Allow keystone v3 in the designate driver

Using the loader from keystoneauth1, it is possible to easily use
keystone v3 options in [designate].
For the end user, it means she/he must specify designate.auth_type,
then she/he can specify an Keystone v3 endpoint in designate.auth_url.

Change-Id: I8bb02f11e60767dacdf6ac852979cfa82de1e08b
Closes-bug: #1585976
DocImpact

neutron/conf/services/extdns_designate_driver.py

@@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from keystoneauth1 import loading
 from oslo_config import cfg
 
 from neutron._i18n import _
@@ -62,3 +63,4 @@ designate_opts = [
 
 def register_designate_opts(cfg=cfg.CONF):
     cfg.register_opts(designate_opts, 'designate')
+    loading.conf.register_conf_options(cfg, 'designate')

neutron/services/externaldns/drivers/designate/driver.py

@@ -18,6 +18,7 @@ import netaddr
 from designateclient import exceptions as d_exc
 from designateclient.v2 import client as d_client
 from keystoneauth1.identity.generic import password
+from keystoneauth1 import loading
 from keystoneauth1 import session
 from keystoneauth1 import token_endpoint
 from neutron_lib import constants
@@ -50,6 +51,10 @@ def get_clients(context):
 
     auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
     client = d_client.Client(session=_SESSION, auth=auth)
+    if CONF.designate.auth_type:
+        admin_auth = loading.load_auth_from_conf_options(
+            CONF, 'designate')
+    else:
         admin_auth = password.Password(
             auth_url=CONF.designate.admin_auth_url,
             username=CONF.designate.admin_username,

neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py

@@ -15,6 +15,7 @@
 
 import uuid
 
+from keystoneauth1 import loading
 import mock
 import netaddr
 from neutron_lib import constants
@@ -527,7 +528,7 @@ class DNSIntegrationTestCaseDefaultDomain(DNSIntegrationTestCase):
         self._verify_port_dns(net, port, dns_data_db)
 
 
-class TestDesignateClient(testtools.TestCase):
+class TestDesignateClientKeystoneV2(testtools.TestCase):
     """Test case for designate clients """
 
     TEST_URL = 'http://127.0.0.1:9001/v2'
@@ -542,7 +543,7 @@ class TestDesignateClient(testtools.TestCase):
     TEST_CONTEXT.auth_token = uuid.uuid4().hex
 
     def setUp(self):
-        super(TestDesignateClient, self).setUp()
+        super(TestDesignateClientKeystoneV2, self).setUp()
         config.cfg.CONF.set_override('url',
                                      self.TEST_URL,
                                      group='designate')
@@ -565,8 +566,12 @@ class TestDesignateClient(testtools.TestCase):
         # enforce session recalculation
         mock.patch.object(driver, '_SESSION', new=None).start()
         self.driver_session = (
-            mock.patch.object(driver.session, 'Session').start()
-        )
+            mock.patch.object(driver.session, 'Session').start())
+        self.load_auth = (
+            mock.patch.object(driver.loading,
+                'load_auth_from_conf_options').start())
+        self.password = (
+            mock.patch.object(driver.password, 'Password').start())
 
