The following configuration items in heat engine

    metadata_server_url
    waitcondition_server_url
    watch_server_url

are configured to point to the internal_api network endpoints of heat.

However, when instances attempt to use heat, these configuration values are what is passed to instances, and because the instances can't connect to the internal_api network (major security issue), they can't talk to heat.

These configuration items should instead be configured to the publicURL endpoints of heat.
Just tracking how metadata_server_url ends up with an internal network value, it is set from HeatApiVirtualIPUri which is set from this ServiceNetMap/VipMap lookup:

    HeatApiVirtualIPUri: {get_attr: [VipMap, net_ip_uri_map, {get_param: [ServiceNetMap, HeatApiNetwork]}]}

The default ServiceNetMap has

    HeatApiNetwork: internal_api

It looks like the solution is either to:

1. fix the ServiceNetMap to have HeatApiNetwork: external_api, or
2. to use something else entirely to build HeatApiVirtualIPUri.

Option 1. looks easiest but may cause other problems and may not actually be the right thing to do.

Setting needinfo on shardy for his opinion.
*** This bug has been marked as a duplicate of bug 1293700 ***
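
An added example, not part of the bug report or of the project's code: a check over a deployed heat.conf that flags any of the three instance-facing URLs whose host is a literal address inside an internal network. The option names follow the report; accepting a `heat_` prefix on them, the `[DEFAULT]` section, and the sample addresses and CIDRs are assumptions constructed for illustration.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Option names as written in the bug report. The heat_-prefixed spelling is
# also accepted (assumption about how the options appear in heat.conf).
URL_OPTIONS = ("metadata_server_url", "waitcondition_server_url",
               "watch_server_url")

# Constructed sample input: addresses and CIDRs are illustrative only.
INTERNAL_API_CIDRS = ["172.16.2.0/24", "fd00:fd00:fd00:2000::/64"]
SAMPLE_HEAT_CONF = """
[DEFAULT]
heat_metadata_server_url = http://172.16.2.5:8000
heat_waitcondition_server_url = http://172.16.2.5:8000/v1/waitcondition
heat_watch_server_url = http://[fd00:fd00:fd00:2000::5]:8003
"""


def find_internal_urls(conf_text, internal_cidrs):
    """Return {option: url} for URLs handed to instances whose host is a
    literal IP address inside one of the given internal networks."""
    nets = [ipaddress.ip_network(cidr) for cidr in internal_cidrs]
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    flagged = {}
    for name in URL_OPTIONS:
        for key in (name, "heat_" + name):
            url = parser.get("DEFAULT", key, fallback=None)
            if not url:
                continue
            host = urlsplit(url).hostname
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                # Hostname (or no host at all): resolve and check separately.
                continue
            # Membership is False when address and network versions differ.
            if any(addr in net for net in nets):
                flagged[key] = url
    return flagged


if __name__ == "__main__":
    for option, url in find_internal_urls(SAMPLE_HEAT_CONF,
                                          INTERNAL_API_CIDRS).items():
        print(f"{option} points at an internal network: {url}")
```

URLs that use a hostname rather than a literal address are skipped by this check and need to be resolved from the instance's point of view before they can be judged.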