The keystone puppet code sets up the following CIDRs:

    include ::network::constants
    $prod_networks = join($::network::constants::production_networks, ' ')
    $labs_networks = join($::network::constants::labs_networks, ' ')
    $ldap_rw_host = $ldap_config['rw-server']
Those are later fed to the password_safelist plugin, which selectively allows password auth to the OpenStack APIs based on which network the request is coming from.
I believe that 172.20.5.0/24 is included as part of 'labs_networks' which means they allow read-only API access but prevent use of the novaadmin user.
Should they be a part of prod_networks instead? Or should we handle them as a special case? As it is, the standard 'novaadmin' user doesn't work for traffic coming through the cloudlbs.
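To make the classification concrete, here is an added example (not the puppet code or the password_safelist plugin itself) that models the decision described above: a source address is matched against the production and labs CIDR lists, and password auth is then allowed for any user from a production network, for non-novaadmin users from a labs network, and for nobody else. The CIDR lists are constructed sample values standing in for network::constants (only 172.20.5.0/24 comes from this report), and the read-only-versus-novaadmin rule is a simplified model of what the report describes, not the plugin's actual logic.

```python
import ipaddress

# Constructed stand-ins for network::constants; the real lists are not on
# the page. 172.20.5.0/24 is the cloudlb range the report says lands in labs.
PRODUCTION_NETWORKS = ["10.64.0.0/22", "10.192.0.0/22"]   # hypothetical
LABS_NETWORKS = ["172.16.0.0/21", "172.20.5.0/24"]        # hypothetical + report's range

# Users that a labs-network client may not authenticate as (from the report).
ADMIN_USERS = {"novaadmin"}


def matching_cidr(ip, cidrs):
    """Return the first CIDR in `cidrs` containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return cidr
    return None


def classify_source(ip, prod_networks=PRODUCTION_NETWORKS,
                    labs_networks=LABS_NETWORKS):
    """Classify a request source as 'prod', 'labs' or 'other'.

    Production is checked first so an address listed in both sets gets the
    more trusted class; adjust if the real plugin orders the lists differently.
    """
    if matching_cidr(ip, prod_networks) is not None:
        return "prod"
    if matching_cidr(ip, labs_networks) is not None:
        return "labs"
    return "other"


def password_auth_allowed(ip, user, prod_networks=PRODUCTION_NETWORKS,
                          labs_networks=LABS_NETWORKS):
    """Simplified safelist decision: True if password auth should be accepted."""
    zone = classify_source(ip, prod_networks, labs_networks)
    if zone == "prod":
        return True
    if zone == "labs":
        # Labs networks get read-only access: ordinary users may log in,
        # but the admin credential is refused.
        return user not in ADMIN_USERS
    return False


if __name__ == "__main__":
    # A cloudlb-sourced request in 172.20.5.0/24 is classified as labs, so
    # novaadmin is rejected while a normal user is accepted.
    for ip, user in [("172.20.5.17", "novaadmin"), ("172.20.5.17", "alice"),
                     ("10.64.1.5", "novaadmin"), ("192.0.2.1", "alice")]:
        print(ip, user, classify_source(ip),
              "allowed" if password_auth_allowed(ip, user) else "denied")
```

Running the block prints one line per sample request; the 172.20.5.17/novaadmin case shows the denial the report describes, and moving that CIDR into the production list (or handling it as a special case) is the change being asked about.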