no_log: true
 - name: "Check ironic-inspector admin endpoint exists"
  command: |
    openstack
    --os-identity-api-version 3
    --os-username "{{ keystone.bootstrap.username }}"
    --os-password "{{ keystone.bootstrap.password }}"
    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
    --os-project-name admin
    endpoint list -f json --noindent --service baremetal-introspection --interface admin
    --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
  no_log: true
  register: test_ironic_inspector_admin_endpoint
  environment: "{{ bifrost_venv_env }}"
 - name: "Check ironic-inspector public endpoint exists"
  command: |
    openstack
    --os-identity-api-version 3
    --os-username "{{ keystone.bootstrap.username }}"
    --os-password "{{ keystone.bootstrap.password }}"
    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
    --os-project-name admin
    endpoint list -f json --noindent --service baremetal-introspection --interface public
    --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
  no_log: true
  register: test_ironic_inspector_public_endpoint
  environment: "{{ bifrost_venv_env }}"
 - name: "Check ironic-inspector internal endpoint exists"
  command: |
    openstack
    --os-identity-api-version 3
    --os-username "{{ keystone.bootstrap.username }}"
    --os-password "{{ keystone.bootstrap.password }}"
    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
    --os-project-name admin
    endpoint list -f json --noindent --service baremetal-introspection --interface internal
    --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
  no_log: true
  register: test_ironic_inspector_internal_endpoint
  environment: "{{ bifrost_venv_env }}"
 - name: "Create ironic-inspector admin endpoint"
-  command: |
+  openstack.cloud.endpoint:
-    openstack
+    state: present
-    --os-identity-api-version 3
+    service: "{{ introspection_catalog_service.id }}"
-    --os-username "{{ keystone.bootstrap.username }}"
+    endpoint_interface: admin
-    --os-password "{{ keystone.bootstrap.password }}"
+    url: "{{ ironic_inspector.keystone.admin_url | default(ironic_inspector_api_url) }}"
-    --os-auth-url "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+    region: "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
-    --os-project-name admin
+    auth: "{{ keystone_auth }}"
    endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
    baremetal-introspection admin "{{ ironic_inspector.keystone.admin_url | default('http://127.0.0.1:5050/') }}"
  no_log: true
  environment: "{{ bifrost_venv_env }}"
  when: test_ironic_inspector_admin_endpoint.rc != 0 or test_ironic_inspector_admin_endpoint.stdout == '[]'
 - name: "Setting external ironic-inspector public URL"
  set_fact:
-    ironic_inspector_public_url: >-
+    ironic_inspector_public_url: "{{ api_protocol }}://{{ public_ip }}:5050/"
-      {{ ironic_inspector.keystone.public_url | default('http://127.0.0.1:5050/') | replace('127.0.0.1', public_ip | default(internal_ip)) }}
