Merge pull request #40752 from Enquier/nova_ssl_2

Add ability to specify a custom SSL certificate or disable SSL verification in KeystoneAuth v3
2024-11-08 09:23:56 +00:00 · 2017-04-27 11:29:08 -06:00 · 2017-04-27 11:29:08 -06:00 · 26be306b5c
commit 26be306b5c
parent 0f2ec1e1db 817f49296e
2 changed files with 15 additions and 3 deletions
--- a/salt/cloud/clouds/nova.py
+++ b/salt/cloud/clouds/nova.py
@ -60,11 +60,19 @@ option in the provider config.
      compute_name: nova
      compute_region: RegionOne
      service_type: compute
+      verify: '/path/to/custom/certs/ca-bundle.crt'
      tenant: admin
      user: admin
      password: passwordgoeshere
      driver: nova

+Note: by default the nova driver will attempt to verify its connection
+utilizing the system certificates. If you need to verify against another bundle
+of CA certificates or want to skip verification altogether you will need to
+specify the verify option. You can specify True or False to verify (or not)
+against system certificates, a path to a bundle or CA certs to check against, or
+None to allow keystoneauth to search for the certificates on its own.(defaults to True)
+
 For local installations that only use private IP address ranges, the
 following option may be useful. Using the old syntax:

@ -301,6 +309,10 @@ def get_conn():
    if 'password' in vm_:
        kwargs['password'] = vm_['password']

+    if 'verify' in vm_ and vm_['use_keystoneauth'] is True:
+        kwargs['verify'] = vm_['verify']
+    elif 'verify' in vm_ and vm_['use_keystoneauth'] is False:
+        log.warning('SSL Certificate verification option is specified but use_keystoneauth is False or not present')
    conn = nova.SaltNova(**kwargs)

    return conn
@ -608,7 +620,7 @@ def request_instance(vm_=None, call=None):
        'security_groups', vm_, __opts__, search_global=False
    )
    if security_groups is not None:
-        vm_groups = security_groups.split(',')
+        vm_groups = security_groups
        avail_groups = conn.secgroup_list()
        group_list = []

--- a/salt/utils/openstack/nova.py
+++ b/salt/utils/openstack/nova.py
@ -241,7 +241,7 @@ class SaltNova(object):
                           os_auth_plugin=os_auth_plugin,
                           **kwargs)

-    def _new_init(self, username, project_id, auth_url, region_name, password, os_auth_plugin, auth=None, **kwargs):
+    def _new_init(self, username, project_id, auth_url, region_name, password, os_auth_plugin, auth=None, verify=True, **kwargs):
        if auth is None:
            auth = {}

@ -281,7 +281,7 @@ class SaltNova(object):

        self.client_kwargs = sanatize_novaclient(self.client_kwargs)
        options = loader.load_from_options(**self.kwargs)
-        self.session = keystoneauth1.session.Session(auth=options)
+        self.session = keystoneauth1.session.Session(auth=options, verify=verify)
        conn = client.Client(version=self.version, session=self.session, **self.client_kwargs)
        self.kwargs['auth_token'] = conn.client.session.get_token()
        self.catalog = conn.client.session.get('/auth/catalog', endpoint_filter={'service_type': 'identity'}).json().get('catalog', [])