Support for passing CA certificate in Ironic Glance Communication
Currently Ironic doesn't pass any CA certificate down for verifying https connections to glance. A new ironic config parameter, 'glance_cafile', is added to the [glance] section of ironic.conf to pass the certificate down for https connections to glance. Change-Id: I29e134d70addb16cd65dbd9c8038a23e76a57016
parent
b3a5325d98
commit
a69eee6e44
@ -1096,6 +1096,11 @@
|
|||||||
# Possible values: keystone, noauth
|
# Possible values: keystone, noauth
|
||||||
#auth_strategy=keystone
|
#auth_strategy=keystone
|
||||||
|
|
||||||
|
# Optional path to a CA certificate bundle to be used to
|
||||||
|
# validate the SSL certificate served by glance. It is used
|
||||||
|
# when glance_api_insecure is set to False. (string value)
|
||||||
|
#glance_cafile=<None>
|
||||||
|
|
||||||
|
|
||||||
[iboot]
|
[iboot]
|
||||||
|
|
||||||
|
@ -80,6 +80,9 @@ def check_image_service(func):
|
|||||||
scheme = 'http'
|
scheme = 'http'
|
||||||
params = {}
|
params = {}
|
||||||
params['insecure'] = CONF.glance.glance_api_insecure
|
params['insecure'] = CONF.glance.glance_api_insecure
|
||||||
|
if (not params['insecure'] and CONF.glance.glance_cafile
|
||||||
|
and use_ssl):
|
||||||
|
params['cacert'] = CONF.glance.glance_cafile
|
||||||
if CONF.glance.auth_strategy == 'keystone':
|
if CONF.glance.auth_strategy == 'keystone':
|
||||||
params['token'] = self.context.auth_token
|
params['token'] = self.context.auth_token
|
||||||
endpoint = '%s://%s:%s' % (scheme, self.glance_host, self.glance_port)
|
endpoint = '%s://%s:%s' % (scheme, self.glance_host, self.glance_port)
|
||||||
|
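Review bot: The new condition drops `glance_cafile` without any signal when `glance_api_insecure` is True, so an operator who configures a CA bundle but leaves verification disabled gets an unverified TLS connection and no hint of it. A branch such as `elif params['insecure'] and CONF.glance.glance_cafile:` followed by `LOG.warning('glance_cafile is ignored because glance_api_insecure is True')` would make that visible, assuming the module has a logger, which the hunk does not show. The path is also passed through unchecked, so a missing or unreadable bundle presumably surfaces only when the client connects. `use_ssl` is defined outside the hunk, and the body of `check_image_service` starts and ends outside it.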
@ -71,6 +71,10 @@ glance_opts = [
|
|||||||
choices=['keystone', 'noauth'],
|
choices=['keystone', 'noauth'],
|
||||||
help=_('Authentication strategy to use when connecting to '
|
help=_('Authentication strategy to use when connecting to '
|
||||||
'glance.')),
|
'glance.')),
|
||||||
|
cfg.StrOpt('glance_cafile',
|
||||||
|
help=_('Optional path to a CA certificate bundle to be used to '
|
||||||
|
'validate the SSL certificate served by glance. It is '
|
||||||
|
'used when glance_api_insecure is set to False.')),
|
||||||
]
|
]
|
||||||
|
|
||||||
CONF.register_opts(glance_opts, group='glance')
|
CONF.register_opts(glance_opts, group='glance')
|
||||||
|
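Review bot: The help string for `glance_cafile` states only the `glance_api_insecure` condition, while the caller changed in this commit also requires an https endpoint (`use_ssl`) before the bundle is passed on. It also does not say what is used for validation when the option is left unset. Suggested wording: `'Optional path to a CA certificate bundle used to validate the SSL certificate served by glance. Only used for https endpoints when glance_api_insecure is False; ignored otherwise.'`, plus a sentence on the unset case once the client's default behaviour is confirmed. The sample config text is the same string and would follow from it; the `glance_opts` list starts outside the hunk.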
@ -627,7 +627,8 @@ class TestGlanceImageService(base.TestCase):
|
|||||||
'token': self.context.auth_token})
|
'token': self.context.auth_token})
|
||||||
|
|
||||||
@mock.patch.object(glance_client, 'Client', autospec=True)
|
@mock.patch.object(glance_client, 'Client', autospec=True)
|
||||||
def test_get_image_service__no_client_set_https(self, mock_gclient):
|
def test_get_image_service__no_client_set_https_insecure(self,
|
||||||
|
mock_gclient):
|
||||||
def func(service, *args, **kwargs):
|
def func(service, *args, **kwargs):
|
||||||
return (self.endpoint, args, kwargs)
|
return (self.endpoint, args, kwargs)
|
||||||
|
|
||||||
@ -637,6 +638,7 @@ class TestGlanceImageService(base.TestCase):
|
|||||||
|
|
||||||
params = {'image_href': '%s/image_uuid' % endpoint}
|
params = {'image_href': '%s/image_uuid' % endpoint}
|
||||||
self.config(auth_strategy='keystone', group='glance')
|
self.config(auth_strategy='keystone', group='glance')
|
||||||
|
self.config(glance_api_insecure=True, group='glance')
|
||||||
wrapped_func = base_image_service.check_image_service(func)
|
wrapped_func = base_image_service.check_image_service(func)
|
||||||
|
|
||||||
self.assertEqual((endpoint, (), params),
|
self.assertEqual((endpoint, (), params),
|
||||||
@ -646,6 +648,29 @@ class TestGlanceImageService(base.TestCase):
|
|||||||
**{'insecure': CONF.glance.glance_api_insecure,
|
**{'insecure': CONF.glance.glance_api_insecure,
|
||||||
'token': self.context.auth_token})
|
'token': self.context.auth_token})
|
||||||
|
|
||||||
|
@mock.patch.object(glance_client, 'Client', autospec=True)
|
||||||
|
def test_get_image_service__no_client_set_https_secure(self, mock_gclient):
|
||||||
|
def func(service, *args, **kwargs):
|
||||||
|
return (self.endpoint, args, kwargs)
|
||||||
|
|
||||||
|
endpoint = 'https://123.123.123.123:9292'
|
||||||
|
mock_gclient.return_value.endpoint = endpoint
|
||||||
|
self.service.client = None
|
||||||
|
|
||||||
|
params = {'image_href': '%s/image_uuid' % endpoint}
|
||||||
|
self.config(auth_strategy='keystone', group='glance')
|
||||||
|
self.config(glance_api_insecure=False, group='glance')
|
||||||
|
self.config(glance_cafile='/path/to/certfile', group='glance')
|
||||||
|
wrapped_func = base_image_service.check_image_service(func)
|
||||||
|
|
||||||
|
self.assertEqual((endpoint, (), params),
|
||||||
|
wrapped_func(self.service, **params))
|
||||||
|
mock_gclient.assert_called_once_with(
|
||||||
|
1, endpoint,
|
||||||
|
**{'cacert': CONF.glance.glance_cafile,
|
||||||
|
'insecure': CONF.glance.glance_api_insecure,
|
||||||
|
'token': self.context.auth_token})
|
||||||
|
|
||||||
|
|
||||||
def _create_failing_glance_client(info):
|
def _create_failing_glance_client(info):
|
||||||
class MyGlanceStubClient(stubs.StubGlanceClient):
|
class MyGlanceStubClient(stubs.StubGlanceClient):
|
||||||
|
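Review bot: The renamed `test_get_image_service__no_client_set_https_insecure` leaves `glance_cafile` at its default, so it does not show that a configured CA bundle is withheld when `glance_api_insecure` is True. Adding `self.config(glance_cafile='/path/to/certfile', group='glance')` next to the `glance_api_insecure=True` line would pin that branch, since the existing `assert_called_once_with` already expects no `cacert` key. As far as these hunks show, the case of verification enabled over https with no `glance_cafile` set is also not asserted. The insecure test's body extends outside the hunks.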
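--- a/releasenotes/notes/bug-1548086-ed88646061b88faf.yaml
+++ b/releasenotes/notes/bug-1548086-ed88646061b88faf.yaml
@@ -0,0 +1,9 @@
+---
+features:
+- Adds support to pass a optional CA certificate using [glance]glance_cafile
+configuration option to validate the SSL certificate served by glance for
+secured https communication between Glance and Ironic.
+upgrade:
+- Adds a [glance]glance_cafile configuration option to pass a optional
+certificate for secured https communication. It is used when
+[glance]glance_api_insecure configuration option is set to False.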