Merge "Remove Rocky-era min compute trusted certs compat check"

Zuul · openstack-gerrit · commit 0a62d9765bc6 · 2019-07-16T14:00:26.000Z
diff --git a/nova/api/openstack/compute/servers.py b/nova/api/openstack/compute/servers.py
@@ -793,8 +793,7 @@ def create(self, req, body):
                 exception.InstanceExists,
                 exception.NetworkAmbiguous,
                 exception.NoUniqueMatch,
-                exception.VolumeTypeSupportNotYetAvailable,
-                exception.CertificateValidationNotYetAvailable) as error:
+                exception.VolumeTypeSupportNotYetAvailable) as error:
             raise exc.HTTPConflict(explanation=error.format_message())
 
         # If the caller wanted a reservation_id, return it
@@ -1110,8 +1109,7 @@ def _action_rebuild(self, req, id, body):
                                      image_href,
                                      password,
                                      **kwargs)
-        except (exception.InstanceIsLocked,
-                exception.CertificateValidationNotYetAvailable) as e:
+        except exception.InstanceIsLocked as e:
             raise exc.HTTPConflict(explanation=e.format_message())
         except exception.InstanceInvalidState as state_error:
             common.raise_http_conflict_for_instance_invalid_state(state_error,
diff --git a/nova/compute/api.py b/nova/compute/api.py
@@ -103,7 +103,6 @@
 AGGREGATE_ACTION_UPDATE_META = 'UpdateMeta'
 AGGREGATE_ACTION_DELETE = 'Delete'
 AGGREGATE_ACTION_ADD = 'Add'
-MIN_COMPUTE_TRUSTED_CERTS = 31
 MIN_COMPUTE_ABORT_QUEUED_LIVE_MIGRATION = 34
 MIN_COMPUTE_VOLUME_TYPE = 36
 MIN_COMPUTE_SYNC_COMPUTE_STATUS_DISABLED = 38
@@ -1163,12 +1162,6 @@ def _retrieve_trusted_certs_object(context, trusted_certs, rebuild=False):
         :returns: nova.objects.TrustedCerts object or None if no user-specified
             trusted cert IDs were given and nova is not configured with
             default trusted cert IDs
-        :raises: nova.exception.CertificateValidationNotYetAvailable: If
-            rebuilding a server with trusted certs on a compute host that is
-            too old to supported trusted image cert validation, or if creating
-            a server with trusted certs and there are no compute hosts in the
-            deployment that are new enough to support trusted image cert
-            validation
         """
         # Retrieve trusted_certs parameter, or use CONF value if certificate
         # validation is enabled
@@ -1182,29 +1175,6 @@ def _retrieve_trusted_certs_object(context, trusted_certs, rebuild=False):
         else:
             return None
 
-        # Confirm trusted_certs are supported by the minimum nova
-        # compute service version
-        # TODO(mriedem): This minimum version compat code can be dropped in the
-        # 19.0.0 Stein release when all computes must be at a minimum running
-        # Rocky code.
-        if rebuild:
-            # we only care about the current cell since this is
-            # a rebuild
-            min_compute_version = objects.Service.get_minimum_version(
-                context, 'nova-compute')
-        else:
-            # we don't know which cell it's going to get scheduled
-            # to, so check all cells
-            # NOTE(mriedem): For multi-create server requests, we're hitting
-            # this for each instance since it's not cached; we could likely
-            # optimize this.
-            min_compute_version = \
-                objects.service.get_minimum_version_all_cells(
-                    context, ['nova-compute'])
-
-        if min_compute_version < MIN_COMPUTE_TRUSTED_CERTS:
-            raise exception.CertificateValidationNotYetAvailable()
-
         return certs_to_return
 
     def _get_bdm_image_metadata(self, context, block_device_mapping,
diff --git a/nova/exception.py b/nova/exception.py
@@ -2379,12 +2379,6 @@ class CertificateValidationFailed(NovaException):
                 "certificate: %(cert_uuid)s. %(reason)s")
 
