Support mTLS when calling the glance API

add glance certfile, keyfile to the glance configurations so they can be used for mTLS connection to glance API Closes-Bug: #1917797 Change-Id: Ic9deaa001482c89cdc4361d4a8c7e0236a5a3885
2021-03-04 19:24:58 +00:00 · 2021-03-04 19:24:58 +00:00 · b406e6d354
parent a01b5bb39e
commit b406e6d354
3 changed files with 14 additions and 0 deletions
--- a/cinder/common/config.py
+++ b/cinder/common/config.py
@ -191,6 +191,12 @@ image_opts = [
    cfg.StrOpt('glance_ca_certificates_file',
               help='Location of ca certificates file to use for glance '
                    'client requests.'),
+    cfg.StrOpt('glance_certfile',
+               help='Location of certificate file to use for glance '
+                    'client requests.'),
+    cfg.StrOpt('glance_keyfile',
+               help='Location of certificate key file to use for glance '
+                    'client requests.'),
    cfg.IntOpt('glance_request_timeout',
               help='http/https timeout value for glance operations. If no '
                    'value (None) is supplied here, the glanceclient default '
--- a/cinder/image/glance.py
+++ b/cinder/image/glance.py
@ -120,6 +120,8 @@ def _create_glance_client(context, netloc, use_ssl):
            config_options = {'insecure': CONF.glance_api_insecure,
                              'cacert': CONF.glance_ca_certificates_file,
                              'timeout': CONF.glance_request_timeout,
+                              'cert': CONF.glance_certfile,
+                              'key': CONF.glance_keyfile,
                              'split_loggers': CONF.split_loggers
                              }
            _SESSION = ks_session.Session().load_from_options(**config_options)
--- a/cinder/tests/unit/image/test_glance.py
+++ b/cinder/tests/unit/image/test_glance.py
@ -1108,6 +1108,8 @@ class TestGlanceImageServiceClient(test.TestCase):

        config_options = {'insecure': False,
                          'cacert': None,
+                          'key': None,
+                          'cert': None,
                          'timeout': None,
                          'split_loggers': False}

@ -1129,6 +1131,8 @@ class TestGlanceImageServiceClient(test.TestCase):
        self.flags(glance_request_timeout=60)
        self.flags(
            glance_ca_certificates_file='/opt/stack/data/ca-bundle.pem')
+        self.flags(glance_certfile='/opt/stack/data/cert.pem')
+        self.flags(glance_keyfile='/opt/stack/data/key.pem')

        class MyGlanceStubClient(object):
            def __init__(inst, version, *args, **kwargs):
@ -1140,6 +1144,8 @@ class TestGlanceImageServiceClient(test.TestCase):

        config_options = {'insecure': False,
                          'cacert': '/opt/stack/data/ca-bundle.pem',
+                          'cert': '/opt/stack/data/cert.pem',
+                          'key': '/opt/stack/data/key.pem',
                          'timeout': 60,
                          'split_loggers': False}