From 6c27d05d8faa2fb284a0c9eeb57480bb5e82942f Mon Sep 17 00:00:00 2001
From: Gyorgy Szombathelyi
Date: Sat, 20 Feb 2016 19:34:48 +0100
Subject: [PATCH] Support https keystone CA checking in volume quotas

Currently connecting to https secured keystone instance mostly fail in cinder quotas, since neither CA certificate nor the insecure option is passed to keystone client. Fixing this by passing these options from keystone_authtoken, converting them to a verify option for the keystone session object.

Change-Id: Ifd9214b837d87d7bf6d78406a8cef447c2b7c39e
Closes-Bug: #1537783
---
 cinder/quota_utils.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/cinder/quota_utils.py b/cinder/quota_utils.py
index d7cd82a4754..ddb2021057b 100644
--- a/cinder/quota_utils.py
+++ b/cinder/quota_utils.py
@@ -232,6 +232,9 @@ def _keystone_client(context, version=(3, 0)):
 auth_url=CONF.keystone_authtoken.auth_uri,
 token=context.auth_token,
 project_id=context.project_id)
- client_session = session.Session(auth=auth_plugin)
+ client_session = session.Session(auth=auth_plugin,
+ verify=False if
+ CONF.keystone_authtoken.insecure else
+ (CONF.keystone_authtoken.cafile or True))
 return client.Client(auth_url=CONF.keystone_authtoken.auth_uri,
 session=client_session, version=version)
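Review bot: The `verify=` argument added to the `session.Session(...)` call is a nested conditional expression split across four lines, so the decision whether TLS certificates are checked is hard to read at a glance. Computing it into a named local first, with a short comment on the three possible outcomes, would make the precedence explicit (`insecure` wins over `cafile`). When `insecure` is set, this session sends `context.auth_token` to a peer whose certificate is never validated, so a warning log on that branch would make the setting visible to operators. `_keystone_client` starts above the hunk, so whether a logger is in scope there cannot be confirmed from here.

```python
    # … unchanged: auth_plugin construction …
    # verify is False (no certificate checking), a CA bundle path, or
    # True (default CA bundle); insecure takes precedence over cafile.
    if CONF.keystone_authtoken.insecure:
        verify = False
    else:
        verify = CONF.keystone_authtoken.cafile or True
    client_session = session.Session(auth=auth_plugin, verify=verify)
    # … unchanged: return client.Client(...) …
```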