Adds api_ca_cert configuration variable to pools.yaml

Adds a configuration variable that allows a user to
declare the CA certificate to be used to verify
traffic with a PowerDNS API endpoint.

Closes-Bug: #1971856
Signed-off-by: Juan Pablo Suazo <jsuazo@whitestack.com>
Change-Id: I57f3d5a1d1f79186cc5b38e76d30f62e01b60482

designate/backend/impl_pdns4.py

@@ -11,6 +11,7 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
+import os.path
 import urllib
 
 import netaddr
@@ -36,6 +37,7 @@ class PDNS4Backend(base.Backend):
         self.api_endpoint = self.options.get('api_endpoint')
         self.api_token = self.options.get('api_token')
         self.tsigkey_name = self.options.get('tsigkey_name', None)
+        self.api_ca_cert = self.options.get('api_ca_cert')
 
         self.headers = {
             "X-API-Key": self.api_token
@@ -53,6 +55,28 @@ class PDNS4Backend(base.Backend):
         )
         return zone.status_code == 200
 
+    def _verify_ssl(self):
+        """
+        Function to check if variable has been declared.
+
+        If the api_ca_cert is None, left blank or the default value 'changeme',
+        returns False to disable ssl verification for the request.
+
+        If api_ca_cert is defined, check if the file actually exists. If it
+        does exist, return its value (should be the location of a CA
+        certificate)
+        """
+        ca_cert = self.api_ca_cert
+
+        if ca_cert is None or ca_cert == 'changeme' or ca_cert == '':
+            return False
+        if not os.path.exists(ca_cert):
+            LOG.error("Could not find %s CA certificate."
+                      "No such file or directory",
+                      ca_cert)
+            return False
+        return ca_cert
+
     def create_zone(self, context, zone):
         """Create a DNS zone"""
 
@@ -87,7 +111,8 @@ class PDNS4Backend(base.Backend):
             requests.post(
                 self._build_url(),
                 json=data,
-                headers=self.headers
+                headers=self.headers,
+                verify=self._verify_ssl()
             ).raise_for_status()
         except requests.HTTPError as e:
             # check if the zone was actually created - even with errors pdns

designate/tests/unit/backend/test_pdns4.py

@@ -42,6 +42,7 @@ class PDNS4BackendTestCase(designate.tests.TestCase):
             'options': [
                 {'key': 'api_endpoint', 'value': 'http://localhost:8081'},
                 {'key': 'api_token', 'value': 'api_key'},
+                {'key': 'api_ca_cert', 'value': ''}
             ],
         }
 

devstack/designate_plugins/backend-pdns4

@@ -79,6 +79,7 @@ function configure_designate_backend {
         port: $DESIGNATE_SERVICE_PORT_DNS
         api_endpoint: http://$DESIGNATE_SERVICE_HOST:8081
         api_token: changeme
+        api_ca_cert: changeme
 EOF
 
     # Generate PowerDNS pdns.conf file

doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml

@@ -14,5 +14,6 @@
         port: 53
         api_endpoint: http://127.0.0.1:8081
         api_token: changeme
+        api_ca_cert: /etc/ssl/certs/ca-certificates.crt
         # If a tsigkey is needed, uncomment the line below and insert the name
         # tsigkey_name: <keyname>

releasenotes/notes/bugfix-1971856-3938a55b5494b8b8.yaml

@@ -0,0 +1,11 @@
+---
+fixes:
+  - |
+    Fixes bug where requests to powerDNS fail if the dns is configured for TLS
+    traffic.
+
+    It does so by adding a configuration variable, `api_ca_cert`, users can
+    use to declare the location of the CA cert needed to verify TLS
+    traffic.
+
+    `LP#1971856 <https://bugs.launchpad.net/designate/+bug/1971856>`__