Finalize migration to keystoneauth adapters

removes code that allowed some service sections to not have and use
keystoneauth adapter options.

Also deprecates `[keystone]region_name` option in favor of per-client
option of the same name.

Change-Id: Ifd58947b016bfa93b516dd47a170ba8f5abf277e
Closes-Bug: #1699547

6 files changed, 91 insertions, 74 deletions

diff --git a/devstack/lib/ironic b/devstack/lib/ironic
index 04b23579e..82684bdc5 100644
--- a/devstack/lib/ironic
+++ b/devstack/lib/ironic
@@ -1095,14 +1095,6 @@ function configure_client_for {
     iniset $IRONIC_CONF_FILE $service_config_section project_domain_id default
     # keystoneauth session options
     iniset $IRONIC_CONF_FILE $service_config_section cafile $SSL_BUNDLE_FILE
-}
-
-# TODO(pas-ha) this function is for transition period only,
-# after all clients are moved to use keystoneauth adapters, it will be merged
-# into configure_client_for function
-function configure_adapter_for {
-    local service_config_section
-    service_config_section=$1
     # keystoneauth adapter options
     # NOTE(pas-ha) relying on defaults for valid_interfaces being "internal,public" in ironic
     iniset $IRONIC_CONF_FILE $service_config_section region_name $REGION_NAME
@@ -1119,14 +1111,6 @@ function configure_ironic_conductor {
         configure_client_for $conf_section
     done
 
-    # TODO(pas-ha) this block is for transition period only,
-    # after all clients are moved to use keystoneauth adapters,
-    # it will be deleted
-    local sections_with_adapter="service_catalog glance cinder inspector swift neutron"
-    for conf_section in $sections_with_adapter; do
-        configure_adapter_for $conf_section
-    done
-
     configure_rootwrap ironic
 
     # set up drivers / hardware types
diff --git a/doc/source/install/include/configure-ironic-conductor.rst b/doc/source/install/include/configure-ironic-conductor.rst
index cfb473499..4d393d81b 100644
--- a/doc/source/install/include/configure-ironic-conductor.rst
+++ b/doc/source/install/include/configure-ironic-conductor.rst
@@ -67,15 +67,18 @@ Configuring ironic-conductor service
    service users for each service.
 
    Under the hood, Bare Metal service uses ``keystoneauth`` library
-   together with ``Authentication plugin`` and ``Session`` concepts
-   provided by it to instantiate service clients.
+   together with ``Authentication plugin``, ``Session`` and ``Adapter``
+   concepts provided by it to instantiate service clients.
    Please refer to `Keystoneauth documentation`_ for supported plugins,
-   their available options as well as Session-related options
-   for authentication and connection respectively.
+   their available options as well as Session- and Adapter-related options
+   for authentication, connection and endpoint discovery respectively.
 
    In the example below, authentication information for user to access the
    OpenStack Networking service is configured to use:
 
+   * Networking service is deployed in the Identity service region named
+     ``RegionTwo``, with only its ``public`` endpoint interface registered
+     in the service catalog.
    * HTTPS connection with specific CA SSL certificate when making requests
    * the same service user as configured for ironic-api service
    * dynamic ``password`` authentication plugin that will discover
@@ -116,61 +119,46 @@ Configuring ironic-conductor service
       # HTTPs connections. (string value)
       cafile=/opt/stack/data/ca-bundle.pem
 
-#. Notes for configuring the Image service access
-
-   .. note::
-      Swift backend for the Image service must be installed and configured
-      for ``agent_*`` drivers. Ceph Object Gateway (RADOS Gateway) is also
-      supported as the Image service's backend (:ref:`radosgw support`).
-
-   Configure the ironic-conductor service to use specific Image service
-   endpoints - only if you do not want to use Image service endpoint discovery
-   from the keystone service catalog.
-   Replace ``<GLANCE_SERVICE_URL>`` with the address of the image service API:
-
-   .. code-block:: ini
-
-      [glance]
-      endpoint_override = <GLANCE_SERVICE_URL>
-
+      # The default region_name for endpoint URL discovery. (string
+      # value)
+      region_name = RegionTwo
 
-#. Notes for configuring the Network service access
+      # List of interfaces, in order of preference, for endpoint
+      # URL. (list value)
+      valid_interfaces=public
 
-   .. note::
-      To configure the network for ironic-conductor service to perform node
-      cleaning, see :ref:`cleaning` from the admin guide.
 
