Use proper ceritificate when TLS-e is configured

When the Openstack auth-url is based on https, using the openstackclient
requires to provide the path to the certificate file from the
undercloud.

This patch also fixes the octavia deploy_ipv4_lb method: it tries to
find the external IPv4 subnet using its name. With this patch, the
external network is found (only one external network is supported so
far) and then its IPv4 subnet is returned

Change-Id: I58f7aae796478eda0bff87ec60b62c940a67e677

tobiko/openstack/octavia/_deployers.py

@@ -24,6 +24,26 @@ from tobiko.openstack.octavia import _constants
 LOG = log.getLogger(__name__)
 
 
+def get_external_subnet(ip_version=4):
+    try:
+        ext_subnet_list = neutron.find_network(
+            **{'router:external': True})['subnets']
+    except tobiko.ObjectNotFound:
+        LOG.warning('External network not found')
+        return None
+
+    for ext_subnet_id in ext_subnet_list:
+        try:
+            subnet = neutron.find_subnet(id=ext_subnet_id,
+                                         ip_version=ip_version)
+        except tobiko.ObjectNotFound:
+            continue
+        else:
+            return subnet
+
+    LOG.warning('External subnet with IP version %d not found', ip_version)
+
+
 def deploy_ipv4_lb(provider: str,
                    protocol: str,
                    protocol_port: int,
@@ -46,11 +66,7 @@ def deploy_ipv4_lb(provider: str,
         LOG.debug(f'Loadbalancer {lb.id} already exists. Skipping its'
                   ' creation')
     else:
-        try:
+        subnet = get_external_subnet()
-            subnet = neutron.find_subnet('external_subnet')
-        except ModuleNotFoundError:
-            subnet = None
-
         if subnet is None:
             tobiko.skip_test('Replacing heat networking resources for '
                              'octavia in tobiko wasn\'t implemented yet')

tobiko/openstack/openstacksdkclient/_client.py

@@ -18,9 +18,13 @@ from __future__ import absolute_import
 import openstack
 
 import tobiko
+from tobiko import config
 from tobiko.openstack import keystone
 
 
+CONF = config.CONF
+
+
 class OpenstacksdkClientFixture(tobiko.SharedFixture):
 
     client = None
@@ -35,6 +39,8 @@ class OpenstacksdkClientFixture(tobiko.SharedFixture):
 
     def setup_client(self):
         client = self.client
+        # create a new connection if it was not created before or if TLS-e is
+        # enabled (otherwise, an SSLError exception is raised)
         if not client:
             credentials = keystone.keystone_credentials()
             tmp_auth = {
@@ -49,6 +55,9 @@ class OpenstacksdkClientFixture(tobiko.SharedFixture):
             }
             if credentials.api_version == 3:
                 tmp_auth['os-identity-api-version'] = credentials.api_version
+            if 'https://' in credentials.auth_url and not credentials.cacert:
+                tmp_auth['os-cacert'] = \
+                    CONF.tobiko.tripleo.undercloud_cacert_file
             self.client = client = openstack.connect(**tmp_auth)
         return client
 

tobiko/tripleo/config.py

@@ -41,6 +41,10 @@ OPTIONS = [
                default='undercloud',
                help='undercloud cloud name to be used for loading credentials '
                     'from the undercloud clouds files'),
+    cfg.StrOpt('undercloud_cacert_file',
+               default='/etc/pki/tls/certs/ca-bundle.trust.crt',
+               help='Path to cacert file that can be used to send https '
+                    'request from the undercloud'),
 
 
     # Overcloud options