[RFE] unify endpoint discovery for services by using keystoneauth adapters

Bug #1699547 reported by Pavlo Shchelokovskyy
This bug affects 2 people
Affects: Ironic
Status: Fix Released
Importance: Wishlist
Assigned to: Pavlo Shchelokovskyy

Bug Description

The keystoneauth lib provides 3 abstractions to use when instantiating an instance of the client:

- auth plugin for keystone auth options
- session for transport options
- adapter for endpoint discovery options

Settings for all three can be loaded from config and used to create clients for other services in a more or less unified manner, with sessions and auth plugins.

Currently we do not do this for all clients, sometimes just using raw tokens from request.
We also have a multitude of differently named options that one way or the other allow pointing to a specific service api url (and some are even mandatory).

This RFE proposes to start moving all clients to a common configuration scheme where all auth plugin, session and adapter related options are set in each client's config section and are loaded from there.

This will also deprecate a number of options in those sections, namely those that are related to sessions (like certificates and timeouts) and selecting a predefined api url. The latter will be replaced by 'endpoint_override' per-client option in all clients-related config sections.

For more discussion, see this ML
http://lists.openstack.org/pipermail/openstack-dev/2017-May/117366.html

Revision history for this message
Pavlo Shchelokovskyy (pshchelo) wrote :

when the sort of 'noauth' auth plugin becomes available in keystoneauth (proposed patch [0]),
we could even further unify clients loading for keystone and noauth modes.

[0] https://review.openstack.org/#/c/469863/

summary: - [rfe] unify endpoint discovery for services by using keystoneauth
+ [RFE] unify endpoint discovery for services by using keystoneauth
adapters
Changed in ironic:
assignee: nobody → Pavlo Shchelokovskyy (pshchelo)
Revision history for this message
Ruby Loo (rloo) wrote :

Pavlo sez:

12:33 pas-ha: re configuration scheme - it is based on conf options exported by ksa auth plugins (we use those already), sessions (we have those but do not use everywhere) and adapters (the new thing for our config)
12:33 pas-ha: the adapter options specify service_type, service_name, interface and region_name to find appropriate endpoint in catalog, or endpoint_override to set the endpoint manually

Revision history for this message
Ruby Loo (rloo) wrote :

I'm good with this RFE. I don't think it requires a spec, although it might be good to list the names of the new configs, and the deprecated configs. I think that's all that affects the operators/users.

Changed in ironic:
importance: Undecided → Wishlist
status: New → Triaged
Revision history for this message
Julia Kreger (juliaashleykreger) wrote :

Conceptually, I'm good with this, but I'll need to see it code wise. We've also allowed this stuff to be partially refactored before without much of a headache. As for noauth, I doubt we can expect to see a plugin land to simplify it. The impression I've gotten previously (when the idea was floated last) is that it is exclusively for keystone authentication, and that if we want to bypass/support noauth, that admin_token needs to be utilized where we explicitly submit that.

Revision history for this message
Ruby Loo (rloo) wrote :

Thx Julia. I think we're good with approving this then!

tags: added: rfe-approved
Revision history for this message
Pavlo Shchelokovskyy (pshchelo) wrote :

As for deprecated options the (probably non-exhaustive) proposed list is:

- [keystone]region_name - replaced by 'region_name' option in every client-specific config section (from keystoneauth Adapter)
  - as this was a single option in [keystone] section, the whole section can be deprecated too..
    - but we could use it later.

- [conductor]api_url - replaced by [service_catalog]endpoint_override

- [glance]glance_host, [glance]glance_port, [glance]protocol, [glance]glance_api_servers - all being replaced by [glance]endpoint_override (from keystoneauth Adapter) to set a specific (possibly load-balanced) glance API url
- [glance]glance_api_insecure - replaced by [glance]insecure (from keystoneauth Session)
- [glance]glance_cafile - replaced by [glance]cafile (from keystoneauth Session)

- [neutron]url - replaced by [neutron]endpoint_override (from keystoneauth Adapter)
- [neutron]url_timeout - replaced by [neutron]timeout (from keystoneauth Session)

- [cinder]url - replaced by [cinder]endpoint_override (from keystoneauth Adapter)

- [inspector]service_url - replaced by [inspector]endpoint_override (from keystoneauth Adapter)
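
A checker for the renames listed above, as an added example (not ironic code): it reads an ironic.conf, proposes the replacement options, and flags a carried-over `insecure = True`. It covers the one-to-one renames and the glance protocol/host/port triple only, leaving out the one-to-many `[keystone]region_name` case; `SAMPLE_CONF` and the `audit` helper are constructed for illustration.

```python
import configparser

# One-to-one renames from the list above: (section, old) -> (section, new).
REPLACED_BY = {
    ("conductor", "api_url"): ("service_catalog", "endpoint_override"),
    ("glance", "glance_api_servers"): ("glance", "endpoint_override"),
    ("glance", "glance_api_insecure"): ("glance", "insecure"),
    ("glance", "glance_cafile"): ("glance", "cafile"),
    ("neutron", "url"): ("neutron", "endpoint_override"),
    ("neutron", "url_timeout"): ("neutron", "timeout"),
    ("cinder", "url"): ("cinder", "endpoint_override"),
    ("inspector", "service_url"): ("inspector", "endpoint_override"),
}
GLANCE_URL_PARTS = ("protocol", "glance_host", "glance_port")

# Constructed sample config; hosts and values are made up.
SAMPLE_CONF = """\
[conductor]
api_url = https://ironic.example.test:6385
[glance]
protocol = https
glance_host = glance.example.test
glance_port = 9292
glance_api_insecure = True
[neutron]
url_timeout = 30
timeout = 45
"""


def audit(conf_text):
    """Return (findings, proposed); proposed maps (section, option) to a value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings, proposed = [], {}
    for (sec, old), (nsec, new) in REPLACED_BY.items():
        if not cp.has_option(sec, old):
            continue
        if cp.has_option(nsec, new):
            # Do not guess which value the operator meant to keep.
            findings.append(f"[{sec}]{old} and [{nsec}]{new} are both set")
        else:
            proposed[(nsec, new)] = cp.get(sec, old)
            findings.append(f"[{sec}]{old} -> [{nsec}]{new}")
    parts = [cp.get("glance", p, fallback=None) for p in GLANCE_URL_PARTS]
    if all(parts):
        # Only compose a URL when every piece is explicit in the file.
        proposed[("glance", "endpoint_override")] = "{}://{}:{}".format(*parts)
        findings.append("[glance] protocol/glance_host/glance_port"
                        " -> [glance]endpoint_override")
    for (sec, opt), value in proposed.items():
        if opt == "insecure" and value.strip().lower() in ("1", "true", "yes", "on"):
            findings.append(f"[{sec}]insecure disables TLS certificate verification")
    return findings, proposed
```

Calling `audit(SAMPLE_CONF)` returns the findings list and the proposed new options; an option set under both its old and new name is reported rather than rewritten.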

Changed in ironic:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (master)

Fix proposed to branch: master
Review: https://review.openstack.org/476974

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/478825

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (master)

Reviewed: https://review.openstack.org/476974
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=7337fefd978b14d8a5e04314565e696e86879f21
Submitter: Jenkins
Branch: master

commit 7337fefd978b14d8a5e04314565e696e86879f21
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Fri Jun 23 12:03:16 2017 +0000

    Refactor common keystone methods

    - Split loading session and auth from config to separate functions,
      allow to override options loaded from config.
      This will lay ground to more efficiently load clients that allow
      passing in both session and auth plugin objects separately.

    - When resolving a service endpoint, either fetch the requested interface,
      or first try 'internal' and then 'public'.
      This is done due to our config lacking any options to set the default
      interface for service endpoints to use, and we've used 'internal' by
      default, although DevStack has no such endpoints for most services
      any more [0].
      This will be changed again when gradually introducing usage of
      keystoneauth Adapters to ironic.

    - Remove get_admin_token method, it was used only in glance-related code
      once, and was simply moved there.

    [0] https://review.openstack.org/#/c/433272

    Change-Id: I73b21098f15af4d0445f89fdd6ad4e4a42177df6
    Partial-Bug: #1699547

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/469627
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=308e414a57941675acf6cd825daafc653cf5927e
Submitter: Jenkins
Branch: master

commit 308e414a57941675acf6cd825daafc653cf5927e
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Fri Jun 23 14:17:26 2017 +0000

    Introduce keystoneauth adapters for clients

    Currently ironic explicitly or implicitly sets the API urls
    for most services in the config.
    This is quite fragile and we should move to discovery from
    the keystone catalog eventually.

    To support this, this patch registers `keystoneauth1.adapter.Adapter`
    options to all config sections for service clients auth.
    Among others it exports `interfaces` option that we set to
    ['internal', 'public'] by default.
    Other exported options are `service_type`, `service_name`, `region_name`
    and `endpoint_override`.
    The latter will eventually be used by all clients to specify a specific
    endpoint to use (for example in noauth mode).

    Effectively this patch starts to move all clients code to load client
    configuration from config for all of auth, session and adapter.

    The first to move is [service_catalog] section, with [conductor]api_url
    option being deprecated in favor of [service_catalog]endpoint_override.
    A sane default of 'service_type' = 'baremetal' is set for this config
    section as well.

    More patches moving other clients to consume these new options and
    deprecate some other options will follow.

    Change-Id: I1283ef3b4d736ac089df0cc74a5850a93b24b6ab
    Partial-Bug: #1699547
    Related-Bug: #1699542
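
The lookup order that these adapter options imply, as a simplified model added here (not keystoneauth or ironic code): `endpoint_override` bypasses the catalog, otherwise interfaces are tried in the configured order. The catalog entries, URLs and the `resolve_endpoint` helper are constructed for illustration.

```python
# Constructed service catalog (keystone v3 layout); all URLs are made up.
CATALOG = [
    {"type": "image", "name": "glance", "endpoints": [
        {"interface": "public", "region_id": "RegionOne",
         "url": "https://glance.public.example.test:9292"},
    ]},
    {"type": "object-store", "name": "swift", "endpoints": [
        {"interface": "public", "region_id": "RegionOne",
         "url": "https://swift.public.example.test:8080"},
        {"interface": "internal", "region_id": "RegionOne",
         "url": "https://swift.internal.example.test:8080"},
    ]},
]


def resolve_endpoint(catalog, service_type, service_name=None,
                     interfaces=("internal", "public"), region_name=None,
                     endpoint_override=None):
    """Simplified model of adapter endpoint selection (hypothetical helper)."""
    # A configured override short-circuits catalog discovery entirely.
    if endpoint_override:
        return endpoint_override
    # Interfaces are tried in preference order; the first match wins.
    for interface in interfaces:
        for service in catalog:
            if service["type"] != service_type:
                continue
            if service_name and service.get("name") != service_name:
                continue
            for ep in service["endpoints"]:
                if ep["interface"] != interface:
                    continue
                if region_name and ep.get("region_id") != region_name:
                    continue
                return ep["url"]
    return None  # nothing in the catalog matched the filters


if __name__ == "__main__":
    print(resolve_endpoint(CATALOG, "image"))
    print(resolve_endpoint(CATALOG, "object-store"))
    print(resolve_endpoint(CATALOG, "object-store", interfaces=("public",)))
    print(resolve_endpoint(CATALOG, "image",
                           endpoint_override="https://glance-lb.example.test"))
```

With the default order, a service that publishes only a public endpoint still resolves, while one that has both resolves to the internal URL.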

Changed in ironic:
assignee: Pavlo Shchelokovskyy (pshchelo) → Julia Kreger (juliaashleykreger)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/467728
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=63e0ff2f6ce3a8275c262127e046fffbb1f1ff65
Submitter: Zuul
Branch: master

commit 63e0ff2f6ce3a8275c262127e046fffbb1f1ff65
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Tue Jun 6 14:15:42 2017 +0000

    Rework keystone auth for glance

    this patch changes the way glance client is instantiated, using
    keystoneauth sessions and adapters.

    In order to support glance API endpoint discovery from keystone catalog
    and more unified way of client loading,
    many options in `[glance]` config sections are deprecated,
    mostly those that specified a (set of) glance API endpoint(s)
    or parts of glance API address.
    Instead, a single option `[glance]endpoint_override` must be used when
    required to access a specific (possibly load-balanced)
    glance API endpoint without discovering it from keystone catalog.

    Another set of deprecated options are those that are duplicating
    keystoneauth session options in [glance] section.

    Also, intrinsic support for parsing the glance API URL from image ref
    set to the full glance REST path to the image is removed as it was not
    working any way since an 'http(s)://' image ref is not treated
    as a glance image.

    Change-Id: I6a93b71ac097e951dfc93fd1ee4d7ef483514f2c
    Partial-Bug: #1699547
    Closes-Bug: #1699542

Changed in ironic:
assignee: Julia Kreger (juliaashleykreger) → Pavlo Shchelokovskyy (pshchelo)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/476171
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=3e84bdb6db67856558aa8ed167721e5e6e2599e6
Submitter: Zuul
Branch: master

commit 3e84bdb6db67856558aa8ed167721e5e6e2599e6
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Wed Jun 21 07:48:04 2017 +0000

    Use adapters for cinderclient

    deprecates the `[cinder]url` option in favor of
    [cinder]endpoint_override.

    Change-Id: Idd02e8cf0892965a3138479e49ec40cfeda7c96d
    Partial-Bug: #1699547

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/476172
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=303ac3f835f6741ac922abcdf5f153b7e9e1d07b
Submitter: Zuul
Branch: master

commit 303ac3f835f6741ac922abcdf5f153b7e9e1d07b
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Wed Jun 21 07:48:35 2017 +0000

    Use adapters for inspectorclient

    Inspector-client is a bit lacking behind other clients, as it does not
    have Adapter-based SessionClient and thus does not support all
    adapter-related options.
    That's why we construct a session and an adapter from config section,
    use adapter to resolve inspector API from service catalog
    (or return the fixed endpoint_override one)
    and then pass the session and inspector API endpoint to client.

    This patch also deprecates `[inspector]service_url` in favor of
    `[inspector]endpoint_override`.

    As a side-effect, addressing inspector service now supports both regions
    and interfaces to specify entry in service catalog.

    Also, inspectorclient calls are now being made with the user token
    (wrapped with a service token) when there is a token in the task's
    request context.

    Change-Id: I21836e712fa9764468ac2654525554b5b4f03741
    Partial-Bug: #1699547

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on ironic (master)

Change abandoned by Paul Belanger (<email address hidden>) on branch: master
Review: https://review.openstack.org/476173
Reason: We are dealing with an issue in zuulv3 today, as such we need to abandon / restore this patch to correct the issue. Apologies for the inconvenience.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Paul Belanger (<email address hidden>) on branch: master
Review: https://review.openstack.org/476170
Reason: We are dealing with an issue in zuulv3 today, as such we need to abandon / restore this patch to correct the issue. Apologies for the inconvenience.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Paul Belanger (<email address hidden>) on branch: master
Review: https://review.openstack.org/478825
Reason: We are dealing with an issue in zuulv3 today, as such we need to abandon / restore this patch to correct the issue. Apologies for the inconvenience.

Changed in ironic:
assignee: Pavlo Shchelokovskyy (pshchelo) → Sam Betts (sambetts)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (master)

Reviewed: https://review.openstack.org/476173
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=9ee28252a4ecb9b79676b2a00ea7b5c6c7e4c936
Submitter: Zuul
Branch: master

commit 9ee28252a4ecb9b79676b2a00ea7b5c6c7e4c936
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Thu Jun 29 09:03:18 2017 +0000

    Fix swiftclient creation

    in the change I52f1386df45ebe0a43b11fe1583e012dfa3af532
    we lost most of swiftclient options in a belief that those are handled
    by the keystoneauth session passed to the swiftclient.

    In fact though, swiftclient only uses this session to get itself an
    endpoint and a token, but it has no SessionClient, and does not use that
    passed in session to make further requests to swift itself.

    This patch restores all the logic that we had to decompose the session
    object loaded from config to options that are passed to swiftclient
    explicitly.

    Change-Id: I08f382aa9d2ad22f7dbd65f7b54a8dd0a765ba44
    Partial-Bug: #1699547
    Closes-Bug: #1736158

Changed in ironic:
assignee: Sam Betts (sambetts) → Pavlo Shchelokovskyy (pshchelo)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/476170
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=4d43262955f8882cdeee2a042e852eaa8396178b
Submitter: Zuul
Branch: master

commit 4d43262955f8882cdeee2a042e852eaa8396178b
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Wed Jun 21 07:46:03 2017 +0000

    Use adapters for neutronclient

    deprecates the following options in [neutron] section:
    - url
    - url_timeout
    - auth_strategy

    Changes some internal networking-related functions/methods
    to accept a request context as optional keyword argument (defaults to
    None).
    This allows to pass a global request id to neutron client and
    in future will simplify creating a user auth plugin from request
    context.
    For backward compatibility, when calling those functions/methods
    without a request context, a dummy request context will be generated
    automatically.

    Change-Id: Ib327c7a141cfbca63b870027ad8e901c0f48bb2d
    Partial-Bug: #1699547

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/478825
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=ba53acb279e21b8644363bfaa7242ed6517c87c5
Submitter: Zuul
Branch: master

commit ba53acb279e21b8644363bfaa7242ed6517c87c5
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Thu Jun 29 09:04:03 2017 +0000

    Finalize migration to keystoneauth adapters

    removes code that allowed some service sections to not have and use
    keystoneauth adapter options.

    Also deprecates `[keystone]region_name` option in favor of per-client
    option of the same name.

    Change-Id: Ifd58947b016bfa93b516dd47a170ba8f5abf277e
    Closes-Bug: #1699547

Changed in ironic:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ironic 10.0.0

This issue was fixed in the openstack/ironic 10.0.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/552515

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to ironic (stable/pike)

Related fix proposed to branch: stable/pike
Review: https://review.openstack.org/553330

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on ironic (stable/pike)

Change abandoned by Jacek Tomasiak (<email address hidden>) on branch: stable/pike
Review: https://review.openstack.org/552515
Reason: Closing in favor of: https://review.openstack.org/#/c/553330/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to ironic (stable/pike)

Reviewed: https://review.openstack.org/553330
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=ca4fb9b1cfe2693771e6b0d346d5923db66696e8
Submitter: Zuul
Branch: stable/pike

commit ca4fb9b1cfe2693771e6b0d346d5923db66696e8
Author: Jacek Tomasiak <email address hidden>
Date: Thu Mar 15 11:59:07 2018 +0100

    Allow Swift endpoint override

    Swiftclient uses public endpoint by default. Ironic uses the base URL
    from Swift connection to build TempURLs for generated images.
    Some drivers (e.g. iLO) use those TempURLs to mount images as vmedia.
    With public URLs it will fail if the BMC doesn't have access to the
    public network.

    This change introduces an option to explicitly set the endpoint URL
    used for Swift.

    This is a stable-only change as the problem is fixed by refactoring
    changes in later releases. This is the only version where Ironic uses
    public Swift endpoints and there is no option to override this.

    Change-Id: I639a421fa06fff7ab07b8eab557531b8f36c5ed9
    Closes-Bug: #1755164
    Related-Bug: #1699547

tags: added: in-stable-pike