Finalize migration to keystoneauth adapters

Removes code that allowed some service sections to not have and use
keystoneauth adapter options.

Also deprecates `[keystone]region_name` option in favor of per-client
option of the same name.

Change-Id: Ifd58947b016bfa93b516dd47a170ba8f5abf277e
Closes-Bug: #1699547
Pavlo Shchelokovskyy 2017-06-29 09:04:03 +00:00
parent 4d43262955
commit ba53acb279
6 changed files with 91 additions and 74 deletions

@ -1095,14 +1095,6 @@ function configure_client_for {
iniset $IRONIC_CONF_FILE $service_config_section project_domain_id default
# keystoneauth session options
iniset $IRONIC_CONF_FILE $service_config_section cafile $SSL_BUNDLE_FILE
}
# TODO(pas-ha) this function is for transition period only,
# after all clients are moved to use keystoneauth adapters, it will be merged
# into configure_client_for function
function configure_adapter_for {
local service_config_section
service_config_section=$1
# keystoneauth adapter options
# NOTE(pas-ha) relying on defaults for valid_interfaces being "internal,public" in ironic
iniset $IRONIC_CONF_FILE $service_config_section region_name $REGION_NAME
@ -1119,14 +1111,6 @@ function configure_ironic_conductor {
configure_client_for $conf_section
done
# TODO(pas-ha) this block is for transition period only,
# after all clients are moved to use keystoneauth adapters,
# it will be deleted
local sections_with_adapter="service_catalog glance cinder inspector swift neutron"
for conf_section in $sections_with_adapter; do
configure_adapter_for $conf_section
done
configure_rootwrap ironic
# set up drivers / hardware types
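Review bot: With the `sections_with_adapter` loop removed in this hunk, `region_name` is only written for sections that pass through the remaining `configure_client_for $conf_section` loop, and the list that loop iterates over is not visible here. Please confirm it covers all six sections the removed loop handled (service_catalog glance cinder inspector swift neutron); a section missing from it would no longer get `region_name` set in the devstack-generated config.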

@ -67,15 +67,18 @@ Configuring ironic-conductor service
service users for each service.
Under the hood, Bare Metal service uses ``keystoneauth`` library
together with ``Authentication plugin`` and ``Session`` concepts
provided by it to instantiate service clients.
together with ``Authentication plugin``, ``Session`` and ``Adapter``
concepts provided by it to instantiate service clients.
Please refer to `Keystoneauth documentation`_ for supported plugins,
their available options as well as Session-related options
for authentication and connection respectively.
their available options as well as Session- and Adapter-related options
for authentication, connection and endpoint discovery respectively.
In the example below, authentication information for user to access the
OpenStack Networking service is configured to use:
* Networking service is deployed in the Identity service region named
``RegionTwo``, with only its ``public`` endpoint interface registered
in the service catalog.
* HTTPS connection with specific CA SSL certificate when making requests
* the same service user as configured for ironic-api service
* dynamic ``password`` authentication plugin that will discover
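Review bot: The new first bullet ("Networking service is deployed in the Identity service region named ``RegionTwo`` ...") does not read as a continuation of the lead-in "is configured to use:", unlike the bullets that follow it. Consider moving the deployment assumption into a sentence before the list, or rewording the bullet so it names the options it corresponds to in the example (``region_name`` and ``valid_interfaces``).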
@ -116,61 +119,46 @@ Configuring ironic-conductor service
# HTTPs connections. (string value)
cafile=/opt/stack/data/ca-bundle.pem
#. Notes for configuring the Image service access
# The default region_name for endpoint URL discovery. (string
# value)
region_name = RegionTwo
.. note::
Swift backend for the Image service must be installed and configured
for ``agent_*`` drivers. Ceph Object Gateway (RADOS Gateway) is also
supported as the Image service's backend (:ref:`radosgw support`).
Configure the ironic-conductor service to use specific Image service
endpoints - only if you do not want to use Image service endpoint discovery
from the keystone service catalog.
Replace ``<GLANCE_SERVICE_URL>`` with the address of the image service API:
.. code-block:: ini
[glance]
endpoint_override = <GLANCE_SERVICE_URL>
# List of interfaces, in order of preference, for endpoint
# URL. (list value)
valid_interfaces=public
#. Notes for configuring the Network service access
.. note::
To configure the network for ironic-conductor service to perform node
cleaning, see :ref:`cleaning` from the admin guide.
Set a specific URL (replace ``NETWORKING_SERVICE_ENDPOINT``)
for connecting to the Networking service, to be the Networking
service endpoint - only for the case when you do not want to use
discovery of Networking service endpoint from keystone service catalog:
By default, in order to communicate with another service, the Bare
Metal service will attempt to discover an appropriate endpoint for
that service via the Identity service's service catalog.
The relevant configuration options from that service group in the Bare
Metal service configuration file are used for this purpose.
If you want to use a different endpoint for a particular service,
specify this via the ``endpoint_override`` configuration option of
that service group, in the Bare Metal service's configuration file.
Taking the previous Networking service example, this would be
.. code-block:: ini
[neutron]
...
endpoint_override = <NEUTRON_API_ADDRESS>
# URL for connecting to neutron. (string value)
endpoint_override = <NETWORKING_SERVICE_ENDPOINT>
#. Configure a specific ironic-api service URL - only if you do not want
to use discovery of the Baremetal service endpoint from keystone catalog
(for example when having deployed two separate pools of ironic-api services
for security reasons).
Replace ``IRONIC_API_IP`` with IP of specific ironic-api service as follows:
.. code-block:: ini
[conductor]
# URL of Ironic API service. If not set ironic can get the
# current value from the keystone service catalog. (string
# value)
endpoint_override=http://IRONIC_API_IP:6385
(Replace `<NEUTRON_API_ADDRESS>` with actual address of a specific
Networking service endpoint.)
#. Configure enabled drivers and hardware types as described in
:doc:`/install/enabling-drivers`.
A. If you enabled any driver that uses :ref:`direct-deploy`,
Swift backend for the Image service must be installed and configured,
see :ref:`image-store`.
Ceph Object Gateway (RADOS Gateway) is also supported as the Image
service's backend, see :ref:`radosgw support`.
#. Configure the network for ironic-conductor service to perform node
cleaning, see :ref:`cleaning` from the admin guide.
#. Restart the ironic-conductor service:
.. TODO(mmitchell): Split this based on operating system
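Review bot: The sentence "(Replace `<NEUTRON_API_ADDRESS>` with actual address of a specific Networking service endpoint.)" uses single backticks, which reStructuredText treats as interpreted text rather than an inline literal. The rest of this file uses double backticks for literals (for example ``endpoint_override``), so write ``<NEUTRON_API_ADDRESS>`` here as well.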

@ -2218,8 +2218,14 @@
# From ironic
#
# The region used for getting endpoints of OpenStack services.
# (string value)
# DEPRECATED: The region used for getting endpoints of
# OpenStack services. (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use 'region_name' option in the following sections -
# '[service_catalog]', '[neutron]', '[glance]', '[cinder]',
# '[swift]' and '[inspector]' to configure region for those
# services individually.
#region_name = <None>
@ -2643,7 +2649,9 @@
#domain_name = <None>
# Always use this endpoint URL for requests for this client.
# (string value)
# NOTE: The unversioned endpoint should be specified here; to
# request a particular API version, use the `version`, `min-
# version`, and/or `max-version` options. (string value)
#endpoint_override = <None>
# Verify HTTPS connections. (boolean value)
@ -2736,16 +2744,16 @@
# Its value may be silently ignored in the future.
# Reason: Use [neutron]/endpoint_override option instead. It
# has no default value and must be set explicitly if required
# to connect to specific neutron URL, for example when
# [neutron]auth_strategy is noauth.
# to connect to specific neutron URL, for example in stand
# alone mode when [neutron]/auth_type is 'none'.
#url = <None>
# DEPRECATED: Timeout value for connecting to neutron in
# seconds. (integer value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use [neutron]/timeout option instead. It has no
# default value and must be set explicitly.
# Reason: Set the desired value explicitly using the
# [neutron]/timeout option instead.
#url_timeout = 30
# User's domain id (string value)
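Review bot: In the `url_timeout` reason, the statement "It has no default value and must be set explicitly" is dropped while the deprecated option still shows a default (`#url_timeout = 30`), so an operator relying on that default gets no hint that `[neutron]/timeout` will not supply one. Suggest keeping the "no default value" wording in the new reason text. Minor: "stand alone mode" in the `url` reason should read "standalone mode".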
@ -4057,7 +4065,9 @@
#domain_name = <None>
# Always use this endpoint URL for requests for this client.
# (string value)
# NOTE: The unversioned endpoint should be specified here; to
# request a particular API version, use the `version`, `min-
# version`, and/or `max-version` options. (string value)
#endpoint_override = <None>
# Verify HTTPS connections. (boolean value)

@ -32,10 +32,11 @@ def register_auth_opts(conf, group, service_type=None):
"""
kaloading.register_session_conf_options(conf, group)
kaloading.register_auth_conf_options(conf, group)
if service_type:
kaloading.register_adapter_conf_options(conf, group)
conf.set_default('valid_interfaces', DEFAULT_VALID_INTERFACES,
group=group)
conf.set_default('valid_interfaces', DEFAULT_VALID_INTERFACES, group=group)
# TODO(pas-ha) use os-service-type to try find the service_type by the
# config group name assuming it is a project name (e.g. 'glance')
if service_type:
conf.set_default('service_type', service_type, group=group)
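Review bot: `register_adapter_conf_options` and the `valid_interfaces` default now apply to every group, but `service_type` is still only defaulted under `if service_type:`, so a caller that omits the argument registers adapter options with no service type to discover against. Either make `service_type` a required argument now that all sections use adapters, or state in the docstring that such groups must set `service_type` or `endpoint_override` in configuration; the TODO about os-service-type does not cover the gap in the meantime.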

@ -18,6 +18,12 @@ from ironic.common.i18n import _
opts = [
cfg.StrOpt('region_name',
deprecated_for_removal=True,
deprecated_reason=_("Use 'region_name' option in the following "
"sections - '[service_catalog]', "
"'[neutron]', '[glance]', '[cinder]', "
"'[swift]' and '[inspector]' to configure "
"region for those services individually."),
help=_('The region used for getting endpoints of OpenStack'
' services.')),
]
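Review bot: The deprecation on `region_name` does not say whether the per-section `region_name` options fall back to `[keystone]region_name` while it is still accepted, and nothing in the visible hunks implements or mentions a fallback. Since the release note says the value will be ignored in Rocky, state the interim behaviour in `deprecated_reason` or `help`, and consider setting `deprecated_since` so the generated sample records when the deprecation started.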

@ -0,0 +1,28 @@
---
deprecations:
- |
Configuration option ``[keystone]/region_name`` is deprecated
and will be ignored in the Rocky release.
Instead, provide per-service ``region_name`` option in the following
configuration file sections:
- service_catalog (for ironic API discovery from keystone service catalog)
- glance
- neutron
- cinder
- inspector
- swift
upgrade:
- |
Configuration option ``[keystone]/region_name`` is deprecated
and will be ignored in the Rocky release.
Instead, provide per-service ``region_name`` option in the following
configuration file sections:
- service_catalog (for ironic API discovery from keystone service catalog)
- glance
- neutron
- cinder
- inspector
- swift
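Review bot: The `upgrade` entry is a verbatim copy of the `deprecations` entry. Word the upgrade item as the action an operator has to take (copy the value of ``[keystone]/region_name`` into ``region_name`` in each of the listed sections) and keep the deprecation statement only under `deprecations`.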