-   Set a specific URL (replace ``NETWORKING_SERVICE_ENDPOINT``)
-   for connecting to the Networking service, to be the Networking
-   service endpoint - only for the case when you do not want to use
-   discovery of Networking service endpoint from keystone service catalog:
+   By default, in order to communicate with another service, the Bare
+   Metal service will attempt to discover an appropriate endpoint for
+   that service via the Identity service's service catalog.
+   The relevant configuration options from that service group in the Bare
+   Metal service configuration file are used for this purpose.
+   If you want to use a different endpoint for a particular service,
+   specify this via the ``endpoint_override`` configuration option of
+   that service group, in the Bare Metal service's configuration file.
+   Taking the previous Networking service example, this would be
 
    .. code-block:: ini
 
       [neutron]
+      ...
+      endpoint_override = <NEUTRON_API_ADDRESS>
 
-      # URL for connecting to neutron. (string value)
-      endpoint_override = <NETWORKING_SERVICE_ENDPOINT>
-
-#. Configure a specific ironic-api service URL - only if you do not want
-   to use discovery of the Baremetal service endpoint from keystone catalog
-   (for example when having deployed two separate pools of ironic-api services
-   for security reasons).
-   Replace ``IRONIC_API_IP`` with IP of specific ironic-api service as follows:
-
-   .. code-block:: ini
-
-      [conductor]
-
-      # URL of Ironic API service. If not set ironic can get the
-      # current value from the keystone service catalog. (string
-      # value)
-      endpoint_override=http://IRONIC_API_IP:6385
-
+   (Replace `<NEUTRON_API_ADDRESS>` with actual address of a specific
+   Networking service endpoint.)
 
 #. Configure enabled drivers and hardware types as described in
    :doc:`/install/enabling-drivers`.
 
+   A. If you enabled any driver that uses :ref:`direct-deploy`,
+      Swift backend for the Image service must be installed and configured,
+      see :ref:`image-store`.
+      Ceph Object Gateway (RADOS Gateway) is also supported as the Image
+      service's backend, see :ref:`radosgw support`.
+
+#. Configure the network for ironic-conductor service to perform node
+   cleaning, see :ref:`cleaning` from the admin guide.
+
 #. Restart the ironic-conductor service:
 
    .. TODO(mmitchell): Split this based on operating system
diff --git a/etc/ironic/ironic.conf.sample b/etc/ironic/ironic.conf.sample
index 9fe966a53..53841311d 100644
--- a/etc/ironic/ironic.conf.sample
+++ b/etc/ironic/ironic.conf.sample
@@ -2218,8 +2218,14 @@
 # From ironic
 #
 
-# The region used for getting endpoints of OpenStack services.
-# (string value)
+# DEPRECATED: The region used for getting endpoints of
+# OpenStack services. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Use 'region_name' option in the following sections -
+# '[service_catalog]', '[neutron]', '[glance]', '[cinder]',
+# '[swift]' and '[inspector]' to configure region for those
+# services individually.
 #region_name = <None>
 
 
@@ -2643,7 +2649,9 @@
 #domain_name = <None>
 
 # Always use this endpoint URL for requests for this client.
-# (string value)
+# NOTE: The unversioned endpoint should be specified here; to
+# request a particular API version, use the `version`, `min-
+# version`, and/or `max-version` options. (string value)
 #endpoint_override = <None>
 
