Enable custom certificates for keystone communication

Nova creates a session back to keystone to verify project ids for quota and flavor access APIs. The session that was being created was not based on conf options, so it only worked in simple default scenarios. This updates the session by using the newly added keystone section to utilize keystoneauth1 to manage the session creation, which allows for specifying custom site certificates to secure the link between Nova and Keystone. Change-Id: Ice4b226fdabdfb66e60b61de05ac8f3b37610661 Closes-Bug: 1704798
2017-07-09 10:35:23 +08:00 · 2017-07-09 10:35:23 +08:00 · 1d316b6317
commit 1d316b6317
parent 7d84a99cdd
2 changed files with 36 additions and 0 deletions
--- a/nova/conf/init.py
+++ b/nova/conf/init.py
@ -40,6 +40,7 @@ from nova.conf import hyperv
 from nova.conf import ipv6
 from nova.conf import ironic
 from nova.conf import key_manager
+from nova.conf import keystone
 from nova.conf import libvirt
 from nova.conf import mks
 from nova.conf import netconf
@ -93,6 +94,7 @@ mks.register_opts(CONF)
 ipv6.register_opts(CONF)
 ironic.register_opts(CONF)
 key_manager.register_opts(CONF)
+keystone.register_opts(CONF)
 libvirt.register_opts(CONF)
 netconf.register_opts(CONF)
 network.register_opts(CONF)
--- a/nova/conf/keystone.py
+++ b/nova/conf/keystone.py
@ -0,0 +1,34 @@
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from keystoneauth1 import loading as ks_loading
+from oslo_config import cfg
+
+
+keystone_group = cfg.OptGroup(
+    'keystone',
+    title='Keystone Options',
+    help='Configuration options for the identity service')
+
+
+def register_opts(conf):
+    conf.register_group(keystone_group)
+
+    ks_loading.register_session_conf_options(conf, keystone_group.name)
+
+
+def list_opts():
+    return {
+        keystone_group: (
+            ks_loading.get_session_conf_options())
+    }