From a2739f7e56a3353634f0b74ad26150f17f0002db Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sat, 5 Jul 2025 22:03:00 +0900 Subject: [PATCH] Vendor own option for tls cert file and key file ... instead of using oslo.service. Current usage of oslo.service is too limited to add the dependency, because - oslo.service registers multiple options but only two of these are used - the wrap implementation from oslo.service is not actually used Change-Id: I4e8f18951d73e329a54cf6546344c5704fe4aa90 Signed-off-by: Takashi Kajinami --- ironic_python_agent/api/app.py | 8 ++------ ironic_python_agent/cmd/agent.py | 3 --- ironic_python_agent/config.py | 20 ++++++++++++++----- ironic_python_agent/tests/unit/base.py | 2 -- .../notes/tls-opts-50d09bddd5f70ef2.yaml | 6 ++++++ requirements.txt | 1 - 6 files changed, 23 insertions(+), 17 deletions(-) create mode 100644 releasenotes/notes/tls-opts-50d09bddd5f70ef2.yaml diff --git a/ironic_python_agent/api/app.py b/ironic_python_agent/api/app.py index de6965d88..f646b95c9 100644 --- a/ironic_python_agent/api/app.py +++ b/ironic_python_agent/api/app.py @@ -131,12 +131,8 @@ class Application(object): def start(self, tls_cert_file=None, tls_key_file=None): """Start the API service in the background.""" - ssl_group = getattr(self._conf, 'ssl', {}) - - self.tls_cert_file = tls_cert_file or getattr( - ssl_group, 'cert_file', None) - self.tls_key_file = tls_key_file or getattr( - ssl_group, 'key_file', None) + self.tls_cert_file = tls_cert_file or self._conf.tls_cert_file + self.tls_key_file = tls_key_file or self._conf.tls_key_file bind_addr = (self.agent.listen_address.hostname, self.agent.listen_address.port) diff --git a/ironic_python_agent/cmd/agent.py b/ironic_python_agent/cmd/agent.py index a3670becb..fb6fff898 100644 --- a/ironic_python_agent/cmd/agent.py +++ b/ironic_python_agent/cmd/agent.py 
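Review bot: In `Application.start()` the certificate and key are each resolved with their own `or` fallback, so a caller that passes only one of `tls_cert_file`/`tls_key_file` gets a certificate from one source paired with a key from the other, and nothing in the hunk rejects the case where exactly one of them is still `None`. Resolving them as a pair and failing early would make a half-configured TLS setup visible, for example `if bool(self.tls_cert_file) != bool(self.tls_key_file): raise ValueError('tls_cert_file and tls_key_file must be set together')`. The rest of `start()` lies outside the hunk, so it cannot be confirmed from here whether such a pair is caught later or whether the listener quietly comes up without TLS.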
@@ -16,7 +16,6 @@ import sys from oslo_config import cfg from oslo_log import log -from oslo_service import sslutils from oslo_utils import strutils from ironic_python_agent import agent @@ -40,8 +39,6 @@ def run(): ipa_debug = strutils.bool_from_string(ipa_debug) CONF.set_override('debug', ipa_debug) log.setup(CONF, 'ironic-python-agent') - # Used for TLS configuration - sslutils.register_opts(CONF) logger = log.getLogger(__name__) logger.debug("Configuration:") diff --git a/ironic_python_agent/config.py b/ironic_python_agent/config.py index 0a26df6d9..d3dc1d621 100644 --- a/ironic_python_agent/config.py +++ b/ironic_python_agent/config.py @@ -60,16 +60,26 @@ cli_opts = [ 'Can be supplied as "ipa-listen-port" kernel parameter.'), # This is intentionally not settable via kernel command line, as it - # requires configuration parameters from oslo_service which are not - # configurable over the command line and require files-on-disk. + # requires configuration parameters which are not configurable over + # the command line and require files-on-disk. # Operators who want to use this support should configure it statically # as part of a ramdisk build. cfg.BoolOpt('listen_tls', default=False, help='When true, IPA will host API behind TLS. You will also ' - 'need to configure [ssl] group options for cert_file, ' - 'key_file, and, if desired, ca_file to validate client ' - 'certificates.'), + 'need to configure tls_cert_file option and tls_key_file ' + 'option.'), + + cfg.StrOpt('tls_cert_file', + help="Certificate file to use when starting " + "the server securely.", + deprecated_group='ssl', + deprecated_name='cert_file'), + cfg.StrOpt('tls_key_file', + help="Private key file to use when starting " + "the server securely.", + deprecated_group='ssl', + deprecated_name='key_file'), cfg.BoolOpt('enable_auto_tls', default=True, diff --git a/ironic_python_agent/tests/unit/base.py b/ironic_python_agent/tests/unit/base.py index b77ad8771..8d5826972 100644 
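Review bot: The rewritten `listen_tls` help in `config.py` drops the old reference to `[ssl] ca_file` for validating client certificates, but neither the new `tls_cert_file`/`tls_key_file` options nor the release note say what happens to an existing `ca_file` setting. The commit message says the oslo.service wrap code was not actually used, so `ca_file` was presumably never enforced, and operators who set it may still believe client certificates are being checked. I would state this explicitly, for example by appending `'Client certificate validation through [ssl] ca_file is not performed.'` to the help text and adding a matching line to the release note, after confirming that this is the actual behaviour. The `cli_opts` list starts before and continues after this hunk.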
--- a/ironic_python_agent/tests/unit/base.py +++ b/ironic_python_agent/tests/unit/base.py @@ -21,7 +21,6 @@ from oslo_concurrency import processutils from oslo_config import cfg from oslo_config import fixture as config_fixture from oslo_log import log -from oslo_service import sslutils from oslotest import base as test_base from ironic_python_agent import config @@ -70,7 +69,6 @@ class IronicAgentTest(test_base.BaseTestCase): self.cfg_fixture = self.useFixture(config_fixture.Config(CONF)) # Register options from libraries that are explicitly used in the code log.register_options(CONF) - sslutils.register_opts(CONF) def config(self, **kw): """Override config options for a test.""" diff --git a/releasenotes/notes/tls-opts-50d09bddd5f70ef2.yaml b/releasenotes/notes/tls-opts-50d09bddd5f70ef2.yaml new file mode 100644 index 000000000..e060b45f2 --- /dev/null +++ b/releasenotes/notes/tls-opts-50d09bddd5f70ef2.yaml @@ -0,0 +1,6 @@ +--- +deprecations: + - | + The ``[ssl] key_file`` option and the ``[ssl] cert_file`` option are + deprecated. Use the ``[DEFAULT] tls_key_file`` option and + the ``[DEFAULT] tls_cert_file`` option instead. diff --git a/requirements.txt b/requirements.txt index 81e2ee546..64d74b205 100644 --- a/requirements.txt +++ b/requirements.txt @@ -2,7 +2,6 @@ pbr>=6.0.0 # Apache-2.0 oslo.config>=9.7.1 # Apache-2.0 oslo.concurrency>=7.1.0 # Apache-2.0 oslo.log>=7.1.0 # Apache-2.0 -oslo.service>=4.1.1 # Apache-2.0 oslo.utils>=8.2.0 # Apache-2.0 Pint>=0.5 # BSD psutil>=3.2.2 # BSD