     def test_insecure_client(self):
         config.cfg.CONF.set_override('insecure',
@@ -584,3 +589,96 @@ class TestDesignateClient(testtools.TestCase):
                                      group='designate')
         driver.get_clients(self.TEST_CONTEXT)
         self.driver_session.assert_called_with(verify=self.TEST_CA_CERT)
+
+    def test_auth_type_not_defined(self):
+        driver.get_clients(self.TEST_CONTEXT)
+        self.load_auth.assert_not_called()
+        self.password.assert_called_with(
+            auth_url=self.TEST_ADMIN_AUTH_URL,
+            password=self.TEST_ADMIN_PASSWORD,
+            tenant_id=self.TEST_ADMIN_TENANT_ID,
+            tenant_name=self.TEST_ADMIN_TENANT_NAME,
+            username=self.TEST_ADMIN_USERNAME)
+
+
+class TestDesignateClientKeystoneV3(testtools.TestCase):
+    """Test case for designate clients """
+
+    TEST_URL = 'http://127.0.0.1:9001/v2'
+    TEST_ADMIN_USERNAME = uuid.uuid4().hex
+    TEST_ADMIN_PASSWORD = uuid.uuid4().hex
+    TEST_ADMIN_USER_DOMAIN_ID = 'Default'
+    TEST_ADMIN_PROJECT_ID = uuid.uuid4().hex
+    TEST_ADMIN_PROJECT_DOMAIN_ID = 'Default'
+    TEST_ADMIN_AUTH_URL = 'http://127.0.0.1:35357/v3'
+    TEST_CA_CERT = uuid.uuid4().hex
+
+    TEST_CONTEXT = mock.Mock()
+    TEST_CONTEXT.auth_token = uuid.uuid4().hex
+
+    def setUp(self):
+        super(TestDesignateClientKeystoneV3, self).setUp()
+        # Register the Password auth plugin options,
+        # so we can use CONF.set_override
+        config.cfg.CONF.register_opts(
+            loading.get_auth_plugin_conf_options('password'),
+            group='designate')
+        config.cfg.CONF.set_override('url',
+                                     self.TEST_URL,
+                                     group='designate')
+        config.cfg.CONF.set_override('auth_type',
+                                     'password',
+                                     group='designate')
+        config.cfg.CONF.set_override('username',
+                                     self.TEST_ADMIN_USERNAME,
+                                     group='designate')
+        config.cfg.CONF.set_override('password',
+                                     self.TEST_ADMIN_PASSWORD,
+                                     group='designate')
+        config.cfg.CONF.set_override('user_domain_id',
+                                     self.TEST_ADMIN_USER_DOMAIN_ID,
+                                     group='designate')
+        config.cfg.CONF.set_override('project_domain_id',
+                                     self.TEST_ADMIN_PROJECT_DOMAIN_ID,
+                                     group='designate')
+        config.cfg.CONF.set_override('auth_url',
+                                     self.TEST_ADMIN_AUTH_URL,
+                                     group='designate')
+
+        # enforce session recalculation
+        mock.patch.object(driver, '_SESSION', new=None).start()
+        self.driver_session = (
+            mock.patch.object(driver.session, 'Session').start())
+        self.load_auth = (
+            mock.patch.object(driver.loading,
+                'load_auth_from_conf_options').start())
+        self.password = (
+            mock.patch.object(driver.password, 'Password').start())
+
+    def tearDown(self):
+        super(TestDesignateClientKeystoneV3, self).tearDown()
+        config.cfg.CONF.unregister_opts(
+            loading.get_auth_plugin_conf_options('password'),
+            group='designate')
+
+    def test_insecure_client(self):
+        config.cfg.CONF.set_override('insecure',
+                                     True,
+                                     group='designate')
+        driver.get_clients(self.TEST_CONTEXT)
+        self.driver_session.assert_called_with(verify=False)
+
+    def test_secure_client(self):
+        config.cfg.CONF.set_override('insecure',
+                                     False,
+                                     group='designate')
+        config.cfg.CONF.set_override('ca_cert',
+                                     self.TEST_CA_CERT,
+                                     group='designate')
+        driver.get_clients(self.TEST_CONTEXT)
+        self.driver_session.assert_called_with(verify=self.TEST_CA_CERT)
+
+    def test_auth_type_password(self):
+        driver.get_clients(self.TEST_CONTEXT)
+        self.load_auth.assert_called_with(config.cfg.CONF, 'designate')
+        self.password.assert_not_called()

releasenotes/notes/designate-driver-keystonev3-8e70d152e84388e0.yaml

@@ -0,0 +1,9 @@
+---
+prelude: >
+    Designate driver can use Keystone v3 auth options.
+features:
+  - "[designate] section accepts now auth_type parameter,
+    and the usual keystoneauth options (e.g. auth_url,
+    username, user_domain_name, password, project_name,
+    project_domain_name), so Keystone v3 endpoints can
+    be used."