Fix VIM registration error

The VIM registration fails in an environment where an admin-endpoint is close even if a reachable public-endpoint is used in the VIM configuration. The cause of this problem is that the endpoint for the keystone API and the endpoint for the authentication are different inside the keystone client. The keystone client implicitly selects admin-endpoint for API requests from service catalogs unless we specify an endpoint URL or interface [1], i.e., the auth_url in the VIM configuration isn't used for API requests. This patch solves the above problem by specifying an endpoint URL when creating a keystone client instance. Note that specifying an interface can be a better solution, as the keystone can provide different interfaces with the same endpoint URL. However, to achieve this, we have to add a new field to the VIM configuration for the interface, which makes a huge modification. Thus, this patch doesn't take this solution. Also, this patch includes a tiny refactoring on the OpenStack driver. [1] d5cb761763/keystoneclient/httpclient.py (L251) Change-Id: Ic743fadbd1ddd59ca6755949e03b77c8715be459 Closes-bug: #1920088 Signed-off-by: Hiromu Asahina <hiromu.asahina.az@hco.ntt.co.jp>
2021-10-30 02:25:47 +09:00 · 2021-10-30 02:25:47 +09:00 · fff6cec4f2
parent e501198b0f
commit fff6cec4f2
2 changed files with 8 additions and 4 deletions
--- a/tacker/nfvo/drivers/vim/openstack_driver.py
+++ b/tacker/nfvo/drivers/vim/openstack_driver.py
@ -117,8 +117,7 @@ class OpenStack_Driver(abstract_vim_driver.VimAbstractDriver,

        Initialize keystoneclient with provided authentication attributes.
        """
-        verify = 'True' == vim_obj['auth_cred'].get('cert_verify', 'True') \
-                 or False
+        verify = 'True' == vim_obj['auth_cred'].get('cert_verify', 'True')
        auth_url = vim_obj['auth_url']
        keystone_version = NfvoPlugin.validate_keystone_auth_url(
            auth_url=auth_url,
--- a/tacker/vnfm/keystone.py
+++ b/tacker/vnfm/keystone.py
@ -53,13 +53,18 @@ class Keystone(object):
        return ses.get_endpoint(service_type, region_name)

    def initialize_client(self, **kwargs):
-        verify = 'True' == kwargs.pop('cert_verify', 'True') or False
+        verify = 'True' == kwargs.pop('cert_verify', 'True')
        if 'token' in kwargs:
            auth_plugin = identity.v3.Token(**kwargs)
        else:
            auth_plugin = identity.v3.Password(**kwargs)
        ses = self.get_session(auth_plugin=auth_plugin, verify=verify)
-        cli = client.Client(DEFAULT_IDENTITY_VERSION, session=ses)
+        # note: Using `interface` may be an appropriate way to control
+        # the keystone endpoint, e.g., client.Client(DEFAULT_IDENTITY_VERSION,
+        # session=ses, interface=interface), but it requires the modification
+        # in the DB schema. Thus, use `endpoint_override` for now.
+        cli = client.Client(DEFAULT_IDENTITY_VERSION, session=ses,
+                            endpoint_override=auth_plugin.auth_url)
        return cli

    @staticmethod