Use proper ceritificate when TLS-e is configured

When the Openstack auth-url is based on https, using the openstackclient requires to provide the path to the certificate file from the undercloud. This patch also fixes the octavia deploy_ipv4_lb method: it tries to find the external IPv4 subnet using its name. With this patch, the external network is found (only one external network is supported so far) and then its IPv4 subnet is returned Change-Id: I58f7aae796478eda0bff87ec60b62c940a67e677
2023-05-29 13:19:50 +02:00 · 2023-05-29 13:19:50 +02:00 · e3231d1384
commit e3231d1384
parent da0d344f5f
3 changed files with 34 additions and 5 deletions
--- a/tobiko/openstack/octavia/_deployers.py
+++ b/tobiko/openstack/octavia/_deployers.py
@ -24,6 +24,26 @@ from tobiko.openstack.octavia import _constants
 LOG = log.getLogger(__name__)


+def get_external_subnet(ip_version=4):
+    try:
+        ext_subnet_list = neutron.find_network(
+            **{'router:external': True})['subnets']
+    except tobiko.ObjectNotFound:
+        LOG.warning('External network not found')
+        return None
+
+    for ext_subnet_id in ext_subnet_list:
+        try:
+            subnet = neutron.find_subnet(id=ext_subnet_id,
+                                         ip_version=ip_version)
+        except tobiko.ObjectNotFound:
+            continue
+        else:
+            return subnet
+
+    LOG.warning('External subnet with IP version %d not found', ip_version)
+
+
 def deploy_ipv4_lb(provider: str,
                   protocol: str,
                   protocol_port: int,
@ -46,11 +66,7 @@ def deploy_ipv4_lb(provider: str,
        LOG.debug(f'Loadbalancer {lb.id} already exists. Skipping its'
                  ' creation')
    else:
-        try:
-            subnet = neutron.find_subnet('external_subnet')
-        except ModuleNotFoundError:
-            subnet = None
-
+        subnet = get_external_subnet()
        if subnet is None:
            tobiko.skip_test('Replacing heat networking resources for '
                             'octavia in tobiko wasn\'t implemented yet')
--- a/tobiko/openstack/openstacksdkclient/_client.py
+++ b/tobiko/openstack/openstacksdkclient/_client.py
@ -18,9 +18,13 @@ from __future__ import absolute_import
 import openstack

 import tobiko
+from tobiko import config
 from tobiko.openstack import keystone


+CONF = config.CONF
+
+
 class OpenstacksdkClientFixture(tobiko.SharedFixture):

    client = None
@ -35,6 +39,8 @@ class OpenstacksdkClientFixture(tobiko.SharedFixture):

    def setup_client(self):
        client = self.client
+        # create a new connection if it was not created before or if TLS-e is
+        # enabled (otherwise, an SSLError exception is raised)
        if not client:
            credentials = keystone.keystone_credentials()
            tmp_auth = {
@ -49,6 +55,9 @@ class OpenstacksdkClientFixture(tobiko.SharedFixture):
            }
            if credentials.api_version == 3:
                tmp_auth['os-identity-api-version'] = credentials.api_version
+            if 'https://' in credentials.auth_url and not credentials.cacert:
+                tmp_auth['os-cacert'] = \
+                    CONF.tobiko.tripleo.undercloud_cacert_file
            self.client = client = openstack.connect(**tmp_auth)
        return client

--- a/tobiko/tripleo/config.py
+++ b/tobiko/tripleo/config.py
@ -41,6 +41,10 @@ OPTIONS = [
               default='undercloud',
               help='undercloud cloud name to be used for loading credentials '
                    'from the undercloud clouds files'),
+    cfg.StrOpt('undercloud_cacert_file',
+               default='/etc/pki/tls/certs/ca-bundle.trust.crt',
+               help='Path to cacert file that can be used to send https '
+                    'request from the undercloud'),


    # Overcloud options