It is currently possible for Heat to run outside the OpenStack cloud that it orchestrates against by configuring the APIs to run in standalone mode. This is done by specifying the following in the heat-api*.conf files:
[paste_deploy]
flavor = standalone
The heat client can make requests to a standalone Heat with the following options:
heat --os-no-client-auth --heat-url <heat api endpoint>
This switches to using Heat's KeystonePasswordAuthProtocol, which authenticates by fetching a token using the provided credentials (instead of validating the provided token). However, the APIs are still configured to use only a single keystone endpoint via the [keystone_authtoken] auth_uri configuration option.
This blueprint is to make it possible to configure Heat to orchestrate a stack within the cloud that the client requests. It will require the following changes:
- An [authpassword] configuration section in heat-api.conf with the following options:
  - multi_cloud - boolean, defaults to False. When True, the configured auth_uri will be ignored and the X-Auth-Url header included in the client request will be used instead.
  - allowed_auth_uris - list defaults to . Ignored if multi_cloud is False. If empty, authenticating against any supplied X-Auth-Url will be attempted. Otherwise the X-Auth-Url will be validated against the configured list and authentication will fail if no match is found.
- Modify KeystonePasswordAuthProtocol to implement the desired behavior when the above options are configured.
It should then be possible to launch stacks on arbitrary clouds with the following command:
heat --os-no-client-auth --heat-url <heat api endpoint> --os-auth-url <keystone auth uri of arbitrary cloud>
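One way the multi_cloud / allowed_auth_uris decision could be made is sketched below as an added example; it is not code from Heat or from this blueprint. It assumes exact matching after URL normalization (the blueprint does not say how a match is determined), and the names select_auth_url, normalize and AuthUrlRejected are hypothetical. With an empty list the client's credentials are sent to whatever endpoint the header names, so the list is what limits where passwords can go.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


class AuthUrlRejected(Exception):
    """The client-supplied X-Auth-Url must not receive credentials."""


def normalize(url):
    """Canonical (scheme, host, port, path) tuple for exact comparison."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        raise AuthUrlRejected("malformed URL: %r" % url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise AuthUrlRejected("not an absolute http(s) URL: %r" % url)
    # Userinfo can make a URL look like an allowed host while pointing elsewhere.
    if "@" in parts.netloc or parts.query or parts.fragment:
        raise AuthUrlRejected("userinfo/query/fragment present: %r" % url)
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme],
            parts.path.rstrip("/"))


def select_auth_url(multi_cloud, allowed_auth_uris, auth_uri, headers):
    """Return the Keystone URL the supplied credentials will be sent to."""
    if not multi_cloud:
        return auth_uri  # header ignored, configured endpoint only
    supplied = headers.get("X-Auth-Url")
    if not supplied:
        # Assumption: no fallback to auth_uri once multi_cloud is on.
        raise AuthUrlRejected("X-Auth-Url header required")
    candidate = normalize(supplied)
    if not allowed_auth_uris:
        return supplied  # empty list: any endpoint is attempted
    # Compare whole normalized tuples, never string prefixes.
    if candidate in {normalize(u) for u in allowed_auth_uris}:
        return supplied
    raise AuthUrlRejected("X-Auth-Url not in allowed_auth_uris: %r" % supplied)


# Constructed sample values, not taken from any real deployment.
ALLOWED = ["https://keystone.cloud-a.example:5000/v2.0"]
LOCAL = "https://keystone.local.example:5000/v2.0"
```

Comparing normalized tuples rather than string prefixes means a host that merely begins with an allowed name, or a URL that hides the real host behind userinfo, does not match.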