Finalize migration to keystoneauth adapters
Removes code that allowed some service sections to not have and use keystoneauth adapter options.

Also deprecates `[keystone]region_name` option in favor of per-client option of the same name.

Change-Id: Ifd58947b016bfa93b516dd47a170ba8f5abf277e
Closes-Bug: #1699547
parent 4d43262955
commit ba53acb279
@ -1095,14 +1095,6 @@ function configure_client_for {
|
|||||||
iniset $IRONIC_CONF_FILE $service_config_section project_domain_id default
|
iniset $IRONIC_CONF_FILE $service_config_section project_domain_id default
|
||||||
# keystoneauth session options
|
# keystoneauth session options
|
||||||
iniset $IRONIC_CONF_FILE $service_config_section cafile $SSL_BUNDLE_FILE
|
iniset $IRONIC_CONF_FILE $service_config_section cafile $SSL_BUNDLE_FILE
|
||||||
}
|
|
||||||
|
|
||||||
# TODO(pas-ha) this function is for transition period only,
|
|
||||||
# after all clients are moved to use keystoneauth adapters, it will be merged
|
|
||||||
# into configure_client_for function
|
|
||||||
function configure_adapter_for {
|
|
||||||
local service_config_section
|
|
||||||
service_config_section=$1
|
|
||||||
# keystoneauth adapter options
|
# keystoneauth adapter options
|
||||||
# NOTE(pas-ha) relying on defaults for valid_interfaces being "internal,public" in ironic
|
# NOTE(pas-ha) relying on defaults for valid_interfaces being "internal,public" in ironic
|
||||||
iniset $IRONIC_CONF_FILE $service_config_section region_name $REGION_NAME
|
iniset $IRONIC_CONF_FILE $service_config_section region_name $REGION_NAME
|
||||||
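Review bot: the NOTE(pas-ha) comment kept above the `region_name` line hard-codes the expected default ("internal,public") for `valid_interfaces`, while the Python side of this change sets that default from `DEFAULT_VALID_INTERFACES`. If the constant ever changes, this comment will silently go stale. Suggest naming the constant in the comment instead of its value, or writing `valid_interfaces` explicitly with `iniset` so the devstack configuration does not depend on a default defined elsewhere.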
@ -1119,14 +1111,6 @@ function configure_ironic_conductor {
|
|||||||
configure_client_for $conf_section
|
configure_client_for $conf_section
|
||||||
done
|
done
|
||||||
|
|
||||||
# TODO(pas-ha) this block is for transition period only,
|
|
||||||
# after all clients are moved to use keystoneauth adapters,
|
|
||||||
# it will be deleted
|
|
||||||
local sections_with_adapter="service_catalog glance cinder inspector swift neutron"
|
|
||||||
for conf_section in $sections_with_adapter; do
|
|
||||||
configure_adapter_for $conf_section
|
|
||||||
done
|
|
||||||
|
|
||||||
configure_rootwrap ironic
|
configure_rootwrap ironic
|
||||||
|
|
||||||
# set up drivers / hardware types
|
# set up drivers / hardware types
|
||||||
|
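Review bot: the removed `sections_with_adapter` list named six sections (service_catalog, glance, cinder, inspector, swift, neutron), but the list that the remaining `configure_client_for $conf_section` loop iterates over is outside this hunk. Please confirm that it covers all six, otherwise a section dropped here stops receiving `region_name` without any error. A short comment above the remaining loop stating that it now also writes adapter options would help the next reader.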
@ -67,15 +67,18 @@ Configuring ironic-conductor service
|
|||||||
service users for each service.
|
service users for each service.
|
||||||
|
|
||||||
Under the hood, Bare Metal service uses ``keystoneauth`` library
|
Under the hood, Bare Metal service uses ``keystoneauth`` library
|
||||||
together with ``Authentication plugin`` and ``Session`` concepts
|
together with ``Authentication plugin``, ``Session`` and ``Adapter``
|
||||||
provided by it to instantiate service clients.
|
concepts provided by it to instantiate service clients.
|
||||||
Please refer to `Keystoneauth documentation`_ for supported plugins,
|
Please refer to `Keystoneauth documentation`_ for supported plugins,
|
||||||
their available options as well as Session-related options
|
their available options as well as Session- and Adapter-related options
|
||||||
for authentication and connection respectively.
|
for authentication, connection and endpoint discovery respectively.
|
||||||
|
|
||||||
In the example below, authentication information for user to access the
|
In the example below, authentication information for user to access the
|
||||||
OpenStack Networking service is configured to use:
|
OpenStack Networking service is configured to use:
|
||||||
|
|
||||||
|
* Networking service is deployed in the Identity service region named
|
||||||
|
``RegionTwo``, with only its ``public`` endpoint interface registered
|
||||||
|
in the service catalog.
|
||||||
* HTTPS connection with specific CA SSL certificate when making requests
|
* HTTPS connection with specific CA SSL certificate when making requests
|
||||||
* the same service user as configured for ironic-api service
|
* the same service user as configured for ironic-api service
|
||||||
* dynamic ``password`` authentication plugin that will discover
|
* dynamic ``password`` authentication plugin that will discover
|
||||||
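Review bot: the added first bullet ("Networking service is deployed in the Identity service region named ``RegionTwo`` ...") does not read as a continuation of the lead-in "is configured to use:", and it starts with a capital letter while the other bullets start lower-case. It describes the deployment rather than something the user is configured to use. Suggest either rewording the lead-in so it introduces both deployment assumptions and settings, or moving this bullet into a sentence before the list.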
@ -116,61 +119,46 @@ Configuring ironic-conductor service
|
|||||||
# HTTPs connections. (string value)
|
# HTTPs connections. (string value)
|
||||||
cafile=/opt/stack/data/ca-bundle.pem
|
cafile=/opt/stack/data/ca-bundle.pem
|
||||||
|
|
||||||
#. Notes for configuring the Image service access
|
# The default region_name for endpoint URL discovery. (string
|
||||||
|
# value)
|
||||||
|
region_name = RegionTwo
|
||||||
|
|
||||||
.. note::
|
# List of interfaces, in order of preference, for endpoint
|
||||||
Swift backend for the Image service must be installed and configured
|
# URL. (list value)
|
||||||
for ``agent_*`` drivers. Ceph Object Gateway (RADOS Gateway) is also
|
valid_interfaces=public
|
||||||
supported as the Image service's backend (:ref:`radosgw support`).
|
|
||||||
|
|
||||||
Configure the ironic-conductor service to use specific Image service
|
|
||||||
endpoints - only if you do not want to use Image service endpoint discovery
|
|
||||||
from the keystone service catalog.
|
|
||||||
Replace ``<GLANCE_SERVICE_URL>`` with the address of the image service API:
|
|
||||||
|
|
||||||
.. code-block:: ini
|
|
||||||
|
|
||||||
[glance]
|
|
||||||
endpoint_override = <GLANCE_SERVICE_URL>
|
|
||||||
|
|
||||||
|
|
||||||
#. Notes for configuring the Network service access
|
By default, in order to communicate with another service, the Bare
|
||||||
|
Metal service will attempt to discover an appropriate endpoint for
|
||||||
.. note::
|
that service via the Identity service's service catalog.
|
||||||
To configure the network for ironic-conductor service to perform node
|
The relevant configuration options from that service group in the Bare
|
||||||
cleaning, see :ref:`cleaning` from the admin guide.
|
Metal service configuration file are used for this purpose.
|
||||||
|
If you want to use a different endpoint for a particular service,
|
||||||
Set a specific URL (replace ``NETWORKING_SERVICE_ENDPOINT``)
|
specify this via the ``endpoint_override`` configuration option of
|
||||||
for connecting to the Networking service, to be the Networking
|
that service group, in the Bare Metal service's configuration file.
|
||||||
service endpoint - only for the case when you do not want to use
|
Taking the previous Networking service example, this would be
|
||||||
discovery of Networking service endpoint from keystone service catalog:
|
|
||||||
|
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
|
|
||||||
[neutron]
|
[neutron]
|
||||||
|
...
|
||||||
|
endpoint_override = <NEUTRON_API_ADDRESS>
|
||||||
|
|
||||||
# URL for connecting to neutron. (string value)
|
(Replace `<NEUTRON_API_ADDRESS>` with actual address of a specific
|
||||||
endpoint_override = <NETWORKING_SERVICE_ENDPOINT>
|
Networking service endpoint.)
|
||||||
|
|
||||||
#. Configure a specific ironic-api service URL - only if you do not want
|
|
||||||
to use discovery of the Baremetal service endpoint from keystone catalog
|
|
||||||
(for example when having deployed two separate pools of ironic-api services
|
|
||||||
for security reasons).
|
|
||||||
Replace ``IRONIC_API_IP`` with IP of specific ironic-api service as follows:
|
|
||||||
|
|
||||||
.. code-block:: ini
|
|
||||||
|
|
||||||
[conductor]
|
|
||||||
|
|
||||||
# URL of Ironic API service. If not set ironic can get the
|
|
||||||
# current value from the keystone service catalog. (string
|
|
||||||
# value)
|
|
||||||
endpoint_override=http://IRONIC_API_IP:6385
|
|
||||||
|
|
||||||
|
|
||||||
#. Configure enabled drivers and hardware types as described in
|
#. Configure enabled drivers and hardware types as described in
|
||||||
:doc:`/install/enabling-drivers`.
|
:doc:`/install/enabling-drivers`.
|
||||||
|
|
||||||
|
A. If you enabled any driver that uses :ref:`direct-deploy`,
|
||||||
|
Swift backend for the Image service must be installed and configured,
|
||||||
|
see :ref:`image-store`.
|
||||||
|
Ceph Object Gateway (RADOS Gateway) is also supported as the Image
|
||||||
|
service's backend, see :ref:`radosgw support`.
|
||||||
|
|
||||||
|
#. Configure the network for ironic-conductor service to perform node
|
||||||
|
cleaning, see :ref:`cleaning` from the admin guide.
|
||||||
|
|
||||||
#. Restart the ironic-conductor service:
|
#. Restart the ironic-conductor service:
|
||||||
|
|
||||||
.. TODO(mmitchell): Split this based on operating system
|
.. TODO(mmitchell): Split this based on operating system
|
||||||
|
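Review bot: the added sentence "(Replace `<NEUTRON_API_ADDRESS>` with actual address ...)" uses single backticks, which reStructuredText treats as interpreted text rather than an inline literal. The rest of this file uses double backticks (for example ``endpoint_override``), so this should be ``<NEUTRON_API_ADDRESS>``. Separately, the removed step showed `[conductor]` as the section for overriding the ironic-api endpoint, and the new generic paragraph only says "that service group" without naming the group for the Bare Metal API itself. One sentence naming that section would keep the information the old text gave.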
@ -2218,8 +2218,14 @@
|
|||||||
# From ironic
|
# From ironic
|
||||||
#
|
#
|
||||||
|
|
||||||
# The region used for getting endpoints of OpenStack services.
|
# DEPRECATED: The region used for getting endpoints of
|
||||||
# (string value)
|
# OpenStack services. (string value)
|
||||||
|
# This option is deprecated for removal.
|
||||||
|
# Its value may be silently ignored in the future.
|
||||||
|
# Reason: Use 'region_name' option in the following sections -
|
||||||
|
# '[service_catalog]', '[neutron]', '[glance]', '[cinder]',
|
||||||
|
# '[swift]' and '[inspector]' to configure region for those
|
||||||
|
# services individually.
|
||||||
#region_name = <None>
|
#region_name = <None>
|
||||||
|
|
||||||
|
|
||||||
@ -2643,7 +2649,9 @@
|
|||||||
#domain_name = <None>
|
#domain_name = <None>
|
||||||
|
|
||||||
# Always use this endpoint URL for requests for this client.
|
# Always use this endpoint URL for requests for this client.
|
||||||
# (string value)
|
# NOTE: The unversioned endpoint should be specified here; to
|
||||||
|
# request a particular API version, use the `version`, `min-
|
||||||
|
# version`, and/or `max-version` options. (string value)
|
||||||
#endpoint_override = <None>
|
#endpoint_override = <None>
|
||||||
|
|
||||||
# Verify HTTPS connections. (boolean value)
|
# Verify HTTPS connections. (boolean value)
|
||||||
@ -2736,16 +2744,16 @@
|
|||||||
# Its value may be silently ignored in the future.
|
# Its value may be silently ignored in the future.
|
||||||
# Reason: Use [neutron]/endpoint_override option instead. It
|
# Reason: Use [neutron]/endpoint_override option instead. It
|
||||||
# has no default value and must be set explicitly if required
|
# has no default value and must be set explicitly if required
|
||||||
# to connect to specific neutron URL, for example when
|
# to connect to specific neutron URL, for example in stand
|
||||||
# [neutron]auth_strategy is noauth.
|
# alone mode when [neutron]/auth_type is 'none'.
|
||||||
#url = <None>
|
#url = <None>
|
||||||
|
|
||||||
# DEPRECATED: Timeout value for connecting to neutron in
|
# DEPRECATED: Timeout value for connecting to neutron in
|
||||||
# seconds. (integer value)
|
# seconds. (integer value)
|
||||||
# This option is deprecated for removal.
|
# This option is deprecated for removal.
|
||||||
# Its value may be silently ignored in the future.
|
# Its value may be silently ignored in the future.
|
||||||
# Reason: Use [neutron]/timeout option instead. It has no
|
# Reason: Set the desired value explicitly using the
|
||||||
# default value and must be set explicitly.
|
# [neutron]/timeout option instead.
|
||||||
#url_timeout = 30
|
#url_timeout = 30
|
||||||
|
|
||||||
# User's domain id (string value)
|
# User's domain id (string value)
|
||||||
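Review bot: the new reason for `url_timeout` drops the statement that `[neutron]/timeout` has no default, while the line `#url_timeout = 30` below shows that the deprecated option did default to 30 seconds. An operator who moves to `[neutron]/timeout` and leaves it unset may end up with different timeout behaviour without knowing it. Suggest keeping the "has no default value" wording in the reason. Also, "stand alone mode" in the `url` reason should be "standalone mode". Since this file is a generated sample, both fixes belong in the option definitions.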
@ -4057,7 +4065,9 @@
|
|||||||
#domain_name = <None>
|
#domain_name = <None>
|
||||||
|
|
||||||
# Always use this endpoint URL for requests for this client.
|
# Always use this endpoint URL for requests for this client.
|
||||||
# (string value)
|
# NOTE: The unversioned endpoint should be specified here; to
|
||||||
|
# request a particular API version, use the `version`, `min-
|
||||||
|
# version`, and/or `max-version` options. (string value)
|
||||||
#endpoint_override = <None>
|
#endpoint_override = <None>
|
||||||
|
|
||||||
# Verify HTTPS connections. (boolean value)
|
# Verify HTTPS connections. (boolean value)
|
||||||
|
@ -32,10 +32,11 @@ def register_auth_opts(conf, group, service_type=None):
|
|||||||
"""
|
"""
|
||||||
kaloading.register_session_conf_options(conf, group)
|
kaloading.register_session_conf_options(conf, group)
|
||||||
kaloading.register_auth_conf_options(conf, group)
|
kaloading.register_auth_conf_options(conf, group)
|
||||||
if service_type:
|
|
||||||
kaloading.register_adapter_conf_options(conf, group)
|
kaloading.register_adapter_conf_options(conf, group)
|
||||||
conf.set_default('valid_interfaces', DEFAULT_VALID_INTERFACES,
|
conf.set_default('valid_interfaces', DEFAULT_VALID_INTERFACES, group=group)
|
||||||
group=group)
|
# TODO(pas-ha) use os-service-type to try find the service_type by the
|
||||||
|
# config group name assuming it is a project name (e.g. 'glance')
|
||||||
|
if service_type:
|
||||||
conf.set_default('service_type', service_type, group=group)
|
conf.set_default('service_type', service_type, group=group)
|
||||||
|
|
||||||
|
|
||||||
|
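Review bot: `register_adapter_conf_options` and the `valid_interfaces` default are now applied to every group, including callers that pass `service_type=None`, but only the `service_type` default remains behind the `if service_type:` check. A group registered without a service type therefore gets adapter options with nothing to look up in the catalog unless `endpoint_override` is set. The docstring that closes just above should state this, and the TODO should say what callers are expected to do until the os-service-type lookup exists.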
@ -18,6 +18,12 @@ from ironic.common.i18n import _
|
|||||||
|
|
||||||
opts = [
|
opts = [
|
||||||
cfg.StrOpt('region_name',
|
cfg.StrOpt('region_name',
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=_("Use 'region_name' option in the following "
|
||||||
|
"sections - '[service_catalog]', "
|
||||||
|
"'[neutron]', '[glance]', '[cinder]', "
|
||||||
|
"'[swift]' and '[inspector]' to configure "
|
||||||
|
"region for those services individually."),
|
||||||
help=_('The region used for getting endpoints of OpenStack'
|
help=_('The region used for getting endpoints of OpenStack'
|
||||||
' services.')),
|
' services.')),
|
||||||
]
|
]
|
||||||
|
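Review bot: the deprecation on `region_name` sets `deprecated_for_removal=True` and a reason but no `deprecated_since`, and the reason does not mention the release in which the value stops being honoured, although the release note in this change says Rocky. Suggest adding `deprecated_since` and, if the removal release is settled, naming it in `deprecated_reason` so the generated sample config carries the same information as the release note.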
@ -0,0 +1,28 @@
|
|||||||
|
---
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
Configuration option ``[keystone]/region_name`` is deprecated
|
||||||
|
and will be ignored in the Rocky release.
|
||||||
|
Instead, provide per-service ``region_name`` option in the following
|
||||||
|
configuration file sections:
|
||||||
|
|
||||||
|
- service_catalog (for ironic API discovery from keystone service catalog)
|
||||||
|
- glance
|
||||||
|
- neutron
|
||||||
|
- cinder
|
||||||
|
- inspector
|
||||||
|
- swift
|
||||||
|
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
Configuration option ``[keystone]/region_name`` is deprecated
|
||||||
|
and will be ignored in the Rocky release.
|
||||||
|
Instead, provide per-service ``region_name`` option in the following
|
||||||
|
configuration file sections:
|
||||||
|
|
||||||
|
- service_catalog (for ironic API discovery from keystone service catalog)
|
||||||
|
- glance
|
||||||
|
- neutron
|
||||||
|
- cinder
|
||||||
|
- inspector
|
||||||
|
- swift
|
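Review bot: the `upgrade` entry repeats the `deprecations` entry word for word. An upgrade note should tell the operator what to do, for example to copy the current value of ``[keystone]/region_name`` into each listed section before upgrading. The note also does not mention that the option is still read in this release, which is what an operator needs to know to schedule the change. Suggest keeping the deprecation text as is and rewriting the upgrade entry as an action.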