From ec8eacdebf05c23f68eed69ca57c1407c1fc1a3b Mon Sep 17 00:00:00 2001
From: Kaifeng Wang <kaifeng.w@gmail.com>
Date: Mon, 6 Aug 2018 13:42:01 +0800
Subject: [PATCH] Clean up pxe_filter related deprecations

This removes deprecated [iptables]manage_firewall and code.
Other deprecation markers relate to [firewall] are removed as well.

Change-Id: I449e16975b05a331b08dd160e0dec4a7c3cf6734
Story: #1665666
Task: #11358
---
 ironic_inspector/conf/iptables.py                 | 15 ---------------
 ironic_inspector/conf/pxe_filter.py               |  6 +++---
 ironic_inspector/pxe_filter/base.py               |  4 ----
 ironic_inspector/test/unit/test_pxe_filter.py     | 14 --------------
 ...emove-opt-group-firewall-96266983e476c29e.yaml |  5 +++++
 5 files changed, 8 insertions(+), 36 deletions(-)
 create mode 100644 releasenotes/notes/remove-opt-group-firewall-96266983e476c29e.yaml

diff --git a/ironic_inspector/conf/iptables.py b/ironic_inspector/conf/iptables.py
index ea0e0859d..6b0c55340 100644
--- a/ironic_inspector/conf/iptables.py
+++ b/ironic_inspector/conf/iptables.py
@@ -17,29 +17,14 @@ from ironic_inspector.common.i18n import _
 
 
 _OPTS = [
-    cfg.BoolOpt('manage_firewall',
-                default=True,
-                # NOTE(milan) this filter driver will be replaced by
-                # a dnsmasq filter driver
-                deprecated_for_removal=True,
-                deprecated_group='firewall',
-                help=_('Whether to manage firewall rules for PXE port. '
-                       'This configuration option was deprecated in favor of '
-                       'the ``driver`` option in the ``pxe_filter`` section. '
-                       'Please, use the ``noop`` filter driver to disable the '
-                       'firewall filtering or the ``iptables`` filter driver '
-                       'to enable it.')),
     cfg.StrOpt('dnsmasq_interface',
                default='br-ctlplane',
-               deprecated_group='firewall',
                help=_('Interface on which dnsmasq listens, the default is for '
                       'VM\'s.')),
     cfg.StrOpt('firewall_chain',
                default='ironic-inspector',
-               deprecated_group='firewall',
                help=_('iptables chain name to use.')),
     cfg.ListOpt('ethoib_interfaces',
-                deprecated_group='firewall',
                 default=[],
                 help=_('List of Etherent Over InfiniBand interfaces '
                        'on the Inspector host which are used for physical '
diff --git a/ironic_inspector/conf/pxe_filter.py b/ironic_inspector/conf/pxe_filter.py
index b095720a5..2e1d915ad 100644
--- a/ironic_inspector/conf/pxe_filter.py
+++ b/ironic_inspector/conf/pxe_filter.py
@@ -18,10 +18,10 @@ from ironic_inspector.common.i18n import _
 
 _OPTS = [
     cfg.StrOpt('driver', default='iptables',
-               help=_('PXE boot filter driver to use, such as iptables')),
+               help=_('PXE boot filter driver to use, possible filters are: '
+                      '"iptables", "dnsmasq" and "noop". Set "noop " to '
+                      'disable the firewall filtering.')),
     cfg.IntOpt('sync_period', default=15, min=0,
-               deprecated_name='firewall_update_period',
-               deprecated_group='firewall',
                help=_('Amount of time in seconds, after which repeat periodic '
                       'update of the filter.')),
 ]
diff --git a/ironic_inspector/pxe_filter/base.py b/ironic_inspector/pxe_filter/base.py
index 3b78b6af0..1427690a0 100644
--- a/ironic_inspector/pxe_filter/base.py
+++ b/ironic_inspector/pxe_filter/base.py
@@ -218,10 +218,6 @@ def _driver_manager():
     global _DRIVER_MANAGER
 
     name = CONF.pxe_filter.driver
-    # FIXME(milan): to be removed after the transition period of deprecating
-    # the firewall option group
-    if name == 'iptables' and not CONF.iptables.manage_firewall:
-        name = 'noop'
 
     if _DRIVER_MANAGER is None:
         _DRIVER_MANAGER = stevedore.driver.DriverManager(
diff --git a/ironic_inspector/test/unit/test_pxe_filter.py b/ironic_inspector/test/unit/test_pxe_filter.py
index 7e1631c0b..e96d941f0 100644
--- a/ironic_inspector/test/unit/test_pxe_filter.py
+++ b/ironic_inspector/test/unit/test_pxe_filter.py
@@ -63,20 +63,6 @@ class TestDriverManager(test_base.BaseTest):
         self.stevedore_driver_mock.assert_not_called()
         self.assertIs(pxe_filter._DRIVER_MANAGER, driver_manager)
 
-    def test_manage_firewall(self):
-        # FIXME(milan): to be removed after the transition period of
-        # deprecating the firewall option group
-        # NOTE(milan) the default filter driver is iptables
-        # this should revert it to noop
-        CONF.set_override('manage_firewall', False, 'iptables')
-        driver_manager = pxe_filter._driver_manager()
-        self.stevedore_driver_mock.assert_called_once_with(
-            pxe_filter._STEVEDORE_DRIVER_NAMESPACE,
-            name='noop',
-            invoke_on_load=True)
-        self.assertIsNotNone(driver_manager)
-        self.assertIs(pxe_filter._DRIVER_MANAGER, driver_manager)
-
 
 class TestDriverManagerLoading(test_base.BaseTest):
     def setUp(self):
diff --git a/releasenotes/notes/remove-opt-group-firewall-96266983e476c29e.yaml b/releasenotes/notes/remove-opt-group-firewall-96266983e476c29e.yaml
new file mode 100644
index 000000000..0cd8eccb0
--- /dev/null
+++ b/releasenotes/notes/remove-opt-group-firewall-96266983e476c29e.yaml
@@ -0,0 +1,5 @@
+---
+other:
+  - |
+    The deprecated configuration option ``[iptables]manage_firewall`` was
+    removed, use ``[pxe_filter]driver`` to set filtering driver.