Finalize migration to keystoneauth adapters

Removes code that allowed some service sections to not have and use
keystoneauth adapter options.

Also deprecates the `[keystone]region_name` option in favor of a per-client
option of the same name.

Change-Id: Ifd58947b016bfa93b516dd47a170ba8f5abf277e
Closes-Bug: #1699547
Pavlo Shchelokovskyy 2017-06-29 09:04:03 +00:00
parent 4d43262955
commit ba53acb279
6 changed files with 91 additions and 74 deletions

@ -1095,14 +1095,6 @@ function configure_client_for {
iniset $IRONIC_CONF_FILE $service_config_section project_domain_id default iniset $IRONIC_CONF_FILE $service_config_section project_domain_id default
# keystoneauth session options # keystoneauth session options
iniset $IRONIC_CONF_FILE $service_config_section cafile $SSL_BUNDLE_FILE iniset $IRONIC_CONF_FILE $service_config_section cafile $SSL_BUNDLE_FILE
}
# TODO(pas-ha) this function is for transition period only,
# after all clients are moved to use keystoneauth adapters, it will be merged
# into configure_client_for function
function configure_adapter_for {
local service_config_section
service_config_section=$1
# keystoneauth adapter options # keystoneauth adapter options
# NOTE(pas-ha) relying on defaults for valid_interfaces being "internal,public" in ironic # NOTE(pas-ha) relying on defaults for valid_interfaces being "internal,public" in ironic
iniset $IRONIC_CONF_FILE $service_config_section region_name $REGION_NAME iniset $IRONIC_CONF_FILE $service_config_section region_name $REGION_NAME
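Review bot: The merged `configure_client_for` still leans on the NOTE "relying on defaults for valid_interfaces being "internal,public" in ironic" instead of writing the value. Now that every client section goes through this one function, consider an explicit `iniset ... valid_interfaces` next to the `region_name` line, so that a change of the in-code default cannot silently change which endpoint interface the devstack jobs exercise. Quoting `$REGION_NAME` and `$SSL_BUNDLE_FILE` in these `iniset` calls would also be a cheap robustness fix.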
@ -1119,14 +1111,6 @@ function configure_ironic_conductor {
configure_client_for $conf_section configure_client_for $conf_section
done done
# TODO(pas-ha) this block is for transition period only,
# after all clients are moved to use keystoneauth adapters,
# it will be deleted
local sections_with_adapter="service_catalog glance cinder inspector swift neutron"
for conf_section in $sections_with_adapter; do
configure_adapter_for $conf_section
done
configure_rootwrap ironic configure_rootwrap ironic
# set up drivers / hardware types # set up drivers / hardware types
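Review bot: With the `sections_with_adapter` loop removed in `configure_ironic_conductor`, adapter options are written only for the sections the remaining `configure_client_for $conf_section` loop iterates over, and that list is outside this hunk. Please confirm it contains all six names from the removed line (`service_catalog glance cinder inspector swift neutron`); any section missing there would no longer get `region_name` set.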

@ -67,15 +67,18 @@ Configuring ironic-conductor service
service users for each service. service users for each service.
Under the hood, Bare Metal service uses ``keystoneauth`` library Under the hood, Bare Metal service uses ``keystoneauth`` library
together with ``Authentication plugin`` and ``Session`` concepts together with ``Authentication plugin``, ``Session`` and ``Adapter``
provided by it to instantiate service clients. concepts provided by it to instantiate service clients.
Please refer to `Keystoneauth documentation`_ for supported plugins, Please refer to `Keystoneauth documentation`_ for supported plugins,
their available options as well as Session-related options their available options as well as Session- and Adapter-related options
for authentication and connection respectively. for authentication, connection and endpoint discovery respectively.
In the example below, authentication information for user to access the In the example below, authentication information for user to access the
OpenStack Networking service is configured to use: OpenStack Networking service is configured to use:
* Networking service is deployed in the Identity service region named
``RegionTwo``, with only its ``public`` endpoint interface registered
in the service catalog.
* HTTPS connection with specific CA SSL certificate when making requests * HTTPS connection with specific CA SSL certificate when making requests
* the same service user as configured for ironic-api service * the same service user as configured for ironic-api service
* dynamic ``password`` authentication plugin that will discover * dynamic ``password`` authentication plugin that will discover
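Review bot: The new first bullet ("Networking service is deployed in the Identity service region named ``RegionTwo``...") does not read with the lead-in "is configured to use:", which the other bullets complete. It describes the deployment, not something the client is configured to use. Suggest moving that sentence in front of the list as a stated assumption, or rewording the bullet to name the settings (region ``RegionTwo`` and the ``public`` interface for endpoint discovery).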
@ -116,61 +119,46 @@ Configuring ironic-conductor service
# HTTPs connections. (string value) # HTTPs connections. (string value)
cafile=/opt/stack/data/ca-bundle.pem cafile=/opt/stack/data/ca-bundle.pem
#. Notes for configuring the Image service access # The default region_name for endpoint URL discovery. (string
# value)
region_name = RegionTwo
.. note:: # List of interfaces, in order of preference, for endpoint
Swift backend for the Image service must be installed and configured # URL. (list value)
for ``agent_*`` drivers. Ceph Object Gateway (RADOS Gateway) is also valid_interfaces=public
supported as the Image service's backend (:ref:`radosgw support`).
Configure the ironic-conductor service to use specific Image service
endpoints - only if you do not want to use Image service endpoint discovery
from the keystone service catalog.
Replace ``<GLANCE_SERVICE_URL>`` with the address of the image service API:
.. code-block:: ini
[glance]
endpoint_override = <GLANCE_SERVICE_URL>
#. Notes for configuring the Network service access By default, in order to communicate with another service, the Bare
Metal service will attempt to discover an appropriate endpoint for
.. note:: that service via the Identity service's service catalog.
To configure the network for ironic-conductor service to perform node The relevant configuration options from that service group in the Bare
cleaning, see :ref:`cleaning` from the admin guide. Metal service configuration file are used for this purpose.
If you want to use a different endpoint for a particular service,
Set a specific URL (replace ``NETWORKING_SERVICE_ENDPOINT``) specify this via the ``endpoint_override`` configuration option of
for connecting to the Networking service, to be the Networking that service group, in the Bare Metal service's configuration file.
service endpoint - only for the case when you do not want to use Taking the previous Networking service example, this would be
discovery of Networking service endpoint from keystone service catalog:
.. code-block:: ini .. code-block:: ini
[neutron] [neutron]
...
endpoint_override = <NEUTRON_API_ADDRESS>
# URL for connecting to neutron. (string value) (Replace `<NEUTRON_API_ADDRESS>` with actual address of a specific
endpoint_override = <NETWORKING_SERVICE_ENDPOINT> Networking service endpoint.)
#. Configure a specific ironic-api service URL - only if you do not want
to use discovery of the Baremetal service endpoint from keystone catalog
(for example when having deployed two separate pools of ironic-api services
for security reasons).
Replace ``IRONIC_API_IP`` with IP of specific ironic-api service as follows:
.. code-block:: ini
[conductor]
# URL of Ironic API service. If not set ironic can get the
# current value from the keystone service catalog. (string
# value)
endpoint_override=http://IRONIC_API_IP:6385
#. Configure enabled drivers and hardware types as described in #. Configure enabled drivers and hardware types as described in
:doc:`/install/enabling-drivers`. :doc:`/install/enabling-drivers`.
A. If you enabled any driver that uses :ref:`direct-deploy`,
Swift backend for the Image service must be installed and configured,
see :ref:`image-store`.
Ceph Object Gateway (RADOS Gateway) is also supported as the Image
service's backend, see :ref:`radosgw support`.
#. Configure the network for ironic-conductor service to perform node
cleaning, see :ref:`cleaning` from the admin guide.
#. Restart the ironic-conductor service: #. Restart the ironic-conductor service:
.. TODO(mmitchell): Split this based on operating system .. TODO(mmitchell): Split this based on operating system
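Review bot: The added step "A. If you enabled any driver that uses :ref:`direct-deploy`" uses a literal `A.` enumerator between `#.` items, which will break or restart the numbered list when rendered; it looks like it should be `#.` or an indented paragraph under the previous step. In the same hunk, `<NEUTRON_API_ADDRESS>` is wrapped in single backticks where the rest of the file uses double backticks for literals, and the sample mixes `region_name = RegionTwo` with `valid_interfaces=public` spacing. The removed `[conductor]` `endpoint_override` step, which covered separate ironic-api pools "for security reasons", has no replacement text here; if that use case is still supported, a sentence naming the section that now carries it would help operators.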

@ -2218,8 +2218,14 @@
# From ironic # From ironic
# #
# The region used for getting endpoints of OpenStack services. # DEPRECATED: The region used for getting endpoints of
# (string value) # OpenStack services. (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use 'region_name' option in the following sections -
# '[service_catalog]', '[neutron]', '[glance]', '[cinder]',
# '[swift]' and '[inspector]' to configure region for those
# services individually.
#region_name = <None> #region_name = <None>
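Review bot: The deprecation text for `region_name` says only "Its value may be silently ignored in the future", while the release note in this same change commits to the Rocky release. Since this sample is generated from the option definition, consider putting the release into the `deprecated_reason` there so the sample file and the release note agree.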
@ -2643,7 +2649,9 @@
#domain_name = <None> #domain_name = <None>
# Always use this endpoint URL for requests for this client. # Always use this endpoint URL for requests for this client.
# (string value) # NOTE: The unversioned endpoint should be specified here; to
# request a particular API version, use the `version`, `min-
# version`, and/or `max-version` options. (string value)
#endpoint_override = <None> #endpoint_override = <None>
# Verify HTTPS connections. (boolean value) # Verify HTTPS connections. (boolean value)
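Review bot: In the new `endpoint_override` help text the option name is split across lines as "`min-" / "version`", so it reads as two words in the sample file. The same wrap appears in the later hunk at -4057. If this text comes straight from the keystoneauth option help it is not worth hand-editing, but it is worth checking whether the sample generator can be kept from breaking inside backticks.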
@ -2736,16 +2744,16 @@
# Its value may be silently ignored in the future. # Its value may be silently ignored in the future.
# Reason: Use [neutron]/endpoint_override option instead. It # Reason: Use [neutron]/endpoint_override option instead. It
# has no default value and must be set explicitly if required # has no default value and must be set explicitly if required
# to connect to specific neutron URL, for example when # to connect to specific neutron URL, for example in stand
# [neutron]auth_strategy is noauth. # alone mode when [neutron]/auth_type is 'none'.
#url = <None> #url = <None>
# DEPRECATED: Timeout value for connecting to neutron in # DEPRECATED: Timeout value for connecting to neutron in
# seconds. (integer value) # seconds. (integer value)
# This option is deprecated for removal. # This option is deprecated for removal.
# Its value may be silently ignored in the future. # Its value may be silently ignored in the future.
# Reason: Use [neutron]/timeout option instead. It has no # Reason: Set the desired value explicitly using the
# default value and must be set explicitly. # [neutron]/timeout option instead.
#url_timeout = 30 #url_timeout = 30
# User's domain id (string value) # User's domain id (string value)
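Review bot: The reworded `url_timeout` reason drops the statement that `[neutron]/timeout` "has no default value", while the deprecated option directly below still shows `#url_timeout = 30`. An operator who relied on the 30-second default gets no hint that the replacement needs to be set explicitly to keep a timeout on neutron calls. Suggest keeping that fact in the new wording, for example "Set the desired value explicitly using the [neutron]/timeout option instead; it has no default."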
@ -4057,7 +4065,9 @@
#domain_name = <None> #domain_name = <None>
# Always use this endpoint URL for requests for this client. # Always use this endpoint URL for requests for this client.
# (string value) # NOTE: The unversioned endpoint should be specified here; to
# request a particular API version, use the `version`, `min-
# version`, and/or `max-version` options. (string value)
#endpoint_override = <None> #endpoint_override = <None>
# Verify HTTPS connections. (boolean value) # Verify HTTPS connections. (boolean value)

@ -32,10 +32,11 @@ def register_auth_opts(conf, group, service_type=None):
""" """
kaloading.register_session_conf_options(conf, group) kaloading.register_session_conf_options(conf, group)
kaloading.register_auth_conf_options(conf, group) kaloading.register_auth_conf_options(conf, group)
kaloading.register_adapter_conf_options(conf, group)
conf.set_default('valid_interfaces', DEFAULT_VALID_INTERFACES, group=group)
# TODO(pas-ha) use os-service-type to try find the service_type by the
# config group name assuming it is a project name (e.g. 'glance')
if service_type: if service_type:
kaloading.register_adapter_conf_options(conf, group)
conf.set_default('valid_interfaces', DEFAULT_VALID_INTERFACES,
group=group)
conf.set_default('service_type', service_type, group=group) conf.set_default('service_type', service_type, group=group)
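Review bot: `register_auth_opts` now registers adapter options and the `valid_interfaces` default for every group, but `service_type` is still defaulted only inside `if service_type:`. A group registered without `service_type` ends up with adapter options and nothing to look up in the catalog unless the operator sets `service_type` or `endpoint_override` by hand. The TODO acknowledges the gap; until it is resolved, please document this in the function docstring, or make `service_type` a required argument if every current caller already passes it.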

@ -18,6 +18,12 @@ from ironic.common.i18n import _
opts = [ opts = [
cfg.StrOpt('region_name', cfg.StrOpt('region_name',
deprecated_for_removal=True,
deprecated_reason=_("Use 'region_name' option in the following "
"sections - '[service_catalog]', "
"'[neutron]', '[glance]', '[cinder]', "
"'[swift]' and '[inspector]' to configure "
"region for those services individually."),
help=_('The region used for getting endpoints of OpenStack' help=_('The region used for getting endpoints of OpenStack'
' services.')), ' services.')),
] ]
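Review bot: The `deprecated_reason` on `region_name` tells operators where to set the new option but not whether the `[keystone]` value is still honoured as a fallback during the deprecation period. Nothing in this hunk wires such a fallback, so please state the behaviour in the reason string. Adding `deprecated_since` would also record the release in the generated sample.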

@ -0,0 +1,28 @@
---
deprecations:
- |
Configuration option ``[keystone]/region_name`` is deprecated
and will be ignored in the Rocky release.
Instead, provide per-service ``region_name`` option in the following
configuration file sections:
- service_catalog (for ironic API discovery from keystone service catalog)
- glance
- neutron
- cinder
- inspector
- swift
upgrade:
- |
Configuration option ``[keystone]/region_name`` is deprecated
and will be ignored in the Rocky release.
Instead, provide per-service ``region_name`` option in the following
configuration file sections:
- service_catalog (for ironic API discovery from keystone service catalog)
- glance
- neutron
- cinder
- inspector
- swift
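Review bot: The `deprecations` and `upgrade` entries in this release note are word-for-word identical. The `upgrade` entry is where an operator looks for the action to take, so it should say what happens to a deployment that sets only `[keystone]/region_name` after upgrading (whether the per-service sections fall back to it until Rocky or discovery runs without a region), and the `deprecations` entry can stay as the short notice.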