 
-class CertificateValidationNotYetAvailable(NovaException):
-    msg_fmt = _("Image signature certificate validation support is "
-                "not yet available.")
-    code = 409
-
-
 class InstanceRescueFailure(NovaException):
     msg_fmt = _("Failed to move instance to rescue mode: %(reason)s")
 
diff --git a/nova/tests/unit/api/openstack/compute/test_serversV21.py b/nova/tests/unit/api/openstack/compute/test_serversV21.py
@@ -3442,9 +3442,7 @@ def _rebuild_server(self, mock_get, certs=None,
                 # either not set or empty
                 self.assertIsNone(server['trusted_image_certificates'])
 
-    @mock.patch('nova.objects.Service.get_minimum_version',
-                return_value=compute_api.MIN_COMPUTE_TRUSTED_CERTS)
-    def test_rebuild_server_with_trusted_certs(self, get_min_ver):
+    def test_rebuild_server_with_trusted_certs(self):
         """Test rebuild with valid trusted_image_certificates argument"""
         self._rebuild_server(
             certs=['0b5d2c72-12cc-4ba6-a8d7-3ff5cc1d8cb8',
@@ -3454,9 +3452,7 @@ def test_rebuild_server_without_trusted_certs(self):
         """Test rebuild without trusted image certificates"""
         self._rebuild_server()
 
-    @mock.patch('nova.objects.Service.get_minimum_version',
-                return_value=compute_api.MIN_COMPUTE_TRUSTED_CERTS)
-    def test_rebuild_server_conf_options_turned_off_set(self, get_min_ver):
+    def test_rebuild_server_conf_options_turned_off_set(self):
         """Test rebuild with feature disabled and certs specified"""
         self._rebuild_server(
             certs=['0b5d2c72-12cc-4ba6-a8d7-3ff5cc1d8cb8'], conf_enabled=False)
@@ -3469,9 +3465,7 @@ def test_rebuild_server_default_trusted_certificates_empty(self):
         """Test rebuild with feature enabled and no certs specified"""
         self._rebuild_server(conf_enabled=True)
 
-    @mock.patch('nova.objects.Service.get_minimum_version',
-                return_value=compute_api.MIN_COMPUTE_TRUSTED_CERTS)
-    def test_rebuild_server_default_trusted_certificates(self, get_min_ver):
+    def test_rebuild_server_default_trusted_certificates(self):
         """Test rebuild with certificate specified in configurations"""
         self._rebuild_server(conf_enabled=True, conf_certs=['conf-id'])
 
@@ -3530,10 +3524,7 @@ def test_rebuild_server_with_invalid_trusted_certs(self):
                                self.req, FAKE_UUID, body=self.body)
         self.assertIn('is not of type', six.text_type(ex))
 
-    @mock.patch('nova.objects.Service.get_minimum_version',
-                return_value=compute_api.MIN_COMPUTE_TRUSTED_CERTS)
-    def test_rebuild_server_with_trusted_certs_pre_2_63_fails(self,
-            get_min_ver):
+    def test_rebuild_server_with_trusted_certs_pre_2_63_fails(self):
         """Make sure we can't use trusted_certs before 2.63"""
         self._rebuild_server(certs=['trusted-cert-id'])
         self.req.api_version_request = \
@@ -3568,17 +3559,6 @@ def test_rebuild_server_with_cert_validation_error(
         self.assertIn('test cert validation error',
                       six.text_type(ex))
 
-    @mock.patch('nova.objects.Service.get_minimum_version',
-                return_value=compute_api.MIN_COMPUTE_TRUSTED_CERTS - 1)
-    def test_rebuild_server_with_cert_validation_not_available(
-            self, get_min_ver):
-        ex = self.assertRaises(webob.exc.HTTPConflict,
-                               self._rebuild_server,
-                               certs=['trusted-cert-id'])
-        self.assertIn('Image signature certificate validation support '
-                      'is not yet available',
-                      six.text_type(ex))
-
 
 class ServersControllerRebuildTestV271(ControllerTest):
     image_uuid = '76fa36fc-c930-4bf3-8c8a-ea2a2420deb6'
@@ -6571,9 +6551,7 @@ def _create_instance_req(self, certs=None):
         self.req.api_version_request = \
             api_version_request.APIVersionRequest('2.63')
 
-    @mock.patch('nova.objects.service.get_minimum_version_all_cells',
-                return_value=compute_api.MIN_COMPUTE_TRUSTED_CERTS)
-    def test_create_instance_with_trusted_certs(self, get_min_ver):
+    def test_create_instance_with_trusted_certs(self):
         """Test create with valid trusted_image_certificates argument"""
         self._create_instance_req(
             ['0b5d2c72-12cc-4ba6-a8d7-3ff5cc1d8cb8',
@@ -6678,18 +6656,6 @@ def test_create_server_with_cert_validation_error(
         self.assertIn('test cert validation error',
                       six.text_type(ex))
 
-    @mock.patch('nova.objects.service.get_minimum_version_all_cells',
-                return_value=compute_api.MIN_COMPUTE_TRUSTED_CERTS - 1)
-    def test_create_server_with_cert_validation_not_available(
-            self, mock_get_min_version_all_cells):
-        self._create_instance_req(['trusted-cert-id'])
-        ex = self.assertRaises(webob.exc.HTTPConflict,
-                               self.controller.create, self.req,
-                               body=self.body)
-        self.assertIn('Image signature certificate validation support '
-                      'is not yet available',
-                      six.text_type(ex))
-
 
 class ServersControllerCreateTestV267(ServersControllerCreateTest):
     def setUp(self):
diff --git a/nova/tests/unit/compute/test_compute_api.py b/nova/tests/unit/compute/test_compute_api.py
@@ -3706,8 +3706,6 @@ def test_rebuild_change_keypair(self, _record_action_start,
         self.assertNotEqual(orig_key_name, instance.key_name)
         self.assertNotEqual(orig_key_data, instance.key_data)
 
-    @mock.patch('nova.objects.Service.get_minimum_version',
-                return_value=compute_api.MIN_COMPUTE_TRUSTED_CERTS)
     @mock.patch.object(objects.RequestSpec, 'get_by_instance_uuid')
     @mock.patch.object(objects.Instance, 'save')
     @mock.patch.object(objects.Instance, 'get_flavor')
@@ -3719,7 +3717,7 @@ def test_rebuild_change_keypair(self, _record_action_start,
     def test_rebuild_change_trusted_certs(self, _record_action_start,
             _checks_for_create_and_rebuild, _check_auto_disk_config,
             _get_image, bdm_get_by_instance_uuid, get_flavor, instance_save,
-            req_spec_get_by_inst_uuid, get_min_version):
+            req_spec_get_by_inst_uuid):
         orig_system_metadata = {}
         orig_trusted_certs = ['orig-trusted-cert-1', 'orig-trusted-cert-2']
         new_trusted_certs = ['new-trusted-cert-1', 'new-trusted-cert-2']
@@ -3765,8 +3763,6 @@ def test_rebuild_change_trusted_certs(self, _record_action_start,
             self.context, None, image, flavor, {}, [], None)
         self.assertEqual(new_trusted_certs, instance.trusted_certs.ids)
 
-    @mock.patch('nova.objects.Service.get_minimum_version',
-                return_value=compute_api.MIN_COMPUTE_TRUSTED_CERTS)
     @mock.patch.object(objects.RequestSpec, 'get_by_instance_uuid')
     @mock.patch.object(objects.Instance, 'save')
     @mock.patch.object(objects.Instance, 'get_flavor')
@@ -3780,8 +3776,7 @@ def test_rebuild_unset_trusted_certs(self, _record_action_start,
                                           _check_auto_disk_config,
                                           _get_image, bdm_get_by_instance_uuid,
                                           get_flavor, instance_save,
-                                          req_spec_get_by_inst_uuid,
-                                          get_min_version):
+                                          req_spec_get_by_inst_uuid):
         """Tests the scenario that the server was created with some trusted
         certs and then rebuilt without trusted_image_certificates=None
         explicitly to unset the trusted certs on the server.
@@ -3831,8 +3826,6 @@ def test_rebuild_unset_trusted_certs(self, _record_action_start,
             self.context, None, image, flavor, {}, [], None)
         self.assertIsNone(instance.trusted_certs)
 
