Description of problem:

It is typical for our customers to VPN in to their OpenStack environment, and only have access to the private networks in the environment via the VPN.  In these cases, we would like them to use the Internal endpoints.  Due to the Keystone configuration, any requests to the internal identity endpoint are re-directed to the PublicURL.  To get around this, currently our customers have to modify their environment files to set OS_AUTH_URL to the identity endpoint admin URL.  This scenario, while not the preferred solution, works fine along with the endpoint type set to internal.  Things break with this configuration when the customer attempts to use any of the identity functions.

Ideally we would be able to set the auth URL and endpoint type to Internal and have that work successfully.  In the future OSP 10 on, we would also like to take advantage of SSL enabled internal endpoints, which do/will use a different subnet from the Public URLs.


Version-Release number of selected component (if applicable):
OSP9 & OSP10

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info: