From 784524a53370209607d92e73bc605783e3bbfdbb Mon Sep 17 00:00:00 2001
From: Matt Crees
Date: Wed, 13 Dec 2023 11:48:16 +0000
Subject: [PATCH] Add support for specifying a custom CA bundle

Adds the new config option ``cafile``, which is passed into the Session invocations for SSL verification.

Partial-Bug: #2045281
Change-Id: I2ec5bc7ac929534175d380d2e3e535a5e7abd962
(cherry picked from commit 0481ad4ad9d72b9d65d42ef2d489b653c9f76bed)
---
 blazar/config.py | 4 +++-
 blazar/utils/openstack/base.py | 20 +++++++++++++++++--
 blazar/utils/openstack/neutron.py | 7 ++++++-
 blazar/utils/openstack/nova.py | 10 +++++++++-
 blazar/utils/openstack/placement.py | 7 ++++++-
 ...ing-custom-ca-bundle-df71047568cd82f6.yaml | 7 +++++++
 6 files changed, 49 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/support-passing-custom-ca-bundle-df71047568cd82f6.yaml

diff --git a/blazar/config.py b/blazar/config.py
index c52f35ff6..621dc8927 100644
--- a/blazar/config.py
+++ b/blazar/config.py
@@ -65,7 +65,9 @@
 help='A domain name the os_admin_username belongs to.'),
 cfg.StrOpt('os_admin_project_domain_name',
 default='Default',
- help='A domain name the os_admin_project_name belongs to')
+ help='A domain name the os_admin_project_name belongs to'),
+ cfg.StrOpt('cafile',
+ help='Path of the custom CA certificates bundle.'),
 ]
 api_opts = [
diff --git a/blazar/utils/openstack/base.py b/blazar/utils/openstack/base.py
index d71ab04f5..ff8f5e66d 100644
--- a/blazar/utils/openstack/base.py
+++ b/blazar/utils/openstack/base.py
@@ -85,7 +85,15 @@ def client_kwargs(**_kwargs):
 auth_kwargs.update(project_name=project_name)
 auth = v3.Password(**auth_kwargs)
- sess = session.Session(auth=auth)
+
+ sess_kwargs = dict(
+ auth=auth
+ )
+
+ if CONF.cafile:
+ sess_kwargs.update(verify=CONF.cafile)
+
+ sess = session.Session(**sess_kwargs)
 kwargs.setdefault('session', sess)
 kwargs.setdefault('region_name', region_name)
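Review bot: The help string on the new `cafile` StrOpt does not tell the operator what the bundle is used for or what it replaces, and the option sits in `[DEFAULT]` with no cross-reference to the per-service sections it affects. Since the value is handed to keystoneauth as `verify` (and to novaclient as `cacert`), the bundle becomes the only trust store consulted for Blazar's calls to Keystone, Nova, Neutron and Placement, as far as I know of requests' `verify` semantics; an operator who expects it to be added on top of the system CAs will get verification failures for endpoints signed by public CAs. I'd make that explicit: `help='Path to a CA certificate bundle (PEM) used to verify the TLS certificates of other OpenStack service endpoints. When set it replaces the default system trust store; leave unset to use the system CAs.'`.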
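Review bot: The six-line `sess_kwargs = dict(auth=auth) … session.Session(**sess_kwargs)` block introduced here in `client_kwargs` is duplicated verbatim in `client_user_kwargs`, `neutron.py`, `nova.py` and `placement.py` in the same patch, so the CA handling now lives in five places. A small helper in `base.py` that builds the Session once would keep the TLS policy in one spot, which matters the moment a follow-up adds the usual companions (`insecure`, client cert/key) and has to touch every site; the other modules already import `session` and `CONF`, so they could import the helper as well, though I have not checked for import cycles. `client_kwargs` starts and ends outside the hunk, so the fence below shows only the new helper and the one line that changes.
```python
def build_session(auth):
    """Return a keystoneauth Session for *auth*.

    TLS certificates are verified against CONF.cafile when it is set;
    otherwise keystoneauth's default (the system CA store) applies.
    """
    sess_kwargs = {'auth': auth}
    if CONF.cafile:
        sess_kwargs['verify'] = CONF.cafile
    return session.Session(**sess_kwargs)

# … unchanged: client_kwargs body up to auth = v3.Password(**auth_kwargs) …
    sess = build_session(auth)
```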
@@ -117,7 +125,15 @@ def client_user_kwargs(**_kwargs):
 data = admin_ks_client.tokens.get_token_data(ctx.auth_token)
 access_info = create_access_info(body=data, auth_token=ctx.auth_token)
 auth = access.AccessInfoPlugin(access_info, auth_url=auth_url)
- sess = session.Session(auth=auth)
+
+ sess_kwargs = dict(
+ auth=auth
+ )
+
+ if CONF.cafile:
+ sess_kwargs.update(verify=CONF.cafile)
+
+ sess = session.Session(**sess_kwargs)
 kwargs.setdefault('session', sess)
 kwargs.setdefault('region_name', region_name)
diff --git a/blazar/utils/openstack/neutron.py b/blazar/utils/openstack/neutron.py
index 897284c90..a87a1262f 100644
--- a/blazar/utils/openstack/neutron.py
+++ b/blazar/utils/openstack/neutron.py
@@ -81,7 +81,12 @@ def __init__(self, **kwargs):
 project_name=project_name,
 user_domain_name=user_domain_name,
 project_domain_name=project_domain_name)
- sess = session.Session(auth=auth)
+ sess_kwargs = dict(
+ auth=auth
+ )
+ if CONF.cafile:
+ sess_kwargs.update(verify=CONF.cafile)
+ sess = session.Session(**sess_kwargs)
 kwargs.setdefault('session', sess)
 kwargs.setdefault('region_name', region_name)
 kwargs.setdefault('endpoint_type', CONF.neutron.endpoint_type + 'URL')
diff --git a/blazar/utils/openstack/nova.py b/blazar/utils/openstack/nova.py
index 1e87a8dca..26803b0af 100644
--- a/blazar/utils/openstack/nova.py
+++ b/blazar/utils/openstack/nova.py
@@ -153,10 +153,18 @@ def __init__(self, **kwargs):
 if "v2.0" not in auth_url:
 kwargs.setdefault('project_domain_name', project_domain_name)
 kwargs.setdefault('user_domain_name', user_domain_name)
+
+ if CONF.cafile:
+ kwargs.setdefault('cacert', CONF.cafile)
 else:
 auth = token_endpoint.Token(endpoint_override, auth_token)
- sess = session.Session(auth=auth)
+ sess_kwargs = dict(
+ auth=auth
+ )
+ if CONF.cafile:
+ sess_kwargs.update(verify=CONF.cafile)
+ sess = session.Session(**sess_kwargs)
 kwargs.setdefault('session', sess)
 kwargs.setdefault('endpoint_type', CONF.nova.endpoint_type + 'URL')
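Review bot: In the nova.py hunk the new `if CONF.cafile: kwargs.setdefault('cacert', CONF.cafile)` is added directly after the two `setdefault` calls that are guarded by `if "v2.0" not in auth_url:`; the collapsed hunk does not preserve indentation, so please check whether the new check landed inside that guard. If it did, a deployment whose `auth_url` points at a v2.0 Keystone gets no CA bundle for novaclient at all, while every other client in this patch honours `cafile` unconditionally — the trust store has nothing to do with the identity API version, so the check belongs at the same level as the `if "v2.0"` test, i.e. dedented by one level. The `else` branch is fine as written, since novaclient takes TLS settings from the session it is handed. `__init__` starts and ends outside the hunk, so I cannot see the outer `if` that this `else` belongs to.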
diff --git a/blazar/utils/openstack/placement.py b/blazar/utils/openstack/placement.py
index 1a787e4ae..8a3b217d7 100644
--- a/blazar/utils/openstack/placement.py
+++ b/blazar/utils/openstack/placement.py
@@ -83,7 +83,12 @@ def _create_client(self, **kwargs):
 project_name=project_name,
 user_domain_name=user_domain_name,
 project_domain_name=project_domain_name)
- sess = session.Session(auth=auth)
+ sess_kwargs = dict(
+ auth=auth
+ )
+ if CONF.cafile:
+ sess_kwargs.update(verify=CONF.cafile)
+ sess = session.Session(**sess_kwargs)
 # Set accept header on every request to ensure we notify placement
 # service of our response body media type preferences.
 headers = {'accept': 'application/json'}
diff --git a/releasenotes/notes/support-passing-custom-ca-bundle-df71047568cd82f6.yaml b/releasenotes/notes/support-passing-custom-ca-bundle-df71047568cd82f6.yaml
new file mode 100644
index 000000000..54ab3c9cc
--- /dev/null
+++ b/releasenotes/notes/support-passing-custom-ca-bundle-df71047568cd82f6.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ The Blazar service now supports using a custom CA certificate bundle with
+ the ``[DEFAULT]/cafile`` option. This allows for deployment on OpenStack
+ clouds that are using HTTPS endpoints with certificates signed by a custom
+ CA. `LP#2045281 `__