Added support for TLS/SSL Openstack APIs

TLS/SSL support is enabled by adding os-cacert option to point to a CA cert file. All Openstack client commands now pass the cacert location as a parameter. Change-Id: I72d9582d82381fd990e8d35b6320d0bea7cc203e
2015-06-18 21:49:58 +00:00 · 2015-06-18 21:49:58 +00:00 · 3ca4ef2198
commit 3ca4ef2198
parent 6d85a73a9e
13 changed files with 43 additions and 17 deletions
--- a/doc/source/tools/shaker-cleanup.txt
+++ b/doc/source/tools/shaker-cleanup.txt
@ -8,6 +8,7 @@ usage: shaker-cleanup [-h] [--cleanup-on-error] [--config-dir DIR]
                      [--log-file PATH] [--log-format FORMAT]
                      [--nocleanup-on-error] [--nodebug] [--nouse-syslog]
                      [--nouse-syslog-rfc-format] [--noverbose]
+                      [--os-cacert <auth-cacert>]
                      [--os-password <auth-password>]
                      [--os-region-name <auth-region-name>]
                      [--os-tenant-name <auth-tenant-name>]
@ -70,6 +71,9 @@ optional arguments:
  --nouse-syslog-rfc-format
                        The inverse of --use-syslog-rfc-format
  --noverbose           The inverse of --verbose
+  --os-cacert <auth-cacert>
+                        Location of CA Certificate, defaults to
+                        env[OS_CACERT].
  --os-password <auth-password>
                        Authentication password, defaults to env[OS_PASSWORD].
  --os-region-name <auth-region-name>
--- a/doc/source/tools/shaker-image-builder.txt
+++ b/doc/source/tools/shaker-image-builder.txt
@ -10,6 +10,7 @@ usage: shaker-image-builder [-h] [--cleanup-on-error] [--config-dir DIR]
                            [--log-format FORMAT] [--nocleanup-on-error]
                            [--nodebug] [--nouse-syslog]
                            [--nouse-syslog-rfc-format] [--noverbose]
+                            [--os-cacert <auth-cacert>]
                            [--os-password <auth-password>]
                            [--os-region-name <auth-region-name>]
                            [--os-tenant-name <auth-tenant-name>]
@ -72,6 +73,9 @@ optional arguments:
  --nouse-syslog-rfc-format
                        The inverse of --use-syslog-rfc-format
  --noverbose           The inverse of --verbose
+  --os-cacert <auth-cacert>
+                        Location of CA Certificate, defaults to
+                        env[OS_CACERT].
  --os-password <auth-password>
                        Authentication password, defaults to env[OS_PASSWORD].
  --os-region-name <auth-region-name>
--- a/doc/source/tools/shaker.txt
+++ b/doc/source/tools/shaker.txt
@ -7,7 +7,8 @@ usage: shaker [-h] [--agent-join-timeout AGENT_JOIN_TIMEOUT]
              [--log-file PATH] [--log-format FORMAT] [--no-report-on-error]
              [--nocleanup-on-error] [--nodebug] [--nono-report-on-error]
              [--nouse-syslog] [--nouse-syslog-rfc-format] [--noverbose]
-              [--os-auth-url <auth-url>] [--os-password <auth-password>]
+              [--os-auth-url <auth-url>] [--os-cacert <auth-cacert>]
+              [--os-password <auth-password>]
              [--os-region-name <auth-region-name>]
              [--os-tenant-name <auth-tenant-name>]
              [--os-username <auth-username>] [--output OUTPUT]
@ -78,6 +79,9 @@ optional arguments:
  --noverbose           The inverse of --verbose
  --os-auth-url <auth-url>
                        Authentication URL, defaults to env[OS_AUTH_URL].
+  --os-cacert <auth-cacert>
+                        Location of CA Certificate, defaults to
+                        env[OS_CACERT].
  --os-password <auth-password>
                        Authentication password, defaults to env[OS_PASSWORD].
  --os-region-name <auth-region-name>
--- a/etc/shaker.conf
+++ b/etc/shaker.conf
@ -111,6 +111,9 @@
 # Authentication password, defaults to env[OS_PASSWORD]. (string value)
 #os_password =

+# Location of CA Certificate, defaults to env[OS_CACERT]. (string value)
+#os_cacert =
+
 # Authentication region name, defaults to env[OS_REGION_NAME]. (string value)
 #os_region_name = RegionOne

--- a/shaker/engine/config.py
+++ b/shaker/engine/config.py
@ -69,6 +69,10 @@ OPENSTACK_OPTS = [
               default=utils.env('OS_PASSWORD'),
               sample_default='',
               help='Authentication password, defaults to env[OS_PASSWORD].'),
+    cfg.StrOpt('os-cacert', metavar='<auth-cacert>',
+               default=utils.env('OS_CACERT'),
+               sample_default='',
+               help='Location of CA Certificate, defaults to env[OS_CACERT].'),
    cfg.StrOpt('os-region-name', metavar='<auth-region-name>',
               default=utils.env('OS_REGION_NAME') or 'RegionOne',
               help='Authentication region name, defaults to '
--- a/shaker/engine/deploy.py
+++ b/shaker/engine/deploy.py
@ -128,13 +128,13 @@ class Deployment(object):

    def connect_to_openstack(self, os_username, os_password, os_tenant_name,
                             os_auth_url, os_region_name, external_net,
-                             flavor_name, image_name):
+                             flavor_name, image_name, os_cacert):
        LOG.debug('Connecting to OpenStack')

        self.openstack_client = openstack.OpenStackClient(
            username=os_username, password=os_password,
            tenant_name=os_tenant_name, auth_url=os_auth_url,
-            region_name=os_region_name)
+            region_name=os_region_name, cacert=os_cacert)

