Fix designate dns driver for SSL based endpoints
Allow setting options in the designate section to specify whether to skip the SSL cert check. This makes it possible to work with HTTPS based endpoints: the default behavior of keystoneclient is to always set verify=True, but in the current code one can neither provide a valid CA cert nor skip the verification. DocImpact: Introduce two additional options for the `[designate]` section in neutron.conf: CONF.designate.insecure to allow insecure connections over SSL, and CONF.designate.ca_cert for a valid cert when connecting over SSL. Change-Id: Ic371cc11d783618c38ee40a18206b0c2a197bb3e Closes-Bug: #1588067
This commit is contained in:
parent
081601706f
commit
9cd95366a0
@ -55,6 +55,11 @@ designate_opts = [
|
||||
cfg.StrOpt('admin_auth_url',
|
||||
help=_('Authorization URL for connecting to designate in admin '
|
||||
'context')),
|
||||
cfg.BoolOpt('insecure', default=False,
|
||||
help=_('Skip cert validation for SSL based admin_auth_url')),
|
||||
cfg.StrOpt('ca_cert',
|
||||
help=_('CA certificate file to use to verify '
|
||||
'connecting clients')),
|
||||
cfg.BoolOpt('allow_reverse_dns_lookup', default=True,
|
||||
help=_('Allow the creation of PTR records')),
|
||||
cfg.IntOpt('ipv4_ptr_zone_prefix_size', default=24,
|
||||
@ -83,7 +88,11 @@ def get_clients(context):
|
||||
global _SESSION
|
||||
|
||||
if not _SESSION:
|
||||
_SESSION = session.Session()
|
||||
if CONF.designate.insecure:
|
||||
verify = False
|
||||
else:
|
||||
verify = CONF.designate.ca_cert or True
|
||||
_SESSION = session.Session(verify=verify)
|
||||
|
||||
auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
|
||||
client = d_client.Client(session=_SESSION, auth=auth)
|
||||
|
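Review bot: The `ca_cert` help text added in the first hunk (`'CA certificate file to use to verify ' 'connecting clients'`) describes the wrong peer: the value becomes the `verify=` argument of the `session.Session` that is handed to `d_client.Client`, i.e. the CA bundle used to validate the designate endpoint's server certificate, not certificates presented by connecting clients; suggest `help=_('CA certificate file used to verify the SSL endpoint the designate driver connects to')`. In the `get_clients` hunk, `insecure=True` silently wins over a configured `ca_cert` (the `else` branch is never reached), so an operator who sets both gets no certificate validation without any indication; emitting a warning through the module's logger when both are set, or stating in the `insecure` help text that it overrides `ca_cert`, would make that explicit. The `insecure` help text also names only `admin_auth_url`, while the session built here is the one passed to `d_client.Client` on the following line, so the setting presumably governs the `url` endpoint as well and the help text should say so. `get_clients` starts before and continues after this hunk.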
@ -13,9 +13,12 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import uuid
|
||||
|
||||
import mock
|
||||
import netaddr
|
||||
from neutron_lib import constants
|
||||
import testtools
|
||||
|
||||
from neutron import context
|
||||
from neutron.db import dns_db
|
||||
@ -24,6 +27,7 @@ from neutron.extensions import providernet as pnet
|
||||
from neutron import manager
|
||||
from neutron.plugins.ml2 import config
|
||||
from neutron.plugins.ml2.extensions import dns_integration
|
||||
from neutron.services.externaldns.drivers.designate import driver
|
||||
from neutron.tests.unit.plugins.ml2 import test_plugin
|
||||
|
||||
|
||||
@ -497,3 +501,58 @@ class DNSIntegrationTestCase(test_plugin.Ml2PluginV2TestCase):
|
||||
config.cfg.CONF.set_override('dns_domain', DNSDOMAIN)
|
||||
net, port, dns_data_db = self._create_port_for_test()
|
||||
self._verify_port_dns(net, port, dns_data_db)
|
||||
|
||||
|
||||
class TestDesignateClient(testtools.TestCase):
|
||||
"""Test case for designate clients """
|
||||
|
||||
TEST_URL = 'http://127.0.0.1:9001/v2'
|
||||
TEST_ADMIN_USERNAME = uuid.uuid4().hex
|
||||
TEST_ADMIN_PASSWORD = uuid.uuid4().hex
|
||||
TEST_ADMIN_TENANT_NAME = uuid.uuid4().hex
|
||||
TEST_ADMIN_TENANT_ID = uuid.uuid4().hex
|
||||
TEST_ADMIN_AUTH_URL = 'http://127.0.0.1:35357/v2.0'
|
||||
TEST_CA_CERT = uuid.uuid4().hex
|
||||
|
||||
TEST_CONTEXT = mock.Mock()
|
||||
TEST_CONTEXT.auth_token = uuid.uuid4().hex
|
||||
|
||||
def setUp(self):
|
||||
super(TestDesignateClient, self).setUp()
|
||||
config.cfg.CONF.set_override('url',
|
||||
self.TEST_URL,
|
||||
group='designate')
|
||||
config.cfg.CONF.set_override('admin_username',
|
||||
self.TEST_ADMIN_USERNAME,
|
||||
group='designate')
|
||||
config.cfg.CONF.set_override('admin_password',
|
||||
self.TEST_ADMIN_PASSWORD,
|
||||
group='designate')
|
||||
config.cfg.CONF.set_override('admin_auth_url',
|
||||
self.TEST_ADMIN_AUTH_URL,
|
||||
group='designate')
|
||||
config.cfg.CONF.set_override('admin_tenant_id',
|
||||
self.TEST_ADMIN_TENANT_ID,
|
||||
group='designate')
|
||||
config.cfg.CONF.set_override('admin_tenant_name',
|
||||
self.TEST_ADMIN_TENANT_NAME,
|
||||
group='designate')
|
||||
|
||||
driver.session.Session = mock.MagicMock()
|
||||
|
||||
def test_insecure_client(self):
|
||||
config.cfg.CONF.set_override('insecure',
|
||||
True,
|
||||
group='designate')
|
||||
driver.get_clients(self.TEST_CONTEXT)
|
||||
driver.session.Session.assert_called_with(verify=False)
|
||||
|
||||
def test_secure_client(self):
|
||||
config.cfg.CONF.set_override('insecure',
|
||||
False,
|
||||
group='designate')
|
||||
config.cfg.CONF.set_override('ca_cert',
|
||||
self.TEST_CA_CERT,
|
||||
group='designate')
|
||||
driver.get_clients(self.TEST_CONTEXT)
|
||||
driver.session.Session.assert_called_with(verify=self.TEST_CA_CERT)
|
||||
|
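Review bot: `driver.session.Session = mock.MagicMock()` in `setUp` overwrites the module attribute for the rest of the process with nothing restoring it, and the driver caches its session in the module-level `_SESSION` (`if not _SESSION:` in the driver hunk), so whichever of `test_insecure_client` and `test_secure_client` runs second in the same process finds a truthy cached mock, `Session` is never called again, and its `assert_called_with` fails; unless something outside this hunk resets `driver._SESSION`, the two tests are order-dependent. Reset the cache and patch with cleanup instead: `driver._SESSION = None`, `self.addCleanup(setattr, driver, '_SESSION', None)`, and replace the bare assignment with `mock.patch.object(driver.session, 'Session')` started in `setUp` and stopped via `self.addCleanup`. Both tests would then also be meaningful when run in isolation or in either order.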
@ -0,0 +1,16 @@
|
||||
---
|
||||
prelude: >
|
||||
Add options to designate external dns driver
|
||||
of neutron for SSL based connections. This makes
|
||||
it possible to use neutron with designate in scenario
|
||||
where endpoints are SSL based. Users can specify to
|
||||
skip cert validation or specify path to a valid cert
|
||||
in [designate] section of neutron.conf file.
|
||||
features:
|
||||
- Two new options are added to `[designate]` section to
|
||||
support SSL.
|
||||
- First option `insecure` allows to skip SSL validation
|
||||
when creating a keystone session to initate a designate client.
|
||||
Default value is False, which means to always verify connection.
|
||||
- Second option `ca_cert` allows setting path to a valid cert file.
|
||||
Default is None.
|