Adds api_ca_cert configuration variable to pools.yaml
Adds a configuration variable that allows a user to declare the CA certificate to be used to verify traffic with a PowerDNS API endpoint. Closes-Bug: #1971856 Signed-off-by: Juan Pablo Suazo <jsuazo@whitestack.com> Change-Id: I57f3d5a1d1f79186cc5b38e76d30f62e01b60482
parent
4b516eaccc
commit
c230ddb8c5
@ -11,6 +11,7 @@
|
|||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
import os.path
|
||||||
import urllib
|
import urllib
|
||||||
|
|
||||||
import netaddr
|
import netaddr
|
||||||
@ -36,6 +37,7 @@ class PDNS4Backend(base.Backend):
|
|||||||
self.api_endpoint = self.options.get('api_endpoint')
|
self.api_endpoint = self.options.get('api_endpoint')
|
||||||
self.api_token = self.options.get('api_token')
|
self.api_token = self.options.get('api_token')
|
||||||
self.tsigkey_name = self.options.get('tsigkey_name', None)
|
self.tsigkey_name = self.options.get('tsigkey_name', None)
|
||||||
|
self.api_ca_cert = self.options.get('api_ca_cert')
|
||||||
|
|
||||||
self.headers = {
|
self.headers = {
|
||||||
"X-API-Key": self.api_token
|
"X-API-Key": self.api_token
|
||||||
@ -53,6 +55,28 @@ class PDNS4Backend(base.Backend):
|
|||||||
)
|
)
|
||||||
return zone.status_code == 200
|
return zone.status_code == 200
|
||||||
|
|
||||||
|
def _verify_ssl(self):
|
||||||
|
"""
|
||||||
|
Function to check if variable has been declared.
|
||||||
|
|
||||||
|
If the api_ca_cert is None, left blank or the default value 'changeme',
|
||||||
|
returns False to disable ssl verification for the request.
|
||||||
|
|
||||||
|
If api_ca_cert is defined, check if the file actually exists. If it
|
||||||
|
does exist, return its value (should be the location of a CA
|
||||||
|
certificate)
|
||||||
|
"""
|
||||||
|
ca_cert = self.api_ca_cert
|
||||||
|
|
||||||
|
if ca_cert is None or ca_cert == 'changeme' or ca_cert == '':
|
||||||
|
return False
|
||||||
|
if not os.path.exists(ca_cert):
|
||||||
|
LOG.error("Could not find %s CA certificate."
|
||||||
|
"No such file or directory",
|
||||||
|
ca_cert)
|
||||||
|
return False
|
||||||
|
return ca_cert
|
||||||
|
|
||||||
def create_zone(self, context, zone):
|
def create_zone(self, context, zone):
|
||||||
"""Create a DNS zone"""
|
"""Create a DNS zone"""
|
||||||
|
|
||||||
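Review bot: `_verify_ssl` fails open: an unset, blank or `changeme` `api_ca_cert` returns `False`, which `requests` interprets as "do not verify the server certificate at all", and the missing-file branch under `if not os.path.exists(ca_cert):` does the same after logging. The safer contract is that no configured CA means the default trust store, i.e. `return True` in the first branch, and that a configured path which does not exist is a configuration error rather than a silent downgrade to unverified TLS — at minimum `return True` there as well, or refuse to start. The docstring should then state that contract, e.g. `Return the CA bundle path to pass as requests' verify=, or True to use the default trust store.`, instead of `Function to check if variable has been declared.`.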
@ -87,7 +111,8 @@ class PDNS4Backend(base.Backend):
|
|||||||
requests.post(
|
requests.post(
|
||||||
self._build_url(),
|
self._build_url(),
|
||||||
json=data,
|
json=data,
|
||||||
headers=self.headers
|
headers=self.headers,
|
||||||
|
verify=self._verify_ssl()
|
||||||
).raise_for_status()
|
).raise_for_status()
|
||||||
except requests.HTTPError as e:
|
except requests.HTTPError as e:
|
||||||
# check if the zone was actually created - even with errors pdns
|
# check if the zone was actually created - even with errors pdns
|
||||||
|
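Review bot: `verify=self._verify_ssl()` is passed only to the `requests.post` in `create_zone`; the GET whose call closes at the top of the previous hunk (ending in `return zone.status_code == 200`) and, presumably, the delete request outside this view still use the `requests` default, so with a private CA configured the existence check and deletion would fail verification while creation succeeds. The value should be passed to every call against the API, or resolved once (for example in `__init__`) into a `requests.Session` with `session.verify` set, which also avoids the `os.path.exists` lookup on every request. `create_zone` starts before this hunk and the `except` body continues past it.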
@ -42,6 +42,7 @@ class PDNS4BackendTestCase(designate.tests.TestCase):
|
|||||||
'options': [
|
'options': [
|
||||||
{'key': 'api_endpoint', 'value': 'http://localhost:8081'},
|
{'key': 'api_endpoint', 'value': 'http://localhost:8081'},
|
||||||
{'key': 'api_token', 'value': 'api_key'},
|
{'key': 'api_token', 'value': 'api_key'},
|
||||||
|
{'key': 'api_ca_cert', 'value': ''}
|
||||||
],
|
],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
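Review bot: The fixture only sets `api_ca_cert` to `''`, so the new `_verify_ssl` is exercised solely on its blank-value path; there is no test for a configured path that exists, for one that does not, or that `requests.post` in `create_zone` receives the resulting `verify=` argument. A test that points `api_ca_cert` at a temporary file and asserts the value passed as `verify`, plus one for a nonexistent path asserting the fallback, would pin the intended behaviour. The test class continues outside this hunk.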
@ -79,6 +79,7 @@ function configure_designate_backend {
|
|||||||
port: $DESIGNATE_SERVICE_PORT_DNS
|
port: $DESIGNATE_SERVICE_PORT_DNS
|
||||||
api_endpoint: http://$DESIGNATE_SERVICE_HOST:8081
|
api_endpoint: http://$DESIGNATE_SERVICE_HOST:8081
|
||||||
api_token: changeme
|
api_token: changeme
|
||||||
|
api_ca_cert: changeme
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Generate PowerDNS pdns.conf file
|
# Generate PowerDNS pdns.conf file
|
||||||
|
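Review bot: `api_ca_cert: changeme` publishes `changeme` as a meaningful sentinel that the backend has to special-case in `_verify_ssl`, whereas `api_token: changeme` above it is a placeholder the operator is expected to replace. Since the devstack `api_endpoint` is plain `http://`, the value is inert here; omitting the line, or commenting it out, would avoid teaching operators that `changeme` is an accepted setting for a CA path. The heredoc and `configure_designate_backend` continue outside this hunk.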
@ -14,5 +14,6 @@
|
|||||||
port: 53
|
port: 53
|
||||||
api_endpoint: http://127.0.0.1:8081
|
api_endpoint: http://127.0.0.1:8081
|
||||||
api_token: changeme
|
api_token: changeme
|
||||||
|
api_ca_cert: /etc/ssl/certs/ca-certificates.crt
|
||||||
# If a tsigkey is needed, uncomment the line below and insert the name
|
# If a tsigkey is needed, uncomment the line below and insert the name
|
||||||
# tsigkey_name: <keyname>
|
# tsigkey_name: <keyname>
|
||||||
|
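Review bot: The sample hard-codes `/etc/ssl/certs/ca-certificates.crt`, a Debian/Ubuntu system bundle path that does not exist on other distributions, and the backend's `_verify_ssl` handles a missing file by logging an error and falling back to `verify=False`. A comment on the line would help operators, e.g. `# Optional: path to the CA bundle used to verify the PowerDNS API's TLS certificate (only needed when api_endpoint is https)`, mirroring the `tsigkey_name` comment below it.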
11
releasenotes/notes/bugfix-1971856-3938a55b5494b8b8.yaml
Normal file
11
releasenotes/notes/bugfix-1971856-3938a55b5494b8b8.yaml
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Fixes bug where requests to powerDNS fail if the dns is configured for TLS
|
||||||
|
traffic.
|
||||||
|
|
||||||
|
It does so by adding a configuration variable, `api_ca_cert`, users can
|
||||||
|
use to declare the location of the CA cert needed to verify TLS
|
||||||
|
traffic.
|
||||||
|
|
||||||
|
`LP#1971856 <https://bugs.launchpad.net/designate/+bug/1971856>`__
|