diff --git a/rally/deploy/engines/existing.py b/rally/deploy/engines/existing.py
index e240fe5c0b..0c20fba402 100644
--- a/rally/deploy/engines/existing.py
+++ b/rally/deploy/engines/existing.py
@@ -32,7 +32,9 @@ class ExistingCloud(engine.EngineFactory):
 "username": "admin",
 "password": "password",
 "tenant_name": "demo"
- }
+ },
+ "https_insecure": False,
+ "https_cacert": "",
 }
 Or, using keystone v3 API endpoint:
@@ -48,7 +50,9 @@ class ExistingCloud(engine.EngineFactory):
 "user_domain_name": "admin",
 "project_name": "admin",
 "project_domain_name": "admin",
- }
+ },
+ "https_insecure": False,
+ "https_cacert": "",
 }
 """
@@ -91,6 +95,8 @@ class ExistingCloud(engine.EngineFactory):
 "enum": [consts.EndpointType.ADMIN,
 consts.EndpointType.INTERNAL,
 consts.EndpointType.PUBLIC]},
+ "https_insecure": {"type": "boolean"},
+ "https_cacert": {"type": "string"},
 },
 "anyOf": [
 {
@@ -120,7 +126,9 @@ class ExistingCloud(engine.EngineFactory):
 endpoint=common.get("endpoint"),
 domain_name=user.get("domain_name"),
 user_domain_name=user.get("user_domain_name", "Default"),
- project_domain_name=user.get("project_domain_name", "Default")
+ project_domain_name=user.get("project_domain_name", "Default"),
+ https_insecure=common.get("https_insecure", False),
+ https_cacert=common.get("https_cacert")
 )
 def deploy(self):
diff --git a/rally/objects/endpoint.py b/rally/objects/endpoint.py
index 200e048239..24ac9077f7 100644
--- a/rally/objects/endpoint.py
+++ b/rally/objects/endpoint.py
@@ -22,7 +22,8 @@ class Endpoint(object):
 permission=consts.EndpointPermission.USER,
 region_name=None, endpoint_type=consts.EndpointType.PUBLIC,
 admin_port=None, domain_name=None, endpoint=None,
- user_domain_name="Default", project_domain_name="Default"):
+ user_domain_name="Default", project_domain_name="Default",
+ https_insecure=None, https_cacert=None):
 self.auth_url = auth_url
 self.username = username
 self.password = password
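Review bot: The schema entry `"https_cacert": {"type": "string"}` in rally/deploy/engines/existing.py (`@@ -91,6 +95,8`) does not admit null, yet the fixture added in tests/unit/deploy/engines/test_existing.py sets `"https_cacert": None` and `Endpoint` defaults the value to `None`. If a config carrying `None` is ever run through this schema it would be rejected, which leaves `""` as the only way to write "no CA file" and that value is not the same as unset further down. Consider `"https_cacert": {"type": ["string", "null"]}`, or keep the key string-only and drop `None` from the fixture. The schema dict begins and ends outside the hunk.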
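Review bot: In rally/deploy/engines/existing.py (`@@ -120,7 +126,9`), `common.get("https_insecure", False)` means an endpoint built here never carries `None` for this flag, so the `is None` fallback to `CONF.https_insecure` that this commit adds in `Clients.__init__` cannot trigger for such deployments. An operator who still has `https_insecure = True` in rally.conf would lose that setting without any message, while `https_cacert` (no default here) does fall back, so the two options behave differently. If the rally.conf fallback is meant to work during the deprecation period, pass `https_insecure=common.get("https_insecure")` and let `Clients` resolve the default. The enclosing call starts above the hunk.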
@@ -34,6 +35,8 @@ class Endpoint(object):
 self.user_domain_name = user_domain_name
 self.project_domain_name = project_domain_name
 self.endpoint = endpoint
+ self.insecure = https_insecure
+ self.cacert = https_cacert
 if admin_port:
 import warnings
 warnings.warn("'admin_port' argument is deprecated and will "
@@ -46,6 +49,8 @@ class Endpoint(object):
 "endpoint_type": self.endpoint_type,
 "domain_name": self.domain_name,
 "endpoint": self.endpoint,
+ "https_insecure": self.insecure,
+ "https_cacert": self.cacert,
 "user_domain_name": self.user_domain_name,
 "project_domain_name": self.project_domain_name}
 if include_permission:
diff --git a/rally/osclients.py b/rally/osclients.py
index 610af32061..3030c725a9 100644
--- a/rally/osclients.py
+++ b/rally/osclients.py
@@ -30,9 +30,11 @@ OSCLIENTS_OPTS = [
 cfg.FloatOpt("openstack_client_http_timeout", default=180.0,
 help="HTTP timeout for any of OpenStack service in seconds"),
 cfg.BoolOpt("https_insecure", default=False,
- help="Use SSL for all OpenStack API interfaces"),
+ help="Use SSL for all OpenStack API interfaces",
+ deprecated_for_removal=True),
 cfg.StrOpt("https_cacert", default=None,
- help="Path to CA server cetrificate for SSL")
+ help="Path to CA server cetrificate for SSL",
+ deprecated_for_removal=True)
 ]
 CONF.register_opts(OSCLIENTS_OPTS)
@@ -73,6 +75,12 @@ class Clients(object):
 def __init__(self, endpoint):
 self.endpoint = endpoint
+ # NOTE(kun) Apply insecure/cacert settings from rally.conf if those are
+ # not set in deployment config. Remove it when invaild.
+ if self.endpoint.insecure is None:
+ self.endpoint.insecure = CONF.https_insecure
+ if self.endpoint.cacert is None:
+ self.endpoint.cacert = CONF.https_cacert
 self.cache = {}
 @classmethod
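Review bot: The help text kept for `https_insecure` in rally/osclients.py (`@@ -30,9 +30,11`) reads "Use SSL for all OpenStack API interfaces", but the value is handed to the clients as `insecure=`, so it switches certificate verification off rather than switching TLS on. Because these two options are being edited for deprecation anyway, the text should describe the real effect and name the replacement, for example `help="Skip TLS certificate verification for OpenStack API calls; deprecated, set https_insecure in the deployment config instead"`. `cetrificate` in the `https_cacert` help is a typo for `certificate`.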
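Review bot: `Clients.__init__` (`@@ -73,6 +75,12`) writes the rally.conf defaults back into the caller's `endpoint` object, so after a `Clients` is constructed `endpoint.to_dict()` reports the resolved values under `https_insecure`/`https_cacert` as if they had come from the deployment config. If that dict is stored or compared anywhere (not visible in this diff), a global `https_insecure = True` could end up recorded per deployment and outlive the deprecated option. Resolving into attributes of `Clients` itself, e.g. `self.insecure = CONF.https_insecure if endpoint.insecure is None else endpoint.insecure`, keeps the endpoint unchanged. The NOTE comment should also say when the fallback can be deleted; "Remove it when invaild" presumably means "remove once the rally.conf options are dropped".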
@@ -95,7 +103,7 @@ class Clients(object):
 """Return keystone client."""
 new_kw = {
 "timeout": CONF.openstack_client_http_timeout,
- "insecure": CONF.https_insecure, "cacert": CONF.https_cacert
+ "insecure": self.endpoint.insecure, "cacert": self.endpoint.cacert
 }
 kw = self.endpoint.to_dict()
 kw.update(new_kw)
@@ -137,8 +145,8 @@ class Clients(object):
 auth_token=kc.auth_token,
 http_log_debug=logging.is_debug(),
 timeout=CONF.openstack_client_http_timeout,
- insecure=CONF.https_insecure,
- cacert=CONF.https_cacert)
+ insecure=self.endpoint.insecure,
+ cacert=self.endpoint.cacert)
 client.set_management_url(compute_api_url)
 return client
@@ -155,8 +163,8 @@ class Clients(object):
 token=kc.auth_token,
 endpoint_url=network_api_url,
 timeout=CONF.openstack_client_http_timeout,
- insecure=CONF.https_insecure,
- ca_cert=CONF.https_cacert)
+ insecure=self.endpoint.insecure,
+ ca_cert=self.endpoint.cacert)
 return client
 @cached
@@ -172,8 +180,8 @@ class Clients(object):
 endpoint=image_api_url,
 token=kc.auth_token,
 timeout=CONF.openstack_client_http_timeout,
- insecure=CONF.https_insecure,
- cacert=CONF.https_cacert)
+ insecure=self.endpoint.insecure,
+ cacert=self.endpoint.cacert)
 return client
 @cached
@@ -189,8 +197,8 @@ class Clients(object):
 endpoint=orchestration_api_url,
 token=kc.auth_token,
 timeout=CONF.openstack_client_http_timeout,
- insecure=CONF.https_insecure,
- cacert=CONF.https_cacert)
+ insecure=self.endpoint.insecure,
+ cacert=self.endpoint.cacert)
 return client
 @cached
@@ -200,8 +208,8 @@ class Clients(object):
 client = cinder.Client(version, None, None,
 http_log_debug=logging.is_debug(),
 timeout=CONF.openstack_client_http_timeout,
- insecure=CONF.https_insecure,
- cacert=CONF.https_cacert)
+ insecure=self.endpoint.insecure,
+ cacert=self.endpoint.cacert)
 kc = self.keystone()
 volume_api_url = kc.service_catalog.url_for(
 service_type="volume",
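Review bot: In `keystone()` (`@@ -95,7 +103,7`) `kw` starts from `self.endpoint.to_dict()`, which after this commit also contains `https_insecure` and `https_cacert`, so the keyword set now carries the TLS settings under two names (`insecure`/`cacert` and `https_insecure`/`https_cacert`). The consumer of `kw` is outside the hunk; the `self.kwargs` fixture change in tests/unit/test_osclients.py suggests the extra keys do reach the keystone client factory. Dropping them before the merge keeps a single source of truth for verification settings: `kw.pop("https_insecure", None)` and `kw.pop("https_cacert", None)` ahead of `kw.update(new_kw)`.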
@@ -230,8 +238,8 @@ class Clients(object):
 os_endpoint=metering_api_url,
 token=auth_token,
 timeout=CONF.openstack_client_http_timeout,
- insecure=CONF.https_insecure,
- cacert=CONF.https_cacert)
+ insecure=self.endpoint.insecure,
+ cacert=self.endpoint.cacert)
 return client
 @cached
@@ -247,8 +255,8 @@ class Clients(object):
 os_auth_token=kc.auth_token,
 ironic_url=baremetal_api_url,
 timeout=CONF.openstack_client_http_timeout,
- insecure=CONF.https_insecure,
- cacert=CONF.https_cacert)
+ insecure=self.endpoint.insecure,
+ cacert=self.endpoint.cacert)
 return client
 @cached
@@ -278,7 +286,7 @@ class Clients(object):
 "os_project_name": self.endpoint.tenant_name,
 "os_project_id": kc.auth_tenant_id,
 "os_auth_url": self.endpoint.auth_url,
- "insecure": CONF.https_insecure,
+ "insecure": self.endpoint.insecure,
 }}}
 client = zaqar.Client(url=messaging_api_url,
 version=version,
@@ -313,7 +321,7 @@ class Clients(object):
 client = designate.Client(
 endpoint=dns_api_url,
 token=kc.auth_token,
- insecure=CONF.https_insecure)
+ insecure=self.endpoint.insecure)
 return client
 @cached
@@ -327,8 +335,8 @@ class Clients(object):
 auth_url=self.endpoint.auth_url,
 region_name=self.endpoint.region_name,
 timeout=CONF.openstack_client_http_timeout,
- insecure=CONF.https_insecure,
- cacert=CONF.https_cacert)
+ insecure=self.endpoint.insecure,
+ cacert=self.endpoint.cacert)
 return client
 @cached
@@ -359,8 +367,8 @@ class Clients(object):
 client = swift.Connection(retries=1,
 preauthurl=object_api_url,
 preauthtoken=kc.auth_token,
- insecure=CONF.https_insecure,
- cacert=CONF.https_cacert)
+ insecure=self.endpoint.insecure,
+ cacert=self.endpoint.cacert)
 return client
 @cached
@@ -382,7 +390,7 @@ class Clients(object):
 url=ec2_api_url,
 aws_access_key_id=ec2_credential.access,
 aws_secret_access_key=ec2_credential.secret,
- is_secure=CONF.https_insecure)
+ is_secure=self.endpoint.insecure)
 return client
 @cached
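Review bot: The zaqar (`@@ -278,7 +286,7`) and designate (`@@ -313,7 +321,7`) clients receive only `insecure` and never the endpoint's `cacert`, unlike the other clients rewritten in this file. For a deployment whose API certificates are signed by a private CA, these two services would fail verification unless `https_insecure` is set to true, and that flag now turns verification off for every client of the deployment. Whether these client libraries accept a CA bundle argument is not visible here; if they do, pass `self.endpoint.cacert`, and if not, a comment such as `# NOTE: this client has no cacert option; private CAs need the system trust store` would record the limitation. Both functions start outside their hunks.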
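Review bot: `is_secure=self.endpoint.insecure` in the ec2 client (`@@ -382,7 +390,7`) feeds the "skip certificate verification" flag into a boto parameter that selects whether the connection uses HTTPS at all. With the default `https_insecure=False` this requests plain HTTP even for an `https://` endpoint URL, and certificate verification is not controlled by the flag in either direction. The mapping is inherited from the old `CONF.https_insecure` line, but since the line is rewritten here it is the place to correct it: leave `is_secure` to be derived from the URL scheme and pass `validate_certs=not self.endpoint.insecure`. The expectation in tests/unit/test_osclients.py (`@@ -405,7 +406,7`) pins the current mapping and would need the same change; the function body starts outside the hunk.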
diff --git a/samples/deployments/existing-keystone-v3.json b/samples/deployments/existing-keystone-v3.json
index c5d97a08ce..6d7bcfc379 100644
--- a/samples/deployments/existing-keystone-v3.json
+++ b/samples/deployments/existing-keystone-v3.json
@@ -9,5 +9,7 @@
 "user_domain_name": "admin",
 "project_name": "admin",
 "project_domain_name": "admin",
- }
+ },
+ "https_insecure": False,
+ "https_cacert": "",
 }
diff --git a/samples/deployments/existing-with-given-endpoint.json b/samples/deployments/existing-with-given-endpoint.json
index 89af49e142..1b058fa0d7 100644
--- a/samples/deployments/existing-with-given-endpoint.json
+++ b/samples/deployments/existing-with-given-endpoint.json
@@ -8,5 +8,7 @@
 "username": "admin",
 "password": "pa55word",
 "tenant_name": "demo"
- }
+ },
+ "https_insecure": False,
+ "https_cacert": "",
 }
diff --git a/samples/deployments/existing.json b/samples/deployments/existing.json
index b445f62ac3..532bf5afd0 100644
--- a/samples/deployments/existing.json
+++ b/samples/deployments/existing.json
@@ -7,5 +7,7 @@
 "username": "admin",
 "password": "myadminpass",
 "tenant_name": "demo"
- }
+ },
+ "https_insecure": False,
+ "https_cacert": "",
 }
diff --git a/tests/unit/deploy/engines/test_existing.py b/tests/unit/deploy/engines/test_existing.py
index c534059fb0..35d9758cd1 100644
--- a/tests/unit/deploy/engines/test_existing.py
+++ b/tests/unit/deploy/engines/test_existing.py
@@ -32,6 +32,8 @@ class TestExistingCloud(test.TestCase):
 "auth_url": "http://example.net:5000/v2.0/",
 "region_name": "RegionOne",
 "endpoint_type": consts.EndpointType.INTERNAL,
+ "https_insecure": False,
+ "https_cacert": None,
 "admin": {
 "username": "admin",
 "password": "myadminpass",
diff --git a/tests/unit/objects/test_endpoint.py b/tests/unit/objects/test_endpoint.py
index f401ac057b..909a2751b1 100644
--- a/tests/unit/objects/test_endpoint.py
+++ b/tests/unit/objects/test_endpoint.py
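Review bot: The three sample deployments (existing-keystone-v3.json, existing-with-given-endpoint.json and existing.json) set `"https_cacert": ""`, and an empty string is not `None`, so a config copied from them skips the rally.conf fallback in `Clients.__init__` and hands `cacert=""` to every client. How each client library treats an empty path is not visible in this diff; leaving the key out of the samples, or showing a placeholder such as `"https_cacert": "/path/to/ca-bundle.pem"`, avoids relying on it. `False` is also not a JSON literal, whereas `false` is accepted by JSON and YAML loaders alike. The same two lines appear in the docstring examples of rally/deploy/engines/existing.py.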
@@ -33,6 +33,8 @@ class EndpointTestCase(test.TestCase):
 "domain_name": None,
 "endpoint": None,
 "endpoint_type": consts.EndpointType.PUBLIC,
+ "https_insecure": None,
+ "https_cacert": None,
 "project_domain_name": "Default",
 "user_domain_name": "Default"})
@@ -50,6 +52,8 @@ class EndpointTestCase(test.TestCase):
 "endpoint": None,
 "permission": consts.EndpointPermission.ADMIN,
 "endpoint_type": consts.EndpointType.PUBLIC,
+ "https_insecure": None,
+ "https_cacert": None,
 "project_domain_name": "Default",
 "user_domain_name": "Default"})
@@ -67,5 +71,7 @@ class EndpointTestCase(test.TestCase):
 "domain_name": None,
 "endpoint": "foo_endpoint",
 "endpoint_type": consts.EndpointType.PUBLIC,
+ "https_insecure": None,
+ "https_cacert": None,
 "project_domain_name": "Default",
 "user_domain_name": "Default"})
diff --git a/tests/unit/test_api.py b/tests/unit/test_api.py
index d6c22df0b0..b0a819ccde 100644
--- a/tests/unit/test_api.py
+++ b/tests/unit/test_api.py
@@ -177,6 +177,8 @@ class BaseDeploymentTestCase(test.TestCase):
 admin_endpoint["endpoint"] = None
 admin_endpoint.update(admin_endpoint.pop("admin"))
 admin_endpoint["permission"] = consts.EndpointPermission.ADMIN
+ admin_endpoint["https_insecure"] = False
+ admin_endpoint["https_cacert"] = None
 self.endpoints = {"admin": admin_endpoint, "users": []}
 self.deployment = {
 "uuid": self.deployment_uuid,
diff --git a/tests/unit/test_osclients.py b/tests/unit/test_osclients.py
index 69ef324aaf..2aba7ad17d 100644
--- a/tests/unit/test_osclients.py
+++ b/tests/unit/test_osclients.py
@@ -31,7 +31,8 @@ class TestCreateKeystoneClient(test.TestCase):
 def setUp(self):
 super(TestCreateKeystoneClient, self).setUp()
 self.kwargs = {"auth_url": "http://auth_url", "username": "user",
- "password": "password", "tenant_name": "tenant"}
+ "password": "password", "tenant_name": "tenant",
+ "https_insecure": False, "https_cacert": None}
 def test_create_keystone_client_v2(self):
 mock_keystone = mock.MagicMock()
@@ -179,8 +180,8 @@ class OSClientsTestCase(test.TestCase):
 "token": self.fake_keystone.auth_token,
 "endpoint_url": self.service_catalog.url_for.return_value,
 "timeout": cfg.CONF.openstack_client_http_timeout,
- "insecure": cfg.CONF.https_insecure,
- "ca_cert": cfg.CONF.https_cacert
+ "insecure": self.endpoint.insecure,
+ "ca_cert": self.endpoint.cacert
 }
 self.service_catalog.url_for.assert_called_once_with(
 service_type="network",
@@ -270,8 +271,8 @@ class OSClientsTestCase(test.TestCase):
 "os_auth_token": self.fake_keystone.auth_token,
 "ironic_url": self.service_catalog.url_for.return_value,
 "timeout": cfg.CONF.openstack_client_http_timeout,
- "insecure": cfg.CONF.https_insecure,
- "cacert": cfg.CONF.https_cacert
+ "insecure": self.endpoint.insecure,
+ "cacert": self.endpoint.cacert
 }
 mock_ironic.client.get_client.assert_called_once_with("1.0", **kw)
 self.assertEqual(fake_ironic, self.clients.cache["ironic"])
@@ -313,7 +314,7 @@ class OSClientsTestCase(test.TestCase):
 "os_project_name": self.endpoint.tenant_name,
 "os_project_id": self.fake_keystone.auth_tenant_id,
 "os_auth_url": self.endpoint.auth_url,
- "insecure": cfg.CONF.https_insecure,
+ "insecure": self.endpoint.insecure,
 }}}
 mock_zaqar.client.Client.assert_called_once_with(
 url=fake_zaqar_url, version=1.1, conf=conf)
@@ -334,8 +335,8 @@ class OSClientsTestCase(test.TestCase):
 "auth_url": self.endpoint.auth_url,
 "region_name": self.endpoint.region_name,
 "timeout": cfg.CONF.openstack_client_http_timeout,
- "insecure": cfg.CONF.https_insecure,
- "cacert": cfg.CONF.https_cacert
+ "insecure": self.endpoint.insecure,
+ "cacert": self.endpoint.cacert
 }
 mock_trove.client.Client.assert_called_once_with("1.0", **kw)
 self.assertEqual(fake_trove, self.clients.cache["trove"])
@@ -405,7 +406,7 @@ class OSClientsTestCase(test.TestCase):
 "url": "http://fake.to:1/fake",
 "aws_access_key_id": "fake_access",
 "aws_secret_access_key": "fake_secret",
- "is_secure": cfg.CONF.https_insecure,
+ "is_secure": self.endpoint.insecure,
 }
 mock_boto.connect_ec2_endpoint.assert_called_once_with(**kw)
 self.assertEqual(fake_ec2, self.clients.cache["ec2"])
@@ -417,7 +418,7 @@ class OSClientsTestCase(test.TestCase):
 "unknown_service": {}}
 mock_keystone.return_value = mock.Mock(service_catalog=mock.Mock(
 get_endpoints=lambda: available_services))
- clients = osclients.Clients({})
+ clients = osclients.Clients(self.endpoint)
 self.assertEqual(
 {consts.ServiceType.IDENTITY: consts.Service.KEYSTONE,
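Review bot: None of the tests/unit/test_osclients.py hunks exercises the precedence rule added in `Clients.__init__`: each expectation reads `self.endpoint.insecure` or `self.endpoint.cacert` back from the same object the code under test used, so the assertions hold whichever value was resolved. A case that builds an endpoint with `https_insecure=None`, overrides `CONF.https_insecure` to true and asserts that `insecure=True` reaches a client, plus the inverse case where an explicit deployment value of `False` wins over the global option, would pin the behaviour that decides whether certificates are verified. The switch from `Clients({})` to `Clients(self.endpoint)` in `@@ -417,7 +418,7` also shows that dict-like endpoints are no longer accepted, which is worth stating in the `Clients` docstring.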