diff --git a/templates/common/config/ironic.conf b/templates/common/config/ironic.conf
index 68b64813..ceecb8d8 100644
--- a/templates/common/config/ironic.conf
+++ b/templates/common/config/ironic.conf
@@ -1,4 +1,5 @@
 {{- define "auth_config" -}}
+auth_url={{ .KeystoneInternalURL }}
 {{ if .UseApplicationCredentials -}}
 auth_type=v3applicationcredential
 application_credential_id = {{ .ACID }}
@@ -62,42 +63,41 @@ deploy_logs_local_path=/var/lib/ironic/ramdisk-logs
 [service_catalog]
 auth_type=none
 endpoint_override={{ .IronicPublicURL }}
+
+[ironic]
+auth_type=none
+endpoint_override={{ .IronicPublicURL }}
 {{else}}
 [keystone_authtoken]
-auth_url={{ .KeystoneInternalURL }}
 www_authenticate_uri={{ .KeystonePublicURL }}
-{{ template "auth_config" . }}
 # This is part of hardening related to CVE-2023-2088
 # https://docs.openstack.org/nova/latest/configuration/config.html#keystone_authtoken.service_token_roles_required
 # when enabled the service token user must have the service role to be considered valid.
 service_token_roles_required = true
+{{ template "auth_config" . }}
 
 [service_catalog]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [cinder]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [glance]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [neutron]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [nova]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [swift]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [inspector]
-auth_url={{ .KeystoneInternalURL }}
+{{ template "auth_config" . }}
+
+[ironic]
 {{ template "auth_config" . }}
 
 [oslo_policy]
diff --git a/templates/ironicapi/config/01-api.conf b/templates/ironicapi/config/01-api.conf
index 2cc7eb78..1c9b43a0 100644
--- a/templates/ironicapi/config/01-api.conf
+++ b/templates/ironicapi/config/01-api.conf
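Review bot: The standalone `[ironic]` section added in the second hunk sets `endpoint_override={{ .IronicPublicURL }}`, while the inspector template's standalone `[ironic]` section, visible as context further down in this diff, uses `{{ .IronicInternalURL }}`. Service-to-service calls normally go to the internal endpoint, so unless the public URL is deliberately chosen here to mirror the existing `[service_catalog]` override, this should probably read `endpoint_override={{ .IronicInternalURL }}`. If the public URL is intended, a one-line comment above the section saying why would stop the next reader from "fixing" it. The conditional this section belongs to opens above the hunk.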
@@ -1,21 +1,3 @@
-{{- define "auth_config" -}}
-{{ if .UseApplicationCredentials -}}
-auth_type=v3applicationcredential
-application_credential_id = {{ .ACID }}
-application_credential_secret = {{ .ACSecret }}
-{{- else -}}
-auth_type=password
-username={{ .ServiceUser }}
-password = {{ .ServicePassword }}
-user_domain_name=Default
-project_name=service
-project_domain_name=Default
-{{- end }}
-{{ if (index . "Region") -}}
-region_name={{ .Region }}
-{{ end -}}
-{{- end -}}
-
 [DEFAULT]
 # API-specific configuration overrides
@@ -27,44 +9,6 @@ max_age=3600
 allow_methods=GET,POST,PUT,DELETE,OPTIONS,PATCH
 allow_headers=Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token
 
-[oslo_middleware]
-enable_proxy_headers_parsing=true
-
-{{if .Standalone}}
-[ironic]
-auth_type=none
-{{else}}
 [ironic]
-auth_url={{ .KeystoneInternalURL }}
-{{ template "auth_config" . }}
 max_retries=6
 retry_interval=10
-
-[keystone_authtoken]
-auth_url={{ .KeystoneInternalURL }}
-www_authenticate_uri={{ .KeystonePublicURL }}
-{{ template "auth_config" . }}
-
-[service_catalog]
-auth_url={{ .KeystoneInternalURL }}
-{{ template "auth_config" . }}
-
-[glance]
-auth_url={{ .KeystoneInternalURL }}
-{{ template "auth_config" . }}
-
-[neutron]
-auth_url={{ .KeystoneInternalURL }}
-{{ template "auth_config" . }}
-
-[nova]
-auth_url={{ .KeystoneInternalURL }}
-{{ template "auth_config" . }}
-{{end}}
-
-{{ if (index . "QuorumQueues") }}
-[oslo_messaging_rabbit]
-rabbit_quorum_queue=true
-rabbit_transient_quorum_queue=true
-amqp_durable_queues=true
-{{ end }}
diff --git a/templates/ironicinspector/config/01-inspector.conf b/templates/ironicinspector/config/01-inspector.conf
index 5d6b5ff9..8a11db94 100644
--- a/templates/ironicinspector/config/01-inspector.conf
+++ b/templates/ironicinspector/config/01-inspector.conf
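Review bot: The second hunk removes `[oslo_middleware] enable_proxy_headers_parsing=true` and the `{{ if (index . "QuorumQueues") }}` `[oslo_messaging_rabbit]` block from 01-api.conf, and no hunk in this diff re-adds either to the common ironic.conf. Unless they already exist there outside the hunks shown, ironic-api will stop honouring the X-Forwarded-* headers set by the ingress (changing the scheme and host in the URLs it returns) and will lose the quorum/durable queue settings, neither of which the change mentions. If the relocation is intended it should be part of this commit or called out in its description; otherwise keep the two blocks in this file.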
@@ -1,4 +1,5 @@
 {{- define "auth_config" -}}
+auth_url={{ .KeystoneInternalURL }}
 {{ if .UseApplicationCredentials -}}
 auth_type=v3applicationcredential
 application_credential_id = {{ .ACID }}
@@ -43,22 +44,18 @@ auth_type=none
 endpoint_override={{ .IronicInternalURL }}
 {{else}}
 [ironic]
-auth_url={{ .KeystoneInternalURL }}
-{{ template "auth_config" . }}
 max_retries=6
 retry_interval=10
+{{ template "auth_config" . }}
 
 [keystone_authtoken]
-auth_url={{ .KeystoneInternalURL }}
 www_authenticate_uri={{ .KeystonePublicURL }}
 {{ template "auth_config" . }}
 
 [service_catalog]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [swift]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [oslo_policy]
diff --git a/templates/ironicneutronagent/config/01-ironic_neutron_agent.conf b/templates/ironicneutronagent/config/01-ironic_neutron_agent.conf
index 989e53ed..a50624ab 100644
--- a/templates/ironicneutronagent/config/01-ironic_neutron_agent.conf
+++ b/templates/ironicneutronagent/config/01-ironic_neutron_agent.conf
@@ -1,4 +1,5 @@
 {{- define "auth_config" -}}
+auth_url={{ .KeystoneInternalURL }}
 {{ if .UseApplicationCredentials -}}
 auth_type=v3applicationcredential
 application_credential_id = {{ .ACID }}
@@ -22,15 +23,12 @@ transport_url = {{ .TransportURL }}
 
 [keystone_authtoken]
 www_authenticate_uri={{ .KeystonePublicURL }}
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [service_catalog]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [ironic]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [agent]
diff --git a/test/functional/ironicapi_controller_test.go b/test/functional/ironicapi_controller_test.go
index a23b2974..4081f487 100644
--- a/test/functional/ironicapi_controller_test.go
+++ b/test/functional/ironicapi_controller_test.go
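Review bot: The same `auth_url={{ .KeystoneInternalURL }}` line is being added to three hand-maintained copies of the `auth_config` define (01-inspector.conf and 01-ironic_neutron_agent.conf here, ironic.conf earlier in the diff), so every future change to the credential block has to be replicated by hand. If the operator renders these templates from one template set, a single shared define would remove the copies; if each file is rendered on its own, a marker such as `{{/* keep in sync with templates/common/config/ironic.conf "auth_config" */}}` at the top of each copy would at least make the coupling visible. Both defines continue outside the hunks shown.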
@@ -770,7 +770,7 @@ var _ = Describe("IronicAPI controller", func() {
 cfgSecret := th.GetSecret(configSecretName)
 g.Expect(cfgSecret).NotTo(BeNil())
-conf := string(cfgSecret.Data["01-api.conf"])
+conf := string(cfgSecret.Data["ironic.conf"])
 // AC auth is configured
 g.Expect(conf).To(ContainSubstring("auth_type=v3applicationcredential"))
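Review bot: `string(cfgSecret.Data["ironic.conf"])` silently becomes "" when the key is absent, so a missing file would only surface as a confusing ContainSubstring failure; add `g.Expect(cfgSecret.Data).To(HaveKey("ironic.conf"))` before the conversion. Since the define now also emits the Keystone URL, `g.Expect(conf).To(ContainSubstring("auth_url="))` would cover that part of the move, and a `NotTo(ContainSubstring("auth_type="))` check on `cfgSecret.Data["01-api.conf"]` would pin the deletion this commit makes, assuming the secret still carries that file. The enclosing Describe/It block starts and ends outside the hunk.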