Support for passing CA certificate in Ironic Glance Communication

Currently Ironic doesn't pass any certificate down for verifying https connections in glance. New ironic config parameter 'glance_cafile' is added to [glance] section in ironic.conf to pass the certificate down for https connection in glance. Change-Id: I29e134d70addb16cd65dbd9c8038a23e76a57016
2016-02-15 11:19:26 +00:00 · 2016-02-15 11:19:26 +00:00 · a69eee6e44
commit a69eee6e44
parent b3a5325d98
5 changed files with 47 additions and 1 deletions
--- a/etc/ironic/ironic.conf.sample
+++ b/etc/ironic/ironic.conf.sample
@ -1096,6 +1096,11 @@
 # Possible values: keystone, noauth
 #auth_strategy=keystone

+# Optional path to a CA certificate bundle to be used to
+# validate the SSL certificate served by glance. It is used
+# when glance_api_insecure is set to False. (string value)
+#glance_cafile=<None>
+

 [iboot]

--- a/ironic/common/glance_service/base_image_service.py
+++ b/ironic/common/glance_service/base_image_service.py
@ -80,6 +80,9 @@ def check_image_service(func):
            scheme = 'http'
        params = {}
        params['insecure'] = CONF.glance.glance_api_insecure
+        if (not params['insecure'] and CONF.glance.glance_cafile
+                and use_ssl):
+            params['cacert'] = CONF.glance.glance_cafile
        if CONF.glance.auth_strategy == 'keystone':
            params['token'] = self.context.auth_token
        endpoint = '%s://%s:%s' % (scheme, self.glance_host, self.glance_port)
--- a/ironic/common/image_service.py
+++ b/ironic/common/image_service.py
@ -71,6 +71,10 @@ glance_opts = [
               choices=['keystone', 'noauth'],
               help=_('Authentication strategy to use when connecting to '
                      'glance.')),
+    cfg.StrOpt('glance_cafile',
+               help=_('Optional path to a CA certificate bundle to be used to '
+                      'validate the SSL certificate served by glance. It is '
+                      'used when glance_api_insecure is set to False.')),
 ]

 CONF.register_opts(glance_opts, group='glance')
--- a/ironic/tests/unit/common/test_glance_service.py
+++ b/ironic/tests/unit/common/test_glance_service.py
@ -627,7 +627,8 @@ class TestGlanceImageService(base.TestCase):
               'token': self.context.auth_token})

    @mock.patch.object(glance_client, 'Client', autospec=True)
-    def test_get_image_service__no_client_set_https(self, mock_gclient):
+    def test_get_image_service__no_client_set_https_insecure(self,
+                                                             mock_gclient):
        def func(service, *args, **kwargs):
            return (self.endpoint, args, kwargs)

@ -637,6 +638,7 @@ class TestGlanceImageService(base.TestCase):

        params = {'image_href': '%s/image_uuid' % endpoint}
        self.config(auth_strategy='keystone', group='glance')
+        self.config(glance_api_insecure=True, group='glance')
        wrapped_func = base_image_service.check_image_service(func)

        self.assertEqual((endpoint, (), params),
@ -646,6 +648,29 @@ class TestGlanceImageService(base.TestCase):
            **{'insecure': CONF.glance.glance_api_insecure,
               'token': self.context.auth_token})

+    @mock.patch.object(glance_client, 'Client', autospec=True)
+    def test_get_image_service__no_client_set_https_secure(self, mock_gclient):
+        def func(service, *args, **kwargs):
+            return (self.endpoint, args, kwargs)
+
+        endpoint = 'https://123.123.123.123:9292'
+        mock_gclient.return_value.endpoint = endpoint
+        self.service.client = None
+
+        params = {'image_href': '%s/image_uuid' % endpoint}
+        self.config(auth_strategy='keystone', group='glance')
+        self.config(glance_api_insecure=False, group='glance')
+        self.config(glance_cafile='/path/to/certfile', group='glance')
+        wrapped_func = base_image_service.check_image_service(func)
+
+        self.assertEqual((endpoint, (), params),
+                         wrapped_func(self.service, **params))
+        mock_gclient.assert_called_once_with(
+            1, endpoint,
+            **{'cacert': CONF.glance.glance_cafile,
+               'insecure': CONF.glance.glance_api_insecure,
+               'token': self.context.auth_token})
+

 def _create_failing_glance_client(info):
    class MyGlanceStubClient(stubs.StubGlanceClient):
--- a/releasenotes/notes/bug-1548086-ed88646061b88faf.yaml
+++ b/releasenotes/notes/bug-1548086-ed88646061b88faf.yaml
@ -0,0 +1,9 @@
+---
+features:
+  - Adds support to pass a optional CA certificate using [glance]glance_cafile
+    configuration option to validate the SSL certificate served by glance for
+    secured https communication between Glance and Ironic.
+upgrade:
+  - Adds a [glance]glance_cafile configuration option to pass a optional
+    certificate for secured https communication. It is used  when
+    [glance]glance_api_insecure configuration option is set to False.