diff --git a/designate/backend/impl_pdns4.py b/designate/backend/impl_pdns4.py index d081ba3eb..a7e8cf6e5 100644 --- a/designate/backend/impl_pdns4.py +++ b/designate/backend/impl_pdns4.py @@ -11,6 +11,7 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. +import os.path import urllib import netaddr @@ -36,6 +37,7 @@ class PDNS4Backend(base.Backend): self.api_endpoint = self.options.get('api_endpoint') self.api_token = self.options.get('api_token') self.tsigkey_name = self.options.get('tsigkey_name', None) + self.api_ca_cert = self.options.get('api_ca_cert') self.headers = { "X-API-Key": self.api_token @@ -53,6 +55,28 @@ class PDNS4Backend(base.Backend): ) return zone.status_code == 200 + def _verify_ssl(self): + """ + Function to check if variable has been declared. + + If the api_ca_cert is None, left blank or the default value 'changeme', + returns False to disable ssl verification for the request. + + If api_ca_cert is defined, check if the file actually exists. If it + does exist, return its value (should be the location of a CA + certificate) + """ + ca_cert = self.api_ca_cert + + if ca_cert is None or ca_cert == 'changeme' or ca_cert == '': + return False + if not os.path.exists(ca_cert): + LOG.error("Could not find %s CA certificate." + "No such file or directory", + ca_cert) + return False + return ca_cert + def create_zone(self, context, zone): """Create a DNS zone""" @@ -87,7 +111,8 @@ class PDNS4Backend(base.Backend): requests.post( self._build_url(), json=data, - headers=self.headers + headers=self.headers, + verify=self._verify_ssl() ).raise_for_status() except requests.HTTPError as e: # check if the zone was actually created - even with errors pdns diff --git a/designate/tests/unit/backend/test_pdns4.py b/designate/tests/unit/backend/test_pdns4.py index 9ac4d9f85..1ee99fe08 100644 --- a/designate/tests/unit/backend/test_pdns4.py 
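Review bot: `_verify_ssl` fails open: an unset, blank, `'changeme'` or nonexistent `api_ca_cert` all become `verify=False`, which switches off certificate checking for a request that carries the API key in `X-API-Key`, so a typo in the path silently downgrades the connection to unverified TLS after a single log line. An operator who leaves the option unset most likely wants the library default (its bundled CA set), so the first guard should `return True`, and a configured path that does not exist should be treated as a configuration error rather than a reason to stop verifying — at minimum `return True` there too, so the request fails loudly instead of succeeding unverified. The two concatenated literals in the `LOG.error` call also need a separating space, `"Could not find %s CA certificate. "`, or the message reads "certificate.No such file". The docstring should state that the return value is handed straight to the `verify=` argument of `requests`.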
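Review bot: `verify=self._verify_ssl()` is passed only to this `requests.post`; the diff for impl_pdns4.py has no other hunk touching a request, so the call whose result is checked as `zone.status_code == 200` at the top of the previous hunk (presumably a `requests.get` in the same class, outside this hunk) and any other request to the same endpoint keep the library default and will fail against a server whose certificate chains to the configured CA. Every request in the backend should receive the same argument; computing it once in `__init__`, e.g. `self.verify = self._verify_ssl()`, would also avoid an `os.path.exists` call per request. The body of create_zone starts and ends outside this hunk.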
+++ b/designate/tests/unit/backend/test_pdns4.py @@ -42,6 +42,7 @@ class PDNS4BackendTestCase(designate.tests.TestCase): 'options': [ {'key': 'api_endpoint', 'value': 'http://localhost:8081'}, {'key': 'api_token', 'value': 'api_key'}, + {'key': 'api_ca_cert', 'value': ''} ], } diff --git a/devstack/designate_plugins/backend-pdns4 b/devstack/designate_plugins/backend-pdns4 index 3b75b2446..406f57bec 100644 --- a/devstack/designate_plugins/backend-pdns4 +++ b/devstack/designate_plugins/backend-pdns4 @@ -79,6 +79,7 @@ function configure_designate_backend { port: $DESIGNATE_SERVICE_PORT_DNS api_endpoint: http://$DESIGNATE_SERVICE_HOST:8081 api_token: changeme + api_ca_cert: changeme EOF # Generate PowerDNS pdns.conf file diff --git a/doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml b/doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml index 53e2a1cd4..25e7e451b 100644 --- a/doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml +++ b/doc/source/admin/backends/sample_yaml_snippets/pdns4.yaml @@ -14,5 +14,6 @@ port: 53 api_endpoint: http://127.0.0.1:8081 api_token: changeme + api_ca_cert: /etc/ssl/certs/ca-certificates.crt # If a tsigkey is needed, uncomment the line below and insert the name # tsigkey_name: diff --git a/releasenotes/notes/bugfix-1971856-3938a55b5494b8b8.yaml b/releasenotes/notes/bugfix-1971856-3938a55b5494b8b8.yaml new file mode 100644 index 000000000..e26df69d9 --- /dev/null +++ b/releasenotes/notes/bugfix-1971856-3938a55b5494b8b8.yaml @@ -0,0 +1,11 @@ +--- +fixes: + - | + Fixes bug where requests to powerDNS fail if the dns is configured for TLS + traffic. + + It does so by adding a configuration variable, `api_ca_cert`, users can + use to declare the location of the CA cert needed to verify TLS + traffic. + + `LP#1971856 `__
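Review bot: The test change only adds `{'key': 'api_ca_cert', 'value': ''}` to the fixture, and it is the whole test-file diff, so none of the branches of `_verify_ssl` — unset, `'changeme'`, a path that does not exist, a path that does — is exercised, and nothing asserts which `verify=` value the backend hands to `requests.post`. A test that writes a temporary file, sets `api_ca_cert` to its path and asserts `_verify_ssl()` returns that path, plus one for the blank and `'changeme'` cases, would pin the behaviour the release note describes. `PDNS4BackendTestCase` starts outside this hunk.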