Fix verification of certificates signed by a private CA

When using a certificate that was signed by a private CA (including
self-signed certs) on Neutron endpoints, certificate verification fails.

This was because the custom certificate was not used when creating
the user's session even though the custom certificate file path is provided
in octavia.conf.

Fixing by feeding neutron cafile as a keyword argument.

Closes-Bug: #2046382
Co-authored-by: Ilia Kerbs <ikerbs@protonmail.com>

Change-Id: Ia92fa6140b0fc608281e846d0635dd28217f2630
Seunghun Lee 2024-09-23 16:38:26 +01:00 committed by Pierre Riteau
parent 9f0634c23a
commit b0aa2a36f1
2 changed files with 12 additions and 1 deletions


@ -111,6 +111,7 @@ class NeutronAuth:
client.
"""
sess = keystone.KeystoneSession('neutron').get_session()
kwargs = {}
neutron_endpoint = CONF.neutron.endpoint_override
if neutron_endpoint is None:
endpoint_data = sess.get_endpoint_data(
@ -119,8 +120,13 @@ class NeutronAuth:
region_name=CONF.neutron.region_name)
neutron_endpoint = endpoint_data.catalog_url
neutron_cafile = getattr(CONF.neutron, "cafile", None)
insecure = getattr(CONF.neutron, "insecure", False)
kwargs['verify'] = not insecure
if neutron_cafile is not None and not insecure:
kwargs['verify'] = neutron_cafile
user_auth = token_endpoint.Token(neutron_endpoint, context.auth_token)
user_sess = session.Session(auth=user_auth)
user_sess = session.Session(auth=user_auth, **kwargs)
conn = openstack.connection.Connection(
session=user_sess, oslo_conf=CONF)
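
Review bot: No test accompanies the new `verify` handling passed to `session.Session(auth=user_auth, **kwargs)`; the commit changes only this file and the release note. A unit test asserting the three outcomes would keep this from regressing: `verify` equals the cafile path when `cafile` is set, `True` when neither option is set, and `False` when `insecure` is true. Separately, when both `cafile` and `insecure` are set, the `not insecure` guard silently turns verification off, so a warning log in that case would help operators notice that the configured CA file is being ignored. The `getattr(CONF.neutron, "cafile", None)` and `getattr(CONF.neutron, "insecure", False)` defaults would also mask a missing option registration, whereas `CONF.neutron.endpoint_override` in the previous hunk is read directly; reading both options the same way would be more consistent.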


@ -0,0 +1,5 @@
---
fixes:
- |
Fix verification of certificates signed by a private CA when using Neutron
endpoints.
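
Review bot: The `fixes:` entry does not say which setting is affected, so an operator reading the release notes cannot tell whether the change applies to them. Suggest naming the `cafile` option of the `neutron` group in octavia.conf and stating that it is now applied to the user's session, and noting that it is not used when `insecure` is enabled.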