 # Verify HTTPS connections. (boolean value)
@@ -2736,16 +2744,16 @@
 # Its value may be silently ignored in the future.
 # Reason: Use [neutron]/endpoint_override option instead. It
 # has no default value and must be set explicitly if required
-# to connect to specific neutron URL, for example when
-# [neutron]auth_strategy is noauth.
+# to connect to specific neutron URL, for example in stand
+# alone mode when [neutron]/auth_type is 'none'.
 #url = <None>
 
 # DEPRECATED: Timeout value for connecting to neutron in
 # seconds. (integer value)
 # This option is deprecated for removal.
 # Its value may be silently ignored in the future.
-# Reason: Use [neutron]/timeout option instead. It has no
-# default value and must be set explicitly.
+# Reason: Set the desired value explicitly using the
+# [neutron]/timeout option instead.
 #url_timeout = 30
 
 # User's domain id (string value)
@@ -4057,7 +4065,9 @@
 #domain_name = <None>
 
 # Always use this endpoint URL for requests for this client.
-# (string value)
+# NOTE: The unversioned endpoint should be specified here; to
+# request a particular API version, use the `version`, `min-
+# version`, and/or `max-version` options. (string value)
 #endpoint_override = <None>
 
 # Verify HTTPS connections. (boolean value)
diff --git a/ironic/conf/auth.py b/ironic/conf/auth.py
index 35b3f492c..122d84f97 100644
--- a/ironic/conf/auth.py
+++ b/ironic/conf/auth.py
@@ -32,10 +32,11 @@ def register_auth_opts(conf, group, service_type=None):
     """
     kaloading.register_session_conf_options(conf, group)
     kaloading.register_auth_conf_options(conf, group)
+    kaloading.register_adapter_conf_options(conf, group)
+    conf.set_default('valid_interfaces', DEFAULT_VALID_INTERFACES, group=group)
+    # TODO(pas-ha) use os-service-type to try find the service_type by the
+    # config group name assuming it is a project name (e.g. 'glance')
     if service_type:
-        kaloading.register_adapter_conf_options(conf, group)
-        conf.set_default('valid_interfaces', DEFAULT_VALID_INTERFACES,
-                         group=group)
         conf.set_default('service_type', service_type, group=group)
 
 
diff --git a/ironic/conf/keystone.py b/ironic/conf/keystone.py
index 981e648a7..95ea5f047 100644
--- a/ironic/conf/keystone.py
+++ b/ironic/conf/keystone.py
@@ -18,6 +18,12 @@ from ironic.common.i18n import _
 
 opts = [
     cfg.StrOpt('region_name',
+               deprecated_for_removal=True,
+               deprecated_reason=_("Use 'region_name' option in the following "
+                                   "sections - '[service_catalog]', "
+                                   "'[neutron]', '[glance]', '[cinder]', "
+                                   "'[swift]' and '[inspector]' to configure "
+                                   "region for those services individually."),
                help=_('The region used for getting endpoints of OpenStack'
                       ' services.')),
 ]
diff --git a/releasenotes/notes/deprecate-global-region-4dbea91de71ebf59.yaml b/releasenotes/notes/deprecate-global-region-4dbea91de71ebf59.yaml
new file mode 100644
index 000000000..8f4166cee
--- /dev/null
+++ b/releasenotes/notes/deprecate-global-region-4dbea91de71ebf59.yaml
@@ -0,0 +1,28 @@
+---
+deprecations:
+  - |
+    Configuration option ``[keystone]/region_name`` is deprecated
+    and will be ignored in the Rocky release.
+    Instead, provide per-service ``region_name`` option in the following
+    configuration file sections:
+
+    - service_catalog (for ironic API discovery from keystone service catalog)
+    - glance
+    - neutron
+    - cinder
+    - inspector
+    - swift
+
+upgrade:
+  - |
+    Configuration option ``[keystone]/region_name`` is deprecated
+    and will be ignored in the Rocky release.
+    Instead, provide per-service ``region_name`` option in the following
+    configuration file sections:
+
+    - service_catalog (for ironic API discovery from keystone service catalog)
+    - glance
+    - neutron
+    - cinder
+    - inspector
+    - swift