Finalize migration to keystoneauth adapters
removes code that allowed some service sections to not have and use keystoneauth adapter options. Also deprecates `[keystone]region_name` option in favor of per-client option of the same name. Change-Id: Ifd58947b016bfa93b516dd47a170ba8f5abf277e Closes-Bug: #1699547
This commit is contained in:
parent
4d43262955
commit
ba53acb279
@ -1095,14 +1095,6 @@ function configure_client_for {
|
||||
iniset $IRONIC_CONF_FILE $service_config_section project_domain_id default
|
||||
# keystoneauth session options
|
||||
iniset $IRONIC_CONF_FILE $service_config_section cafile $SSL_BUNDLE_FILE
|
||||
}
|
||||
|
||||
# TODO(pas-ha) this function is for transition period only,
|
||||
# after all clients are moved to use keystoneauth adapters, it will be merged
|
||||
# into configure_client_for function
|
||||
function configure_adapter_for {
|
||||
local service_config_section
|
||||
service_config_section=$1
|
||||
# keystoneauth adapter options
|
||||
# NOTE(pas-ha) relying on defaults for valid_interfaces being "internal,public" in ironic
|
||||
iniset $IRONIC_CONF_FILE $service_config_section region_name $REGION_NAME
|
||||
@ -1119,14 +1111,6 @@ function configure_ironic_conductor {
|
||||
configure_client_for $conf_section
|
||||
done
|
||||
|
||||
# TODO(pas-ha) this block is for transition period only,
|
||||
# after all clients are moved to use keystoneauth adapters,
|
||||
# it will be deleted
|
||||
local sections_with_adapter="service_catalog glance cinder inspector swift neutron"
|
||||
for conf_section in $sections_with_adapter; do
|
||||
configure_adapter_for $conf_section
|
||||
done
|
||||
|
||||
configure_rootwrap ironic
|
||||
|
||||
# set up drivers / hardware types
|
||||
|
@ -67,15 +67,18 @@ Configuring ironic-conductor service
|
||||
service users for each service.
|
||||
|
||||
Under the hood, Bare Metal service uses ``keystoneauth`` library
|
||||
together with ``Authentication plugin`` and ``Session`` concepts
|
||||
provided by it to instantiate service clients.
|
||||
together with ``Authentication plugin``, ``Session`` and ``Adapter``
|
||||
concepts provided by it to instantiate service clients.
|
||||
Please refer to `Keystoneauth documentation`_ for supported plugins,
|
||||
their available options as well as Session-related options
|
||||
for authentication and connection respectively.
|
||||
their available options as well as Session- and Adapter-related options
|
||||
for authentication, connection and endpoint discovery respectively.
|
||||
|
||||
In the example below, authentication information for user to access the
|
||||
OpenStack Networking service is configured to use:
|
||||
|
||||
* Networking service is deployed in the Identity service region named
|
||||
``RegionTwo``, with only its ``public`` endpoint interface registered
|
||||
in the service catalog.
|
||||
* HTTPS connection with specific CA SSL certificate when making requests
|
||||
* the same service user as configured for ironic-api service
|
||||
* dynamic ``password`` authentication plugin that will discover
|
||||
@ -116,61 +119,46 @@ Configuring ironic-conductor service
|
||||
# HTTPs connections. (string value)
|
||||
cafile=/opt/stack/data/ca-bundle.pem
|
||||
|
||||
#. Notes for configuring the Image service access
|
||||
# The default region_name for endpoint URL discovery. (string
|
||||
# value)
|
||||
region_name = RegionTwo
|
||||
|
||||
.. note::
|
||||
Swift backend for the Image service must be installed and configured
|
||||
for ``agent_*`` drivers. Ceph Object Gateway (RADOS Gateway) is also
|
||||
supported as the Image service's backend (:ref:`radosgw support`).
|
||||
|
||||
Configure the ironic-conductor service to use specific Image service
|
||||
endpoints - only if you do not want to use Image service endpoint discovery
|
||||
from the keystone service catalog.