-    @mock.patch('nova.objects.Service.get_minimum_version',
-                return_value=compute_api.MIN_COMPUTE_TRUSTED_CERTS)
     @mock.patch.object(compute_utils, 'is_volume_backed_instance',
                        return_value=True)
     @mock.patch.object(objects.Instance, 'get_flavor')
@@ -3842,8 +3835,7 @@ def test_rebuild_unset_trusted_certs(self, _record_action_start,
     @mock.patch.object(compute_api.API, '_record_action_start')
     def test_rebuild_volume_backed_instance_with_trusted_certs(
             self, _record_action_start, _check_auto_disk_config, _get_image,
-            bdm_get_by_instance_uuid, get_flavor, instance_is_volume_backed,
-            get_min_version):
+            bdm_get_by_instance_uuid, get_flavor, instance_is_volume_backed):
         orig_system_metadata = {}
         new_trusted_certs = ['new-trusted-cert-1', 'new-trusted-cert-2']
         instance = fake_instance.fake_instance_obj(
@@ -5969,28 +5961,15 @@ def test_populate_instance_for_create_neutron_secgroups(self):
             False)
         self.assertEqual(0, len(instance.security_groups))
 
-    @mock.patch('nova.objects.service.get_minimum_version_all_cells',
-                return_value=compute_api.MIN_COMPUTE_TRUSTED_CERTS)
-    def test_retrieve_trusted_certs_object(self, get_min_version):
+    def test_retrieve_trusted_certs_object(self):
         ids = ['0b5d2c72-12cc-4ba6-a8d7-3ff5cc1d8cb8',
                '674736e3-f25c-405c-8362-bbf991e0ce0a']
 
         retrieved_certs = self.compute_api._retrieve_trusted_certs_object(
             self.context, ids)
         self.assertEqual(ids, retrieved_certs.ids)
 
-    @mock.patch('nova.objects.service.get_minimum_version_all_cells',
-                return_value=compute_api.MIN_COMPUTE_TRUSTED_CERTS - 1)
-    def test_retrieve_trusted_certs_object_old_compute(self, get_min_version):
-        ids = ['trusted-cert-id']
-
-        self.assertRaises(exception.CertificateValidationNotYetAvailable,
-            self.compute_api._retrieve_trusted_certs_object,
-            self.context, ids)
-
-    @mock.patch('nova.objects.service.get_minimum_version_all_cells',
-                return_value=compute_api.MIN_COMPUTE_TRUSTED_CERTS)
-    def test_retrieve_trusted_certs_object_conf(self, get_min_version):
+    def test_retrieve_trusted_certs_object_conf(self):
         ids = ['conf-trusted-cert-1', 'conf-trusted-cert-2']
 
         self.flags(verify_glance_signatures=True, group='glance')
@@ -6013,16 +5992,6 @@ def test_retrieve_trusted_certs_object_empty(self):
         self.assertIsNone(self.compute_api._retrieve_trusted_certs_object(
             self.context, []))
 
-    @mock.patch('nova.objects.Service.get_minimum_version',
-                return_value=compute_api.MIN_COMPUTE_TRUSTED_CERTS - 1)
-    def test_retrieve_trusted_certs_object_old_compute_rebuild(
-            self, get_min_version):
-        ids = ['trusted-cert-id']
-        self.assertRaises(exception.CertificateValidationNotYetAvailable,
-            self.compute_api._retrieve_trusted_certs_object,
-            self.context, ids, rebuild=True)
-        get_min_version.assert_called_once_with(self.context, 'nova-compute')
-
     @mock.patch('nova.objects.HostMapping.get_by_host')
     @mock.patch('nova.objects.ComputeNode.get_by_host_and_nodename')
     @mock.patch('nova.scheduler.client.report.SchedulerReportClient.'
