Deprecate os-certificates

Coming out of the Nova midcycle we decided we really needed to deprecate the os-certificates API and service. It is not used by any of the rest of Nova. It's an API that requires a dedicated daemon to be run. It's making Nova assume the responsibility for generating secure certificates, even though it's not really managing entropy in any sane way (which is why nova-cert is a service, so you could stick these on all your computes so as to not run out of entropy). Change-Id: I0ffa9200d8b4f52da4751e731aecffe09fd3d4be
2016-07-26 10:42:41 -04:00 · 2016-07-26 10:42:41 -04:00 · 789edad0e8
parent 08c84ca7ab
commit 789edad0e8
4 changed files with 20 additions and 5 deletions
--- a/api-ref/source/index.rst
+++ b/api-ref/source/index.rst
@ -36,7 +36,6 @@
 .. include:: os-assisted-volume-snapshots.inc
 .. include:: os-availability-zone.inc
 .. include:: os-cells.inc
-.. include:: os-certificates.inc
 .. include:: os-cloudpipe.inc
 .. include:: os-consoles.inc
 .. include:: os-hosts.inc
@ -50,6 +49,7 @@
 .. include:: os-simple-tenant-usage.inc
 .. include:: os-server-external-events.inc
 .. include:: extensions.inc
+.. include:: os-certificates.inc
 .. include:: os-networks.inc
 .. include:: os-volumes.inc
 .. include:: images.inc
--- a/api-ref/source/os-certificates.inc
+++ b/api-ref/source/os-certificates.inc
@ -6,13 +6,12 @@

 Creates and shows details for a root certificate.

-.. note::
+.. warning::

   This API existed solely because of the need to build euca bundles
   when Nova had an in tree EC2 API. It no longer interacts with any
-   parts of the system besides it's own certificate daemon. It should
-   be considered vestigial, and will likely be deprecated and removed
-   in the near future.
+   parts of the system besides it's own certificate daemon. It is
+   deprecated and will be removed in the near future.

 Create Root Certificate
 =======================
--- a/nova/cmd/cert.py
+++ b/nova/cmd/cert.py
@ -17,10 +17,12 @@
 import sys

 from oslo_log import log as logging
+from oslo_log import versionutils
 from oslo_reports import guru_meditation_report as gmr

 import nova.conf
 from nova import config
+from nova.i18n import _LW
 from nova import objects
 from nova import service
 from nova import utils
@ -34,6 +36,11 @@ def main():
    logging.setup(CONF, "nova")
    utils.monkey_patch()
    objects.register_all()
+    log = logging.getLogger(__name__)
+    versionutils.report_deprecated_feature(
+        log,
+        _LW('The nova-cert service is deprecated and will be removed '
+            'in a future release.'))

    gmr.TextGuruMeditation.setup_autorun(version)

--- a/releasenotes/notes/deprecate_os_cert-f0aa07bab1a229aa.yaml
+++ b/releasenotes/notes/deprecate_os_cert-f0aa07bab1a229aa.yaml
@ -0,0 +1,9 @@
+---
+deprecations:
+
+  - The ``/os-certificates`` API is deprecated, as well as the
+    ``nova-cert`` service which powers it. This is a vestigial part of
+    the Nova API that existed only for EC2 support, which is now
+    maintained out of tree. It does not interact with any of the rest
+    of nova, and should not just be used as a certificates as a
+    service, which is all it is currently good for.