Merge "Support for passing CA certificate in Ironic Glance Communication"

This commit is contained in:
Jenkins 2016-03-14 05:33:10 +00:00 committed by Gerrit Code Review
commit f009574162
5 changed files with 47 additions and 1 deletions

View File

@ -1096,6 +1096,11 @@
# Possible values: keystone, noauth
#auth_strategy=keystone
# Optional path to a CA certificate bundle to be used to
# validate the SSL certificate served by glance. It is used
# when glance_api_insecure is set to False. (string value)
#glance_cafile=<None>
[iboot]

View File

@ -80,6 +80,9 @@ def check_image_service(func):
scheme = 'http'
params = {}
params['insecure'] = CONF.glance.glance_api_insecure
if (not params['insecure'] and CONF.glance.glance_cafile
and use_ssl):
params['cacert'] = CONF.glance.glance_cafile
if CONF.glance.auth_strategy == 'keystone':
params['token'] = self.context.auth_token
endpoint = '%s://%s:%s' % (scheme, self.glance_host, self.glance_port)

View File

@ -71,6 +71,10 @@ glance_opts = [
choices=['keystone', 'noauth'],
help=_('Authentication strategy to use when connecting to '
'glance.')),
cfg.StrOpt('glance_cafile',
help=_('Optional path to a CA certificate bundle to be used to '
'validate the SSL certificate served by glance. It is '
'used when glance_api_insecure is set to False.')),
]
CONF.register_opts(glance_opts, group='glance')

View File

@ -627,7 +627,8 @@ class TestGlanceImageService(base.TestCase):
'token': self.context.auth_token})
@mock.patch.object(glance_client, 'Client', autospec=True)
def test_get_image_service__no_client_set_https(self, mock_gclient):
def test_get_image_service__no_client_set_https_insecure(self,
mock_gclient):
def func(service, *args, **kwargs):
return (self.endpoint, args, kwargs)
@ -637,6 +638,7 @@ class TestGlanceImageService(base.TestCase):
params = {'image_href': '%s/image_uuid' % endpoint}
self.config(auth_strategy='keystone', group='glance')
self.config(glance_api_insecure=True, group='glance')
wrapped_func = base_image_service.check_image_service(func)
self.assertEqual((endpoint, (), params),
@ -646,6 +648,29 @@ class TestGlanceImageService(base.TestCase):
**{'insecure': CONF.glance.glance_api_insecure,
'token': self.context.auth_token})
@mock.patch.object(glance_client, 'Client', autospec=True)
def test_get_image_service__no_client_set_https_secure(self, mock_gclient):
def func(service, *args, **kwargs):
return (self.endpoint, args, kwargs)
endpoint = 'https://123.123.123.123:9292'
mock_gclient.return_value.endpoint = endpoint
self.service.client = None
params = {'image_href': '%s/image_uuid' % endpoint}
self.config(auth_strategy='keystone', group='glance')
self.config(glance_api_insecure=False, group='glance')
self.config(glance_cafile='/path/to/certfile', group='glance')
wrapped_func = base_image_service.check_image_service(func)
self.assertEqual((endpoint, (), params),
wrapped_func(self.service, **params))
mock_gclient.assert_called_once_with(
1, endpoint,
**{'cacert': CONF.glance.glance_cafile,
'insecure': CONF.glance.glance_api_insecure,
'token': self.context.auth_token})
def _create_failing_glance_client(info):
class MyGlanceStubClient(stubs.StubGlanceClient):

View File

@ -0,0 +1,9 @@
---
features:
- Adds support to pass a optional CA certificate using [glance]glance_cafile
configuration option to validate the SSL certificate served by glance for
secured https communication between Glance and Ironic.
upgrade:
- Adds a [glance]glance_cafile configuration option to pass a optional
certificate for secured https communication. It is used when
[glance]glance_api_insecure configuration option is set to False.