Fix designate dns driver for SSL based endpoints

Allow setting options in designate section to specify if want
to skip SSL cert check. This makes it possible to work with HTTPS
based endpoints, the default behavior of keystoneclient is to always
set verify=True however in current code, one cannot either provide
a valid CA cert or skip the verification.

DocImpact: Introduce two additional options for `[designate]` section
in neutron.conf
CONF.designate.insecure to allow insecure connections over SSL.
CONF.designate.ca_cert for a valid cert when connecting over SSL

Change-Id: Ic371cc11d783618c38ee40a18206b0c2a197bb3e
Closes-Bug: #1588067
changes/58/326958/14
imran malik 7 years ago
parent 081601706f
commit 9cd95366a0
  1. 11
      neutron/services/externaldns/drivers/designate/driver.py
  2. 59
      neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py
  3. 16
      releasenotes/notes/add-designate-driver-ssl-options-169c299c96f2aff0.yaml

@ -55,6 +55,11 @@ designate_opts = [
cfg.StrOpt('admin_auth_url',
help=_('Authorization URL for connecting to designate in admin '
'context')),
cfg.BoolOpt('insecure', default=False,
help=_('Skip cert validation for SSL based admin_auth_url')),
cfg.StrOpt('ca_cert',
help=_('CA certificate file to use to verify '
'connecting clients')),
cfg.BoolOpt('allow_reverse_dns_lookup', default=True,
help=_('Allow the creation of PTR records')),
cfg.IntOpt('ipv4_ptr_zone_prefix_size', default=24,
@ -83,7 +88,11 @@ def get_clients(context):
global _SESSION
if not _SESSION:
_SESSION = session.Session()
if CONF.designate.insecure:
verify = False
else:
verify = CONF.designate.ca_cert or True
_SESSION = session.Session(verify=verify)
auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
client = d_client.Client(session=_SESSION, auth=auth)

@ -13,9 +13,12 @@
# License for the specific language governing permissions and limitations
# under the License.
import uuid
import mock
import netaddr
from neutron_lib import constants
import testtools
from neutron import context
from neutron.db import dns_db
@ -24,6 +27,7 @@ from neutron.extensions import providernet as pnet
from neutron import manager
from neutron.plugins.ml2 import config
from neutron.plugins.ml2.extensions import dns_integration
from neutron.services.externaldns.drivers.designate import driver
from neutron.tests.unit.plugins.ml2 import test_plugin
@ -497,3 +501,58 @@ class DNSIntegrationTestCase(test_plugin.Ml2PluginV2TestCase):
config.cfg.CONF.set_override('dns_domain', DNSDOMAIN)
net, port, dns_data_db = self._create_port_for_test()
self._verify_port_dns(net, port, dns_data_db)
class TestDesignateClient(testtools.TestCase):
"""Test case for designate clients """
TEST_URL = 'http://127.0.0.1:9001/v2'
TEST_ADMIN_USERNAME = uuid.uuid4().hex
TEST_ADMIN_PASSWORD = uuid.uuid4().hex
TEST_ADMIN_TENANT_NAME = uuid.uuid4().hex
TEST_ADMIN_TENANT_ID = uuid.uuid4().hex
TEST_ADMIN_AUTH_URL = 'http://127.0.0.1:35357/v2.0'
TEST_CA_CERT = uuid.uuid4().hex
TEST_CONTEXT = mock.Mock()
TEST_CONTEXT.auth_token = uuid.uuid4().hex
def setUp(self):
super(TestDesignateClient, self).setUp()
config.cfg.CONF.set_override('url',
self.TEST_URL,
group='designate')
config.cfg.CONF.set_override('admin_username',
self.TEST_ADMIN_USERNAME,
group='designate')
config.cfg.CONF.set_override('admin_password',
self.TEST_ADMIN_PASSWORD,
group='designate')
config.cfg.CONF.set_override('admin_auth_url',
self.TEST_ADMIN_AUTH_URL,
group='designate')
config.cfg.CONF.set_override('admin_tenant_id',
self.TEST_ADMIN_TENANT_ID,
group='designate')
config.cfg.CONF.set_override('admin_tenant_name',
self.TEST_ADMIN_TENANT_NAME,
group='designate')
driver.session.Session = mock.MagicMock()
def test_insecure_client(self):
config.cfg.CONF.set_override('insecure',
True,
group='designate')
driver.get_clients(self.TEST_CONTEXT)
driver.session.Session.assert_called_with(verify=False)
def test_secure_client(self):
config.cfg.CONF.set_override('insecure',
False,
group='designate')
config.cfg.CONF.set_override('ca_cert',
self.TEST_CA_CERT,
group='designate')
driver.get_clients(self.TEST_CONTEXT)
driver.session.Session.assert_called_with(verify=self.TEST_CA_CERT)

@ -0,0 +1,16 @@
---
prelude: >
Add options to designate external dns driver
of neutron for SSL based connections. This makes
it possible to use neutron with designate in scenario
where endpoints are SSL based. Users can specify to
skip cert validation or specify path to a valid cert
in [designate] section of neutron.conf file.
features:
- Two new options are added to `[designate]` section to
support SSL.
- First option `insecure` allows to skip SSL validation
when creating a keystone session to initate a designate client.
Default value is False, which means to always verify connection.
- Second option `ca_cert` allows setting path to a valid cert file.
Default is None.
Loading…
Cancel
Save