Refactor auth config to eliminate duplication

templates/common/config/ironic.conf

@@ -1,4 +1,5 @@
 {{- define "auth_config" -}}
+auth_url={{ .KeystoneInternalURL }}
 {{ if .UseApplicationCredentials -}}
 auth_type=v3applicationcredential
 application_credential_id = {{ .ACID }}
@@ -62,42 +63,41 @@ deploy_logs_local_path=/var/lib/ironic/ramdisk-logs
 [service_catalog]
 auth_type=none
 endpoint_override={{ .IronicPublicURL }}
+
+[ironic]
+auth_type=none
+endpoint_override={{ .IronicPublicURL }}
 {{else}}
 [keystone_authtoken]
-auth_url={{ .KeystoneInternalURL }}
 www_authenticate_uri={{ .KeystonePublicURL }}
-{{ template "auth_config" . }}
 # This is part of hardening related to CVE-2023-2088
 # https://docs.openstack.org/nova/latest/configuration/config.html#keystone_authtoken.service_token_roles_required
 # when enabled the service token user must have the service role to be considered valid.
 service_token_roles_required = true
+{{ template "auth_config" . }}
 
 [service_catalog]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [cinder]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [glance]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [neutron]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [nova]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [swift]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [inspector]
-auth_url={{ .KeystoneInternalURL }}
+{{ template "auth_config" . }}
+
+[ironic]
 {{ template "auth_config" . }}
 
 [oslo_policy]

templates/ironicapi/config/01-api.conf

@@ -1,21 +1,3 @@
-{{- define "auth_config" -}}
-{{ if .UseApplicationCredentials -}}
-auth_type=v3applicationcredential
-application_credential_id = {{ .ACID }}
-application_credential_secret = {{ .ACSecret }}
-{{- else -}}
-auth_type=password
-username={{ .ServiceUser }}
-password = {{ .ServicePassword }}
-user_domain_name=Default
-project_name=service
-project_domain_name=Default
-{{- end }}
-{{ if (index . "Region") -}}
-region_name={{ .Region }}
-{{ end -}}
-{{- end -}}
-
 [DEFAULT]
 # API-specific configuration overrides
 
@@ -27,44 +9,6 @@ max_age=3600
 allow_methods=GET,POST,PUT,DELETE,OPTIONS,PATCH
 allow_headers=Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token
 
-[oslo_middleware]
-enable_proxy_headers_parsing=true
-
-{{if .Standalone}}
-[ironic]
-auth_type=none
-{{else}}
 [ironic]
-auth_url={{ .KeystoneInternalURL }}
-{{ template "auth_config" . }}
 max_retries=6
 retry_interval=10
-
-[keystone_authtoken]
-auth_url={{ .KeystoneInternalURL }}
-www_authenticate_uri={{ .KeystonePublicURL }}
-{{ template "auth_config" . }}
-
-[service_catalog]
-auth_url={{ .KeystoneInternalURL }}
-{{ template "auth_config" . }}
-
-[glance]
-auth_url={{ .KeystoneInternalURL }}
-{{ template "auth_config" . }}
-
-[neutron]
-auth_url={{ .KeystoneInternalURL }}
-{{ template "auth_config" . }}
-
-[nova]
-auth_url={{ .KeystoneInternalURL }}
-{{ template "auth_config" . }}
-{{end}}
-
-{{ if (index . "QuorumQueues") }}
-[oslo_messaging_rabbit]
-rabbit_quorum_queue=true
-rabbit_transient_quorum_queue=true
-amqp_durable_queues=true
-{{ end }}

templates/ironicinspector/config/01-inspector.conf

@@ -1,4 +1,5 @@
 {{- define "auth_config" -}}
+auth_url={{ .KeystoneInternalURL }}
 {{ if .UseApplicationCredentials -}}
 auth_type=v3applicationcredential
 application_credential_id = {{ .ACID }}
@@ -43,22 +44,18 @@ auth_type=none
 endpoint_override={{ .IronicInternalURL }}
 {{else}}
 [ironic]
-auth_url={{ .KeystoneInternalURL }}
-{{ template "auth_config" . }}
 max_retries=6
 retry_interval=10
+{{ template "auth_config" . }}
 
 [keystone_authtoken]
-auth_url={{ .KeystoneInternalURL }}
 www_authenticate_uri={{ .KeystonePublicURL }}
 {{ template "auth_config" . }}
 
 [service_catalog]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [swift]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [oslo_policy]

templates/ironicneutronagent/config/01-ironic_neutron_agent.conf

@@ -1,4 +1,5 @@
 {{- define "auth_config" -}}
+auth_url={{ .KeystoneInternalURL }}
 {{ if .UseApplicationCredentials -}}
 auth_type=v3applicationcredential
 application_credential_id = {{ .ACID }}
@@ -22,15 +23,12 @@ transport_url = {{ .TransportURL }}
 
 [keystone_authtoken]
 www_authenticate_uri={{ .KeystonePublicURL }}
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [service_catalog]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [ironic]
-auth_url={{ .KeystoneInternalURL }}
 {{ template "auth_config" . }}
 
 [agent]

test/functional/ironicapi_controller_test.go

@@ -770,7 +770,7 @@ var _ = Describe("IronicAPI controller", func() {
 				cfgSecret := th.GetSecret(configSecretName)
 				g.Expect(cfgSecret).NotTo(BeNil())
 
-				conf := string(cfgSecret.Data["01-api.conf"])
+				conf := string(cfgSecret.Data["ironic.conf"])
 
 				// AC auth is configured
 				g.Expect(conf).To(ContainSubstring("auth_type=v3applicationcredential"))