Create dedicated function to manage only keystoneauth options

Using the common function to configure keystoneauth middleware leaves
some options not actually used for service-to-service communication.

Create a dedicated function, which configures only options loaded by
keystoneauth library, to drop unnecessary options.

Change-Id: Idafdd4a3925d09f155d8ec651786ccbcd6a5f2e4
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
Takashi Kajinami
2025-07-12 00:36:21 +09:00
parent a3e37c86ca
commit fe4d1e6059
4 changed files with 29 additions and 61 deletions


@@ -303,15 +303,6 @@ function configure_cinder {
cp $CINDER_DIR/etc/cinder/api-paste.ini $CINDER_API_PASTE_INI
inicomment $CINDER_API_PASTE_INI filter:authtoken auth_host
inicomment $CINDER_API_PASTE_INI filter:authtoken auth_port
inicomment $CINDER_API_PASTE_INI filter:authtoken auth_protocol
inicomment $CINDER_API_PASTE_INI filter:authtoken cafile
inicomment $CINDER_API_PASTE_INI filter:authtoken admin_tenant_name
inicomment $CINDER_API_PASTE_INI filter:authtoken admin_user
inicomment $CINDER_API_PASTE_INI filter:authtoken admin_password
inicomment $CINDER_API_PASTE_INI filter:authtoken signing_dir
configure_keystone_authtoken_middleware $CINDER_CONF cinder
iniset $CINDER_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
@@ -423,7 +414,7 @@ function configure_cinder {
configure_keystone_authtoken_middleware $CINDER_CONF glance glance
# Set nova credentials (used for os-assisted-snapshots)
configure_keystone_authtoken_middleware $CINDER_CONF nova nova
configure_keystoneauth $CINDER_CONF nova nova
iniset $CINDER_CONF nova region_name "$REGION_NAME"
iniset $CINDER_CONF DEFAULT graceful_shutdown_timeout "$SERVICE_GRACEFUL_SHUTDOWN_TIMEOUT"
@@ -733,8 +724,8 @@ function configure_cinder_volume_upload {
}
function init_cinder_service_user_conf {
configure_keystone_authtoken_middleware $CINDER_CONF cinder service_user
iniset $CINDER_CONF service_user send_service_user_token True
configure_keystoneauth $CINDER_CONF cinder service_user
}
# Restore xtrace
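Review bot: Moving the `[nova]` and `[service_user]` sections of cinder.conf to `configure_keystoneauth` stops writing `cafile`, which `configure_keystone_authtoken_middleware` set from `$SSL_BUNDLE_FILE`, even though `cafile` is one of the options the keystoneauth session itself loads. On a TLS-enabled deployment these clients would then verify Keystone and the target service against the default trust store; whether that store contains the deployment CA is not visible on this page. If that is not guaranteed, keep `iniset $conf_file $section cafile $SSL_BUNDLE_FILE` in the new helper. The same applies to the `[nova]` and `[placement]` calls switched in `_configure_neutron_service`.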


@@ -421,9 +421,27 @@ function create_service_user {
fi
}
# Configure options for keystoneauth
#
# configure_keystoneauth conf_file admin_user section
function configure_keystoneauth {
local conf_file=$1
local admin_user=$2
local section=$3
iniset $conf_file $section auth_type password
iniset $conf_file $section interface public
iniset $conf_file $section auth_url $KEYSTONE_SERVICE_URI
iniset $conf_file $section username $admin_user
iniset $conf_file $section password $SERVICE_PASSWORD
iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME"
iniset $conf_file $section project_name $SERVICE_PROJECT_NAME
iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME"
}
# Configure a service to use the auth token middleware.
#
# configure_keystone_authtoken_middleware conf_file admin_user IGNORED [section]
# configure_keystone_authtoken_middleware conf_file admin_user [section]
#
# section defaults to keystone_authtoken, which is where auth_token looks in
# the .conf file. If the paste config file is used (api-paste.ini) then
@@ -434,15 +452,7 @@ function configure_keystone_authtoken_middleware {
local section=${3:-keystone_authtoken}
local service_type=$4
iniset $conf_file $section auth_type password
iniset $conf_file $section interface public
iniset $conf_file $section auth_url $KEYSTONE_SERVICE_URI
iniset $conf_file $section username $admin_user
iniset $conf_file $section password $SERVICE_PASSWORD
iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME"
iniset $conf_file $section project_name $SERVICE_PROJECT_NAME
iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME"
configure_keystoneauth $conf_file $admin_user $section
iniset $conf_file $section cafile $SSL_BUNDLE_FILE
iniset $conf_file $section memcached_servers $MEMCACHE_SERVERS
if [[ -n "$service_type" ]]; then
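Review bot: `configure_keystoneauth` expands `$SERVICE_PASSWORD`, `$KEYSTONE_SERVICE_URI`, `$SERVICE_PROJECT_NAME` and its own arguments unquoted, while the nova call sites it replaces passed `"$SERVICE_PASSWORD"` and `"$KEYSTONE_SERVICE_URI"` quoted. A password containing whitespace or glob characters would be word-split before `iniset` receives it, so the credential written to the config file would no longer match the one registered in Keystone. Quote every expansion, e.g. `iniset "$conf_file" "$section" password "$SERVICE_PASSWORD"`. Unlike `configure_keystone_authtoken_middleware`, the helper gives `section` no default, so the usage comment should state that all three arguments are required.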


@@ -460,14 +460,7 @@ function configure_neutron_nova {
function create_nova_conf_neutron {
local conf=${1:-$NOVA_CONF}
iniset $conf neutron auth_type "password"
iniset $conf neutron auth_url "$KEYSTONE_SERVICE_URI"
iniset $conf neutron username nova
iniset $conf neutron password "$SERVICE_PASSWORD"
iniset $conf neutron user_domain_name "$SERVICE_DOMAIN_NAME"
iniset $conf neutron project_name "$SERVICE_PROJECT_NAME"
iniset $conf neutron project_domain_name "$SERVICE_DOMAIN_NAME"
iniset $conf neutron auth_strategy "$Q_AUTH_STRATEGY"
configure_keystoneauth $conf nova neutron
iniset $conf neutron region_name "$REGION_NAME"
# optionally set options in nova_conf
@@ -1011,10 +1004,10 @@ function _configure_neutron_service {
iniset $NEUTRON_CONF DEFAULT notify_nova_on_port_status_changes $Q_NOTIFY_NOVA_PORT_STATUS_CHANGES
iniset $NEUTRON_CONF DEFAULT notify_nova_on_port_data_changes $Q_NOTIFY_NOVA_PORT_DATA_CHANGES
configure_keystone_authtoken_middleware $NEUTRON_CONF nova nova
configure_keystoneauth $NEUTRON_CONF nova nova
# Configuration for placement client
configure_keystone_authtoken_middleware $NEUTRON_CONF placement placement
configure_keystoneauth $NEUTRON_CONF placement placement
# Configure plugin
neutron_plugin_configure_service
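Review bot: `create_nova_conf_neutron` now gets `interface public` written into `[neutron]` through `configure_keystoneauth`, although the `iniset` lines this call appears to replace set no `interface` option at all. That pins nova-to-neutron traffic to the public endpoint where the consuming service's default applied before, which is a behaviour change the commit message does not mention. The same addition reaches the `[placement]`, `[cinder]`, `[manila]` and `[service_user]` sections in the nova file. Either document it in the helper's header comment, e.g. `# NOTE: always sets interface=public`, or leave `interface` to the callers that need it.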


@@ -628,32 +628,19 @@ function create_nova_conf {
function configure_placement_nova_compute {
# Use the provided config file path or default to $NOVA_CONF.
local conf=${1:-$NOVA_CONF}
iniset $conf placement auth_type "password"
iniset $conf placement auth_url "$KEYSTONE_SERVICE_URI"
iniset $conf placement username nova
iniset $conf placement password "$SERVICE_PASSWORD"
iniset $conf placement user_domain_name "$SERVICE_DOMAIN_NAME"
iniset $conf placement project_name "$SERVICE_TENANT_NAME"
iniset $conf placement project_domain_name "$SERVICE_DOMAIN_NAME"
iniset $conf placement region_name "$REGION_NAME"
configure_keystoneauth $conf nova placement
}
# Configure access to cinder.
function configure_cinder_access {
iniset $NOVA_CONF cinder os_region_name "$REGION_NAME"
iniset $NOVA_CONF cinder auth_type "password"
iniset $NOVA_CONF cinder auth_url "$KEYSTONE_SERVICE_URI"
# NOTE(mriedem): This looks a bit weird but we use the nova user here
# since it has the admin role and the cinder user does not. This is
# similar to using the nova user in init_nova_service_user_conf. We need
# to use a user with the admin role for background tasks in nova to
# be able to GET block-storage API resources owned by another project
# since cinder has low-level "is_admin" checks in its DB API.
iniset $NOVA_CONF cinder username nova
iniset $NOVA_CONF cinder password "$SERVICE_PASSWORD"
iniset $NOVA_CONF cinder user_domain_name "$SERVICE_DOMAIN_NAME"
iniset $NOVA_CONF cinder project_name "$SERVICE_TENANT_NAME"
iniset $NOVA_CONF cinder project_domain_name "$SERVICE_DOMAIN_NAME"
configure_keystoneauth $conf nova cinder
if is_service_enabled tls-proxy; then
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
@@ -663,14 +650,7 @@ function configure_cinder_access {
# Configure access to manila.
function configure_manila_access {
iniset $NOVA_CONF manila os_region_name "$REGION_NAME"
iniset $NOVA_CONF manila auth_type "password"
iniset $NOVA_CONF manila auth_url "$KEYSTONE_SERVICE_URI"
iniset $NOVA_CONF manila username nova
iniset $NOVA_CONF manila password "$SERVICE_PASSWORD"
iniset $NOVA_CONF manila user_domain_name "$SERVICE_DOMAIN_NAME"
iniset $NOVA_CONF manila project_name "$SERVICE_TENANT_NAME"
iniset $NOVA_CONF manila project_domain_name "$SERVICE_DOMAIN_NAME"
configure_keystoneauth $conf nova manila
}
function configure_console_compute {
@@ -836,13 +816,7 @@ function configure_nova_unified_limits {
function init_nova_service_user_conf {
iniset $NOVA_CONF service_user send_service_user_token True
iniset $NOVA_CONF service_user auth_type password
iniset $NOVA_CONF service_user auth_url "$KEYSTONE_SERVICE_URI"
iniset $NOVA_CONF service_user username nova
iniset $NOVA_CONF service_user password "$SERVICE_PASSWORD"
iniset $NOVA_CONF service_user user_domain_name "$SERVICE_DOMAIN_NAME"
iniset $NOVA_CONF service_user project_name "$SERVICE_PROJECT_NAME"
iniset $NOVA_CONF service_user project_domain_name "$SERVICE_DOMAIN_NAME"
configure_keystoneauth $NOVA_CONF nova service_user
}
function conductor_conf {
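Review bot: `configure_cinder_access` and `configure_manila_access` call `configure_keystoneauth $conf nova cinder` and `configure_keystoneauth $conf nova manila`, but neither function declares `conf`; every other line in them uses `$NOVA_CONF`. Unless a caller's `local conf` happens to leak in through bash dynamic scoping, `$conf` expands to nothing and, being unquoted, disappears from the argument list, so the helper receives `nova` as the file and `cinder` or `manila` as the user and the service credentials never reach the intended section of nova.conf. Use `configure_keystoneauth $NOVA_CONF nova cinder` and `configure_keystoneauth $NOVA_CONF nova manila`, as `init_nova_service_user_conf` already does.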