Vendor own option for tls cert file and key file

kajinamit · kajinamit · commit a2739f7e56a3 · 2025-07-05T22:07:34.000+09:00
... instead of using oslo.service. Current usage of oslo.service is
too limited to add the dependency, because
 - oslo.service registers multiple options but only two of these are
   used
 - the wrap implementation from oslo.service is not actually used

Change-Id: I4e8f18951d73e329a54cf6546344c5704fe4aa90
Signed-off-by: Takashi Kajinami &lt;kajinamit@oss.nttdata.com&gt;
diff --git a/ironic_python_agent/api/app.py b/ironic_python_agent/api/app.py
@@ -131,12 +131,8 @@ def __call__(self, environ, start_response):
     def start(self, tls_cert_file=None, tls_key_file=None):
         """Start the API service in the background."""
 
-        ssl_group = getattr(self._conf, 'ssl', {})
-
-        self.tls_cert_file = tls_cert_file or getattr(
-            ssl_group, 'cert_file', None)
-        self.tls_key_file = tls_key_file or getattr(
-            ssl_group, 'key_file', None)
+        self.tls_cert_file = tls_cert_file or self._conf.tls_cert_file
+        self.tls_key_file = tls_key_file or self._conf.tls_key_file
 
         bind_addr = (self.agent.listen_address.hostname,
                      self.agent.listen_address.port)
diff --git a/ironic_python_agent/cmd/agent.py b/ironic_python_agent/cmd/agent.py
@@ -16,7 +16,6 @@
 
 from oslo_config import cfg
 from oslo_log import log
-from oslo_service import sslutils
 from oslo_utils import strutils
 
 from ironic_python_agent import agent
@@ -40,8 +39,6 @@ def run():
         ipa_debug = strutils.bool_from_string(ipa_debug)
         CONF.set_override('debug', ipa_debug)
     log.setup(CONF, 'ironic-python-agent')
-    # Used for TLS configuration
-    sslutils.register_opts(CONF)
 
     logger = log.getLogger(__name__)
     logger.debug("Configuration:")
diff --git a/ironic_python_agent/config.py b/ironic_python_agent/config.py
@@ -60,16 +60,26 @@
                      'Can be supplied as "ipa-listen-port" kernel parameter.'),
 
     # This is intentionally not settable via kernel command line, as it
-    # requires configuration parameters from oslo_service which are not
-    # configurable over the command line and require files-on-disk.
+    # requires configuration parameters which are not configurable over
+    # the command line and require files-on-disk.
     # Operators who want to use this support should configure it statically
     # as part of a ramdisk build.
     cfg.BoolOpt('listen_tls',
                 default=False,
                 help='When true, IPA will host API behind TLS. You will also '
-                     'need to configure [ssl] group options for cert_file, '
-                     'key_file, and, if desired, ca_file to validate client '
-                     'certificates.'),
+                     'need to configure tls_cert_file option and tls_key_file '
+                     'option.'),
+
+    cfg.StrOpt('tls_cert_file',
+               help="Certificate file to use when starting "
+                    "the server securely.",
+               deprecated_group='ssl',
+               deprecated_name='cert_file'),
+    cfg.StrOpt('tls_key_file',
+               help="Private key file to use when starting "
+                    "the server securely.",
+               deprecated_group='ssl',
+               deprecated_name='key_file'),
 
     cfg.BoolOpt('enable_auto_tls',
                 default=True,
diff --git a/ironic_python_agent/tests/unit/base.py b/ironic_python_agent/tests/unit/base.py
@@ -21,7 +21,6 @@
 from oslo_config import cfg
 from oslo_config import fixture as config_fixture
 from oslo_log import log
-from oslo_service import sslutils
 from oslotest import base as test_base
 
 from ironic_python_agent import config
@@ -70,7 +69,6 @@ def _set_config(self):
         self.cfg_fixture = self.useFixture(config_fixture.Config(CONF))
         # Register options from libraries that are explicitly used in the code
         log.register_options(CONF)
-        sslutils.register_opts(CONF)
 
     def config(self, **kw):
         """Override config options for a test."""
diff --git a/releasenotes/notes/tls-opts-50d09bddd5f70ef2.yaml b/releasenotes/notes/tls-opts-50d09bddd5f70ef2.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+  - |
+    The ``[ssl] key_file`` option and the ``[ssl] cert_file`` option are
+    deprecated. Use the ``[DEFAULT] tls_key_file`` option and
+    the ``[DEFAULT] tls_cert_file`` option instead.
diff --git a/requirements.txt b/requirements.txt
@@ -2,7 +2,6 @@ pbr>=6.0.0 # Apache-2.0
 oslo.config>=9.7.1 # Apache-2.0
 oslo.concurrency>=7.1.0 # Apache-2.0
 oslo.log>=7.1.0 # Apache-2.0
-oslo.service>=4.1.1 # Apache-2.0
 oslo.utils>=8.2.0 # Apache-2.0
 Pint>=0.5 # BSD
 psutil>=3.2.2 # BSD
