Fix to enable NovaClient to use TLS verification

- This patch enables NovaClient to use TLS verification,
  when specifying `nova_verify_cert` and `nova_ca_cert_file`.

Closes-Bug: #2071399
Change-Id: Ife5eee7df4326de0e0500da62049f97ad5c20aab

tacker/sol_refactored/common/config.py

@@ -134,7 +134,15 @@ VNFM_OPTS = [
     cfg.StrOpt('tf_file_dir',
              default='/var/lib/tacker/terraform',
              help=_('Temporary directory for Terraform infra-driver to '
-                    'store terraform config files'))
+                    'store terraform config files')),
+    cfg.BoolOpt('nova_verify_cert',
+                default=False,
+                help=_('Enable certificate verification during SSL/TLS '
+                       'communication to nova server.')),
+    cfg.StrOpt('nova_ca_cert_file',
+               default='',
+               help=_('Specifies the root CA certificate to use when the '
+                      'nova_verify_cert option is True.'))
 ]
 
 CONF.register_opts(VNFM_OPTS, 'v2_vnfm')

tacker/sol_refactored/infra_drivers/openstack/nova_utils.py

@@ -15,22 +15,29 @@
 
 from oslo_log import log as logging
 
+from tacker.sol_refactored.common import config
 from tacker.sol_refactored.common import http_client
 
 
 LOG = logging.getLogger(__name__)
 
+CONF = config.CONF
+
 
 class NovaClient(object):
 
     def __init__(self, vim_info):
+        verify = CONF.v2_vnfm.nova_verify_cert
+        if verify and CONF.v2_vnfm.nova_ca_cert_file:
+            verify = CONF.v2_vnfm.nova_ca_cert_file
         auth = http_client.KeystonePasswordAuthHandle(
             auth_url=vim_info.interfaceInfo['endpoint'],
             username=vim_info.accessInfo['username'],
             password=vim_info.accessInfo['password'],
             project_name=vim_info.accessInfo['project'],
             user_domain_name=vim_info.accessInfo['userDomain'],
-            project_domain_name=vim_info.accessInfo['projectDomain']
+            project_domain_name=vim_info.accessInfo['projectDomain'],
+            verify=verify
         )
         self.client = http_client.HttpClient(auth,
                                              service_type='compute')

tacker/tests/unit/sol_refactored/infra_drivers/openstack/test_openstack.py

@@ -24,6 +24,7 @@ from tacker import context
 from tacker.sol_refactored.common import config
 from tacker.sol_refactored.common import exceptions as sol_ex
 from tacker.sol_refactored.common import vnfd_utils
+from tacker.sol_refactored.infra_drivers.openstack import nova_utils
 from tacker.sol_refactored.infra_drivers.openstack import openstack
 from tacker.sol_refactored import objects
 from tacker.sol_refactored.objects.v2 import fields
@@ -4758,3 +4759,46 @@ class TestOpenstack(base.BaseTestCase):
         # execute
         result = self.driver._get_additional_vdu_id(grant_req, inst)
         self.assertEqual({'VDU1-1', 'VDU1-2'}, result)
+
+    def test_nova_utils_init_no_verify(self):
+        """Test in case `verify` is False.
+
+        `verify` is False when not specifying `nova_verify_cert` and
+        `nova_ca_cert_file`.
+        """
+        vim_info = objects.VimConnectionInfo.from_dict(
+            _vim_connection_info_example)
+        nova_client = nova_utils.NovaClient(vim_info)
+        verify = nova_client.client.auth_handle.verify
+        self.assertEqual(False, verify)
+
+    def test_nova_utils_init_verify(self):
+        """Test in case `verify` is ca_cert path.
+
+        `verify` is ca_cert path when specifying `nova_verify_cert` and
+        `nova_ca_cert_file`.
+        """
+        CONF.v2_vnfm.nova_verify_cert = True
+        ca_cert_path = 'ca_cert_path'
+        CONF.v2_vnfm.nova_ca_cert_file = ca_cert_path
+
+        vim_info = objects.VimConnectionInfo.from_dict(
+            _vim_connection_info_example)
+        nova_client = nova_utils.NovaClient(vim_info)
+        verify = nova_client.client.auth_handle.verify
+        self.assertEqual(ca_cert_path, verify)
+
+    def test_nova_utils_init_verify_no_ca_cert_file(self):
+        """Test in case `verify` is True.
+
+        `verify` is True when specifying `nova_verify_cert` but
+        not specifying `nova_ca_cert_file`.
+        """
+        CONF.v2_vnfm.nova_verify_cert = True
+        CONF.v2_vnfm.nova_ca_cert_file = ''
+
+        vim_info = objects.VimConnectionInfo.from_dict(
+            _vim_connection_info_example)
+        nova_client = nova_utils.NovaClient(vim_info)
+        verify = nova_client.client.auth_handle.verify
+        self.assertEqual(True, verify)