Merge "Fix designate dns driver for SSL based endpoints"

2016-06-16 21:15:18 +00:00
parent de0456db7c 9cd95366a0
commit 27c0d3ca81
3 changed files with 85 additions and 1 deletions
--- a/neutron/services/externaldns/drivers/designate/driver.py
+++ b/neutron/services/externaldns/drivers/designate/driver.py
@@ -55,6 +55,11 @@ designate_opts = [
    cfg.StrOpt('admin_auth_url',
               help=_('Authorization URL for connecting to designate in admin '
                      'context')),
    cfg.BoolOpt('insecure', default=False,
                help=_('Skip cert validation for SSL based admin_auth_url')),
    cfg.StrOpt('ca_cert',
               help=_('CA certificate file to use to verify '
                      'connecting clients')),
    cfg.BoolOpt('allow_reverse_dns_lookup', default=True,
                help=_('Allow the creation of PTR records')),
    cfg.IntOpt('ipv4_ptr_zone_prefix_size', default=24,
@@ -83,7 +88,11 @@ def get_clients(context):
    global _SESSION
    if not _SESSION:
-        _SESSION = session.Session()
+        if CONF.designate.insecure:
            verify = False
        else:
            verify = CONF.designate.ca_cert or True
        _SESSION = session.Session(verify=verify)
    auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
    client = d_client.Client(session=_SESSION, auth=auth)
--- a/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py
+++ b/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py
@@ -13,9 +13,12 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 import uuid
 import mock
 import netaddr
 from neutron_lib import constants
 import testtools
 from neutron import context
 from neutron.db import dns_db
@@ -24,6 +27,7 @@ from neutron.extensions import providernet as pnet
 from neutron import manager
 from neutron.plugins.ml2 import config
 from neutron.plugins.ml2.extensions import dns_integration
 from neutron.services.externaldns.drivers.designate import driver
 from neutron.tests.unit.plugins.ml2 import test_plugin
@@ -497,3 +501,58 @@ class DNSIntegrationTestCase(test_plugin.Ml2PluginV2TestCase):
        config.cfg.CONF.set_override('dns_domain', DNSDOMAIN)
        net, port, dns_data_db = self._create_port_for_test()
        self._verify_port_dns(net, port, dns_data_db)
 class TestDesignateClient(testtools.TestCase):
    """Test case for designate clients """
    TEST_URL = 'http://127.0.0.1:9001/v2'
    TEST_ADMIN_USERNAME = uuid.uuid4().hex
    TEST_ADMIN_PASSWORD = uuid.uuid4().hex
    TEST_ADMIN_TENANT_NAME = uuid.uuid4().hex
    TEST_ADMIN_TENANT_ID = uuid.uuid4().hex
    TEST_ADMIN_AUTH_URL = 'http://127.0.0.1:35357/v2.0'
    TEST_CA_CERT = uuid.uuid4().hex
    TEST_CONTEXT = mock.Mock()
    TEST_CONTEXT.auth_token = uuid.uuid4().hex
    def setUp(self):
        super(TestDesignateClient, self).setUp()
        config.cfg.CONF.set_override('url',
                                     self.TEST_URL,
                                     group='designate')
        config.cfg.CONF.set_override('admin_username',
                                     self.TEST_ADMIN_USERNAME,
                                     group='designate')
        config.cfg.CONF.set_override('admin_password',
                                     self.TEST_ADMIN_PASSWORD,
                                     group='designate')
        config.cfg.CONF.set_override('admin_auth_url',
                                     self.TEST_ADMIN_AUTH_URL,
                                     group='designate')
        config.cfg.CONF.set_override('admin_tenant_id',
                                     self.TEST_ADMIN_TENANT_ID,
                                     group='designate')
        config.cfg.CONF.set_override('admin_tenant_name',
                                     self.TEST_ADMIN_TENANT_NAME,
                                     group='designate')
        driver.session.Session = mock.MagicMock()
    def test_insecure_client(self):
        config.cfg.CONF.set_override('insecure',
                                     True,
                                     group='designate')
        driver.get_clients(self.TEST_CONTEXT)
        driver.session.Session.assert_called_with(verify=False)
    def test_secure_client(self):
        config.cfg.CONF.set_override('insecure',
                                     False,
                                     group='designate')
        config.cfg.CONF.set_override('ca_cert',
                                     self.TEST_CA_CERT,
                                     group='designate')
        driver.get_clients(self.TEST_CONTEXT)
        driver.session.Session.assert_called_with(verify=self.TEST_CA_CERT)
--- a/releasenotes/notes/add-designate-driver-ssl-options-169c299c96f2aff0.yaml
+++ b/releasenotes/notes/add-designate-driver-ssl-options-169c299c96f2aff0.yaml
@@ -0,0 +1,16 @@
 ---
 prelude: >
    Add options to designate external dns driver
    of neutron for SSL based connections. This makes
    it possible to use neutron with designate in scenario
    where endpoints are SSL based. Users can specify to
    skip cert validation or specify path to a valid cert
    in [designate] section of neutron.conf file.
 features:
  - Two new options are added to `[designate]` section to
    support SSL.
  - First option `insecure` allows to skip SSL validation
    when creating a keystone session to initate a designate client.
    Default value is False, which means to always verify connection.
  - Second option `ca_cert` allows setting path to a valid cert file.
    Default is None.