|
||||
Replace ``<GLANCE_SERVICE_URL>`` with the address of the image service API:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[glance]
|
||||
endpoint_override = <GLANCE_SERVICE_URL>
|
||||
# List of interfaces, in order of preference, for endpoint
|
||||
# URL. (list value)
|
||||
valid_interfaces=public
|
||||
|
||||
|
||||
#. Notes for configuring the Network service access
|
||||
|
||||
.. note::
|
||||
To configure the network for ironic-conductor service to perform node
|
||||
cleaning, see :ref:`cleaning` from the admin guide.
|
||||
|
||||
Set a specific URL (replace ``NETWORKING_SERVICE_ENDPOINT``)
|
||||
for connecting to the Networking service, to be the Networking
|
||||
service endpoint - only for the case when you do not want to use
|
||||
discovery of Networking service endpoint from keystone service catalog:
|
||||
By default, in order to communicate with another service, the Bare
|
||||
Metal service will attempt to discover an appropriate endpoint for
|
||||
that service via the Identity service's service catalog.
|
||||
The relevant configuration options from that service group in the Bare
|
||||
Metal service configuration file are used for this purpose.
|
||||
If you want to use a different endpoint for a particular service,
|
||||
specify this via the ``endpoint_override`` configuration option of
|
||||
that service group, in the Bare Metal service's configuration file.
|
||||
Taking the previous Networking service example, this would be
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[neutron]
|
||||
...
|
||||
endpoint_override = <NEUTRON_API_ADDRESS>
|
||||
|
||||
# URL for connecting to neutron. (string value)
|
||||
endpoint_override = <NETWORKING_SERVICE_ENDPOINT>
|
||||
|
||||
#. Configure a specific ironic-api service URL - only if you do not want
|
||||
to use discovery of the Baremetal service endpoint from keystone catalog
|
||||
(for example when having deployed two separate pools of ironic-api services
|
||||
for security reasons).
|
||||
Replace ``IRONIC_API_IP`` with IP of specific ironic-api service as follows:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[conductor]
|
||||
|
||||
# URL of Ironic API service. If not set ironic can get the
|
||||
# current value from the keystone service catalog. (string
|
||||
# value)
|
||||
endpoint_override=http://IRONIC_API_IP:6385
|
||||
|
||||
(Replace `<NEUTRON_API_ADDRESS>` with actual address of a specific
|
||||
Networking service endpoint.)
|
||||
|
||||
#. Configure enabled drivers and hardware types as described in
|
||||
:doc:`/install/enabling-drivers`.
|
||||
|
||||
A. If you enabled any driver that uses :ref:`direct-deploy`,
|
||||
Swift backend for the Image service must be installed and configured,
|
||||
see :ref:`image-store`.
|
||||
Ceph Object Gateway (RADOS Gateway) is also supported as the Image
|
||||
service's backend, see :ref:`radosgw support`.
|
||||
|
||||
#. Configure the network for ironic-conductor service to perform node
|
||||
cleaning, see :ref:`cleaning` from the admin guide.
|
||||
|
||||
#. Restart the ironic-conductor service:
|
||||
|
||||
.. TODO(mmitchell): Split this based on operating system
|
||||
|
@ -2218,8 +2218,14 @@
|
||||
# From ironic
|
||||
#
|
||||
|
||||
# The region used for getting endpoints of OpenStack services.
|
||||
# (string value)
|
||||
# DEPRECATED: The region used for getting endpoints of
|
||||
# OpenStack services. (string value)
|
||||
# This option is deprecated for removal.
|
||||
# Its value may be silently ignored in the future.
|
||||
# Reason: Use 'region_name' option in the following sections -
|
||||
# '[service_catalog]', '[neutron]', '[glance]', '[cinder]',
|
||||
# '[swift]' and '[inspector]' to configure region for those
|
||||
# services individually.
|
||||
#region_name = <None>
|
||||
|
||||
|
||||
@ -2643,7 +2649,9 @@
|
||||
#domain_name = <None>
|
||||
|
||||
# Always use this endpoint URL for requests for this client.
|
||||
# (string value)
|
||||
# NOTE: The unversioned endpoint should be specified here; to
|
||||
# request a particular API version, use the `version`, `min-
|
||||
# version`, and/or `max-version` options. (string value)
|
||||
#endpoint_override = <None>
|
||||
|
||||
# Verify HTTPS connections. (boolean value)
|
||||
@ -2736,16 +2744,16 @@
|
||||
# Its value may be silently ignored in the future.
|
||||
# Reason: Use [neutron]/endpoint_override option instead. It
|
||||
# has no default value and must be set explicitly if required
|
||||
# to connect to specific neutron URL, for example when
|
||||
# [neutron]auth_strategy is noauth.
|
||||
# to connect to specific neutron URL, for example in stand
|
||||
# alone mode when [neutron]/auth_type is 'none'.
|
||||
#url = <None>
|
||||
|
||||
# DEPRECATED: Timeout value for connecting to neutron in
|
||||
# seconds. (integer value)
|
||||
# This option is deprecated for removal.
|
||||
# Its value may be silently ignored in the future.
|
||||
# Reason: Use [neutron]/timeout option instead. It has no
|
||||
# default value and must be set explicitly.
|
||||
# Reason: Set the desired value explicitly using the
|
||||
# [neutron]/timeout option instead.
|
||||
#url_timeout = 30
|
||||
|
||||
# User's domain id (string value)
|
||||
@ -4057,7 +4065,9 @@
|
||||
#domain_name = <None>
|
||||
|
||||
# Always use this endpoint URL for requests for this client.
|
||||
# (string value)
|
||||
# NOTE: The unversioned endpoint should be specified here; to
|
||||
# request a particular API version, use the `version`, `min-
|
||||
# version`, and/or `max-version` options. (string value)
|
||||
#endpoint_override = <None>
|
||||
|
||||
# Verify HTTPS connections. (boolean value)
|
||||
|
@ -32,10 +32,11 @@ def register_auth_opts(conf, group, service_type=None):
|
||||
"""
|
||||
kaloading.register_session_conf_options(conf, group)
|
||||
kaloading.register_auth_conf_options(conf, group)
|
||||
if service_type:
|
||||
kaloading.register_adapter_conf_options(conf, group)
|
||||
conf.set_default('valid_interfaces', DEFAULT_VALID_INTERFACES,
|
||||
group=group)
|
||||
conf.set_default('valid_interfaces', DEFAULT_VALID_INTERFACES, group=group)
|
||||
# TODO(pas-ha) use os-service-type to try find the service_type by the
|
||||
# config group name assuming it is a project name (e.g. 'glance')
|
||||
if service_type:
|
||||
conf.set_default('service_type', service_type, group=group)
|
||||
|
||||
|
||||
|
@ -18,6 +18,12 @@ from ironic.common.i18n import _
|
||||
|
||||
opts = [
|
||||
cfg.StrOpt('region_name',
|
||||
deprecated_for_removal=True,
|
||||
deprecated_reason=_("Use 'region_name' option in the following "
|
||||
"sections - '[service_catalog]', "
|
||||
"'[neutron]', '[glance]', '[cinder]', "
|
||||
"'[swift]' and '[inspector]' to configure "
|
||||
"region for those services individually."),
|
||||
help=_('The region used for getting endpoints of OpenStack'
|
||||
' services.')),
|
||||
]
|
||||
|
@ -0,0 +1,28 @@
|
||||
---
|
||||
deprecations:
|
||||
- |
|
||||
Configuration option ``[keystone]/region_name`` is deprecated
|
||||
and will be ignored in the Rocky release.
|
||||
Instead, provide per-service ``region_name`` option in the following
|
||||
configuration file sections:
|
||||
|
||||
- service_catalog (for ironic API discovery from keystone service catalog)
|
||||
- glance
|
||||
- neutron
|
||||
- cinder
|
||||
- inspector
|
||||
- swift
|
||||
|
||||
upgrade:
|
||||
- |
|
||||
Configuration option ``[keystone]/region_name`` is deprecated
|
||||
and will be ignored in the Rocky release.
|
||||
Instead, provide per-service ``region_name`` option in the following
|
||||
configuration file sections:
|
||||
|
||||
- service_catalog (for ironic API discovery from keystone service catalog)
|
||||
- glance
|
||||
- neutron
|
||||
- cinder
|
||||
- inspector
|
||||
- swift
|
Loading…
Reference in New Issue
Block a user