        self.flavor_name = flavor_name
        self.image_name = image_name
--- a/shaker/engine/image_builder.py
+++ b/shaker/engine/image_builder.py
@ -39,11 +39,12 @@ def init():
        openstack_client = openstack.OpenStackClient(
            username=cfg.CONF.os_username, password=cfg.CONF.os_password,
            tenant_name=cfg.CONF.os_tenant_name, auth_url=cfg.CONF.os_auth_url,
-            region_name=cfg.CONF.os_region_name)
+            region_name=cfg.CONF.os_region_name, cacert=cfg.CONF.os_cacert)
    except Exception as e:
        LOG.error('Error establishing connection to OpenStack: %s. '
                  'Please verify OpenStack credentials (--os-username, '
-                  '--os-password, --os-tenant-name, --os-auth-url)', e)
+                  '--os-password, --os-tenant-name, --os-auth-url, '
+                  '--os-cacert)', e)
        exit(1)

    return openstack_client
--- a/shaker/engine/server.py
+++ b/shaker/engine/server.py
@ -121,7 +121,8 @@ def play_scenario(scenario):
                cfg.CONF.os_username, cfg.CONF.os_password,
                cfg.CONF.os_tenant_name, cfg.CONF.os_auth_url,
                cfg.CONF.os_region_name, cfg.CONF.external_net,
-                cfg.CONF.flavor_name, cfg.CONF.image_name)
+                cfg.CONF.flavor_name, cfg.CONF.image_name,
+                cfg.CONF.os_cacert)

        base_dir = os.path.dirname(scenario['file_name'])
        agents = deployment.deploy(scenario['deployment'], base_dir=base_dir)
--- a/shaker/openstack/clients/glance.py
+++ b/shaker/openstack/clients/glance.py
@ -19,12 +19,13 @@ from glanceclient import client as glance_client_pkg
 GLANCE_VERSION = '1'


-def create_client(keystone_client, os_region_name):
+def create_client(keystone_client, os_region_name, cacert):
    image_api_url = keystone_client.service_catalog.url_for(
        service_type='image', region_name=os_region_name)
    return glance_client_pkg.Client(GLANCE_VERSION,
                                    endpoint=image_api_url,
-                                    token=keystone_client.auth_token)
+                                    token=keystone_client.auth_token,
+                                    cacert=cacert)


 def get_image(glance_client, image_name):
--- a/shaker/openstack/clients/heat.py
+++ b/shaker/openstack/clients/heat.py
@ -25,12 +25,13 @@ LOG = logging.getLogger(__name__)
 HEAT_VERSION = '1'


-def create_client(keystone_client, os_region_name):
+def create_client(keystone_client, os_region_name, cacert):
    orchestration_api_url = keystone_client.service_catalog.url_for(
        service_type='orchestration', region_name=os_region_name)
    return heat_client_pkg.Client(HEAT_VERSION,
                                  endpoint=orchestration_api_url,
-                                  token=keystone_client.auth_token)
+                                  token=keystone_client.auth_token,
+                                  ca_file=cacert)


 def wait_stack_completion(heat_client, stack_id):
--- a/shaker/openstack/clients/keystone.py
+++ b/shaker/openstack/clients/keystone.py
@ -32,6 +32,6 @@ def create_keystone_client(**kwargs):
        'Failed to discover keystone version for url %(auth_url)s.', **kwargs)


-def create_keystone_session(**kwargs):
+def create_keystone_session(cacert, **kwargs):
    auth = auth_v2.Password(**kwargs)
-    return session.Session(auth=auth)
+    return session.Session(auth=auth, verify=cacert)
--- a/shaker/openstack/clients/openstack.py
+++ b/shaker/openstack/clients/openstack.py
@ -61,15 +61,17 @@ class OpenStackClientProxy(object):


 class OpenStackClient(object):
-    def __init__(self, username, password, tenant_name, auth_url, region_name):
+    def __init__(self, username, password, tenant_name, auth_url, region_name,
+                 cacert):
        self.region_name = region_name or 'RegionOne'
+        self.cacert = cacert or ''
        self._osc_cache = {}
        self.keystone_creator = functools.partial(
            keystone.create_keystone_client,
            username=username, password=password,
-            tenant_name=tenant_name, auth_url=auth_url)
+            tenant_name=tenant_name, auth_url=auth_url, cacert=cacert)
        self.session_creator = functools.partial(
-            keystone.create_keystone_session,
+            keystone.create_keystone_session, cacert,
            username=username, password=password,
            tenant_name=tenant_name, auth_url=auth_url)
        # ping OpenStack
@ -85,7 +87,8 @@ class OpenStackClient(object):
            client = MODERN_CLIENT_MAKERS[name](session, self.region_name)
        elif name in OLD_CLIENT_MAKERS:
            client_creator = functools.partial(
-                OLD_CLIENT_MAKERS[name], os_region_name=self.region_name)
+                OLD_CLIENT_MAKERS[name], os_region_name=self.region_name,
+                cacert=self.cacert)
            client = OpenStackClientProxy(self.keystone_creator,
                                          client_creator)

--- a/tests/test_server.py
+++ b/tests/test_server.py
@ -180,7 +180,7 @@ class TestServerPlayScenario(testtools.TestCase):
            self.deployment, base_dir='folder')
        deploy_obj.connect_to_openstack.assert_called_once_with(
            'user', 'password', 'tenant', 'auth-url', 'RegionOne', None,
-            'shaker-flavor', 'shaker-image'
+            'shaker-flavor', 'shaker-image', None
        )
        deploy_obj.cleanup.assert_called_once_with()