+  when: public_ip is defined
  when: use_public_urls | default(false) | bool
 # NOTE(TheJulia): This seems like something that should be
 # to admin or internal interfaces. Perhaps we should attempt
 # remove it after we have a working keystone integrated CI job.
 - name: "Create ironic-inspector public endpoint"
-  command: |
+  openstack.cloud.endpoint:
-    openstack
+    state: present
-    --os-identity-api-version 3
+    service: "{{ introspection_catalog_service.id }}"
-    --os-username "{{ keystone.bootstrap.username }}"
+    endpoint_interface: public
-    --os-password "{{ keystone.bootstrap.password }}"
+    url: "{{ ironic_inspector.keystone.public_url | default(ironic_inspector_public_url) | default(ironic_inspector_api_url) }}"
-    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+    region: "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
-    --os-project-name admin
+    auth: "{{ keystone_auth }}"
    endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
    baremetal-introspection public "{{ ironic_inspector_public_url | default(ironic_inspector.keystone.public_url) | default('http://127.0.0.1:5050/') }}"
  no_log: true
  environment: "{{ bifrost_venv_env }}"
  when: test_ironic_inspector_public_endpoint.rc != 0 or test_ironic_inspector_public_endpoint.stdout == '[]'
 - name: "Setting internal ironic-inspector URL"
  set_fact:
-    ironic_inspector_private_url: "{{ ironic_inspector.keystone.internal_url | default('http://127.0.0.1:5050/') | replace('127.0.0.1', private_ip) }}"
+    ironic_inspector_private_url: "{{ api_protocol }}://{{ private_ip }}:5050/"
  when: private_ip is defined and private_ip | length > 0
 - name: "Create ironic-inspector internal endpoint"
-  command: |
+  openstack.cloud.endpoint:
-    openstack
+    state: present
-    --os-identity-api-version 3
+    service: "{{ introspection_catalog_service.id }}"
-    --os-username "{{ keystone.bootstrap.username }}"
+    endpoint_interface: internal
-    --os-password "{{ keystone.bootstrap.password }}"
+    url: "{{ ironic_inspector.keystone.internal_url | default(ironic_inspector_private_url) | default(ironic_inspector_api_url) }}"
-    --os-auth-url "{{ ironic.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
+    region: "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
-    --os-project-name admin
+    auth: "{{ keystone_auth }}"
    endpoint create --region "{{ keystone.bootstrap.region_name | default('RegionOne') }}"
    baremetal-introspection internal "{{ ironic_inspector_private_url | default(ironic_inspector.keystone.internal_url) | default('http://127.0.0.1:5050/') }}"
  no_log: true
  environment: "{{ bifrost_venv_env }}"
  when: test_ironic_inspector_internal_endpoint.rc != 0 or test_ironic_inspector_internal_endpoint.stdout == '[]'
 - name: "Create inspector_user user"
  openstack.cloud.identity_user:
@ -188,13 +127,7 @@
    password: "{{ ironic_inspector.keystone.default_password }}"
    default_project: "baremetal"
    domain: "default"
-    auth:
+    auth: "{{ keystone_auth }}"
      auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: admin
      project_domain_id: "default"
      user_domain_id: "default"
    update_password: always
    wait: yes
  environment: "{{ bifrost_venv_env }}"
@ -205,13 +138,7 @@
    user: "{{ ironic_inspector.keystone.default_username }}"
    role: "baremetal_admin"
    project: baremetal
-    auth:
+    auth: "{{ keystone_auth }}"
      auth_url: "{{ ironic_inspector.service_catalog.auth_url | default('http://127.0.0.1:5000/') }}"
      username: "{{ keystone.bootstrap.username }}"
      password: "{{ keystone.bootstrap.password }}"
      project_name: admin
      project_domain_id: "default"
      user_domain_id: "default"
    wait: yes
  environment: "{{ bifrost_venv_env }}"
  no_log: true
--- a/playbooks/roles/bifrost-keystone-client-config/defaults/main.yml
+++ b/playbooks/roles/bifrost-keystone-client-config/defaults/main.yml
@ -1,6 +1,13 @@
 ---
-ironic_api_url: "http://localhost:6385"
+
-ironic_inspector_api_url: "http://localhost:5050"
+network_interface: "virbr0"
 ans_network_interface: "{{ network_interface | replace('-', '_') }}"
 internal_ip: "{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}"
 # Service URLs used for communication with them.
 api_protocol: http
 ironic_api_url: "{{ api_protocol }}://{{ internal_ip }}:6385"
 ironic_inspector_api_url: "{{ api_protocol }}://{{ internal_ip }}:5050"
 # Ensure that Ansible is using python interpreter and dependencies inside the bifrost virtual environment
 bifrost_venv_dir: "{{ lookup('env', 'VENV') or '/opt/stack/bifrost' }}"
--- a/playbooks/roles/bifrost-keystone-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-keystone-install/defaults/main.yml
@ -35,6 +35,9 @@ network_interface: "virbr0"
 ans_network_interface: "{{ network_interface | replace('-', '_') }}"
 internal_ip: "{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}"
 api_protocol: http
 keystone_api_url: "{{ api_protocol }}://{{ internal_ip }}:5000/v3"
