Vendor own option for tls cert file and key file

... instead of using oslo.service. Current usage of oslo.service is
too limited to add the dependency, because
 - oslo.service registers multiple options but only two of these are
   used
 - the wrap implementation from oslo.service is not actually used

Change-Id: I4e8f18951d73e329a54cf6546344c5704fe4aa90
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
Takashi Kajinami
2025-07-05 22:03:00 +09:00
parent 883e3cf057
commit a2739f7e56
6 changed files with 23 additions and 17 deletions


@@ -131,12 +131,8 @@ class Application(object):
def start(self, tls_cert_file=None, tls_key_file=None):
"""Start the API service in the background."""
ssl_group = getattr(self._conf, 'ssl', {})
self.tls_cert_file = tls_cert_file or getattr(
ssl_group, 'cert_file', None)
self.tls_key_file = tls_key_file or getattr(
ssl_group, 'key_file', None)
self.tls_cert_file = tls_cert_file or self._conf.tls_cert_file
self.tls_key_file = tls_key_file or self._conf.tls_key_file
bind_addr = (self.agent.listen_address.hostname,
self.agent.listen_address.port)
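Review bot: The certificate and key are resolved independently on the two new `self.tls_cert_file` / `self.tls_key_file` lines, so a caller that passes only `tls_cert_file` ends up with its certificate paired with the configured `tls_key_file` (or the reverse), and nothing in the hunk checks that both are set. Treating them as a pair would catch a mismatched or half-configured TLS setup early, e.g. `if bool(self.tls_cert_file) != bool(self.tls_key_file): raise ValueError('tls_cert_file and tls_key_file must be set together')`. The docstring could also say that explicit arguments take precedence over the config options. The body of `start` continues outside the hunk, so a later check may already cover this.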


@@ -16,7 +16,6 @@ import sys
from oslo_config import cfg
from oslo_log import log
from oslo_service import sslutils
from oslo_utils import strutils
from ironic_python_agent import agent
@@ -40,8 +39,6 @@ def run():
ipa_debug = strutils.bool_from_string(ipa_debug)
CONF.set_override('debug', ipa_debug)
log.setup(CONF, 'ironic-python-agent')
# Used for TLS configuration
sslutils.register_opts(CONF)
logger = log.getLogger(__name__)
logger.debug("Configuration:")


@@ -60,16 +60,26 @@ cli_opts = [
'Can be supplied as "ipa-listen-port" kernel parameter.'),
# This is intentionally not settable via kernel command line, as it
# requires configuration parameters from oslo_service which are not
# configurable over the command line and require files-on-disk.
# requires configuration parameters which are not configurable over
# the command line and require files-on-disk.
# Operators who want to use this support should configure it statically
# as part of a ramdisk build.
cfg.BoolOpt('listen_tls',
default=False,
help='When true, IPA will host API behind TLS. You will also '
'need to configure [ssl] group options for cert_file, '
'key_file, and, if desired, ca_file to validate client '
'certificates.'),
'need to configure tls_cert_file option and tls_key_file '
'option.'),
cfg.StrOpt('tls_cert_file',
help="Certificate file to use when starting "
"the server securely.",
deprecated_group='ssl',
deprecated_name='cert_file'),
cfg.StrOpt('tls_key_file',
help="Private key file to use when starting "
"the server securely.",
deprecated_group='ssl',
deprecated_name='key_file'),
cfg.BoolOpt('enable_auto_tls',
default=True,
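Review bot: The rewritten `listen_tls` help drops the earlier mention of `ca_file` for validating client certificates, and the new options set `deprecated_group='ssl'` only for `cert_file` and `key_file`, so an existing `[ssl] ca_file` setting would presumably now be ignored without a warning. If client certificates are not validated, the help should say so explicitly, for example by appending `'Client certificates are not validated.'`; whether `ca_file` was ever honoured is not visible here. The comment above `listen_tls` still says the parameters are "not configurable over the command line" although the new options are added to `cli_opts`; "kernel command line" would be more precise. The `cli_opts` list starts and ends outside the hunk.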


@@ -21,7 +21,6 @@ from oslo_concurrency import processutils
from oslo_config import cfg
from oslo_config import fixture as config_fixture
from oslo_log import log
from oslo_service import sslutils
from oslotest import base as test_base
from ironic_python_agent import config
@@ -70,7 +69,6 @@ class IronicAgentTest(test_base.BaseTestCase):
self.cfg_fixture = self.useFixture(config_fixture.Config(CONF))
# Register options from libraries that are explicitly used in the code
log.register_options(CONF)
sslutils.register_opts(CONF)
def config(self, **kw):
"""Override config options for a test."""


@@ -0,0 +1,6 @@
---
deprecations:
- |
The ``[ssl] key_file`` option and the ``[ssl] cert_file`` option are
deprecated. Use the ``[DEFAULT] tls_key_file`` option and
the ``[DEFAULT] tls_cert_file`` option instead.


@@ -2,7 +2,6 @@ pbr>=6.0.0 # Apache-2.0
oslo.config>=9.7.1 # Apache-2.0
oslo.concurrency>=7.1.0 # Apache-2.0
oslo.log>=7.1.0 # Apache-2.0
oslo.service>=4.1.1 # Apache-2.0
oslo.utils>=8.2.0 # Apache-2.0
Pint>=0.5 # BSD
psutil>=3.2.2 # BSD