I have two machines setup following the RDO guide for newton with the exception that I used openvswitch. Everything seems to be working apart from the fact that when instances contact the metadata service it returns 500. Digging into the nova-api logs I see lots of lines like the following:

2016-12-12 16:49:49.221 30364 ERROR nova.api.metadata.handler Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-387aefdc-15a3-4021-b7ca-6ca2fd5c0d0f) 2016-12-12 16:49:49.221 30364 ERROR nova.api.metadata.handler 2016-12-12 16:49:49.227 30364 INFO nova.metadata.wsgi.server [req-817e7ade-3f7e-44f4-96ba-42ca58fce9be - - - - -] 192.168.3.109,192.168.10.1 "GET /2009-04-04/meta-data/instance-id HTTP/1.1" status: 500 len: 229 time: 0.3256161 2016-12-12 16:49:51.437 30364 ERROR nova.api.metadata.handler [req-27a03f3d-7376-4958-ba95-052e17739fe2 - - - - -] Failed to get metadata for instance id: a85b5c06-2174-4a63-9ec3-7ae8589b4583

I am assuming that there is some mis-configuration that means relevant auth config is being propagated but I don't know where to start looking.