 # Defaults required by this role that are normally inherited via
 # other roles.
 file_url_port: 8080
@ -66,9 +69,9 @@ keystone:
    username: "{{ admin_username }}"
    password: "{{ admin_password }}"
    project_name: admin
-    admin_url: "http://127.0.0.1:35357/v3/"
+    admin_url: "{{ api_protocol }}://{{ internal_ip }}:35357/v3/"
-    public_url: "http://127.0.0.1:5000/v3/"
+    public_url: "{{ keystone_api_url }}"
-    internal_url: "http://127.0.0.1:5000/v3/"
+    internal_url: "{{ api_protocol }}://127.0.0.1:5000/v3/"
    region_name: "RegionOne"
  message_queue:
    username: keystone
--- a/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml
@ -120,12 +120,12 @@
 - name: "Setting external Keystone public URL"
  set_fact:
-    keystone_public_url: "{{ keystone.bootstrap.public_url | replace('127.0.0.1', public_ip | default(internal_ip)) }}"
+    keystone_public_url: "{{ api_protocol }}://{{ public_ip }}:5000/v3"
-  when: use_public_urls | default(false) | bool
+  when: public_ip is defined
 - name: "Setting internal Keystone URL"
  set_fact:
-    keystone_private_url: "{{ keystone.bootstrap.internal_url | replace('127.0.0.1', private_ip) }}"
+    keystone_private_url: "{{ api_protocol }}://{{ private_ip }}:5000/v3"
  when: private_ip is defined and private_ip | length > 0
 - name: "Bootstrap Keystone Database"
@ -135,9 +135,9 @@
    --bootstrap-password="{{ keystone.bootstrap.password }}"
    --bootstrap-project-name="{{ keystone.bootstrap.project_name }}"
    --bootstrap-service-name="keystone"
-    --bootstrap-admin-url="{{ keystone.bootstrap.admin_url }}"
+    --bootstrap-admin-url="{{ keystone.bootstrap.admin_url | default(keystone_api_url) }}"
-    --bootstrap-public-url="{{ keystone_public_url | default(keystone.bootstrap.public_url) }}"
+    --bootstrap-public-url="{{ keystone.bootstrap.public_url | default(keystone_public_url) | default(keystone_api_url) }}"
-    --bootstrap-internal-url="{{ keystone_private_url | default(keystone.bootstrap.internal_url) }}"
+    --bootstrap-internal-url="{{ keystone.bootstrap.internal_url | default(keystone_private_url) | default(keystone_api_url) }}"
    --bootstrap-region-id="{{ keystone.bootstrap.region_name }}"
  environment: "{{ bifrost_venv_env }}"
  when: >
--- a/releasenotes/notes/api-url-a6f79de3cc8b0e3d.yaml
+++ b/releasenotes/notes/api-url-a6f79de3cc8b0e3d.yaml
@ -0,0 +1,15 @@
 ---
 features:
  - |
    The first IPv4 address of the ``network_interface`` is now used for ironic
    and ironic-inspector API URLs in ``clouds.yaml`` in ``openrc`` instead
    of ``localhost``. Use ``ironic_api_url`` and ``ironic_inspector_api_url``
    to override.
 fixes:
  - |
    Changes to keystone endpoint configuration are now automatically reflected
    on existing endpoints.
 upgrade:
  - |
    The ``use_public_urls`` parameter is no longer supported, just provide
    ``public_ip`` instead.
--- a/scripts/test-bifrost.sh
+++ b/scripts/test-bifrost.sh
@ -176,7 +176,6 @@ ${ANSIBLE} -vvvv \
    -e wait_timeout=${PROVISION_WAIT_TIMEOUT} \
    -e noauth_mode=${NOAUTH_MODE} \
    -e enable_keystone=${ENABLE_KEYSTONE} \
    -e use_public_urls=${ENABLE_KEYSTONE} \
    -e wait_for_node_deploy=${WAIT_FOR_DEPLOY} \
    -e not_enrolled_data_file=${BAREMETAL_DATA_FILE}.rest \
    -e skip_install=${CLI_TEST} \