REQUESTS_CA_BUNDLE environment variable not being set

Bug #1971856 reported by Juan Pablo Suazo
Affects: Designate
Status: Fix Released
Importance: High
Assigned to: Juan Pablo Suazo

Bug Description

While using Designate in our OpenStack Victoria Distribution, we realised that Designate is not setting the "REQUESTS_CA_BUNDLE" variable on its container. This is problematic when using Designate along with a DNS that has been configured for TLS traffic.

Even though our distribution is configured to copy CA certificates into every container, so that they are able to verify SSL traffic, as the "REQUESTS_CA_BUNDLE" env variable in the Designate container is blank, it can't access these certificates.

This means that trying to create a zone with the "openstack zone create (···)" command will fail, as the connection to the DNS API endpoint will return an SSL verification error.

Revision history for this message
Michael Johnson (johnsom) wrote :

I'm not sure I understand this bug. When you say "container" are you talking about a deployment tool container? If so, which deployment tool are you using?

The designate project doesn't provide containers and this bug probably needs to be opened against the deployment tool that is improperly building the container.

Revision history for this message
Juan Pablo Suazo (jsuazo) wrote :

Sorry for the confusion, let me clarify. We are working with Victoria and deploying with kolla-ansible in docker containers.

Looking closer, we identified the bug to be in the `designate/designate/backend/impl_pdns4.py` file when trying to make requests to powerdns.

Here the requests are done in the following way:

    try:
        requests.post(
            self._build_url(),
            json=data,
            headers=self.headers
        ).raise_for_status()

Without using the `verify` parameter to provide certificates. This makes `requests` default to using environment variables, but, as variables such as `REQUESTS_CA_BUNDLE` are not set within the containers, these requests return an SSL verification error.

Something like what is done on designate/designate/backend/impl_infoblox/connector.py could be done:

    r = self.session.post(url,
                          data=jsonutils.dump_as_bytes(payload),
                          verify=self.sslverify,
                          headers=headers)

Revision history for this message
Juan Pablo Suazo (jsuazo) wrote (last edit ):

A solution could be adding a new option in "pools.yaml" for powerdns to specify the location of the CA cert needed to verify the connection to the API endpoint, something like:

    options:
        host: <IP>
        port: <PORT>
        api_endpoint: https://<FQDN>
        api_token: <API Key>
        api_ca_cert: <ca-cert-location>

Then, on designate/designate/backend/impl_pdns4.py:

    def __init__(self, target):
        super(PDNS4Backend, self).__init__(target)

        self.api_endpoint = self.options.get('api_endpoint')
        self.api_token = self.options.get('api_token')
        self.tsigkey_name = self.options.get('tsigkey_name', None)

+       self.api_ca_cert = self.options.get('api_ca_cert')

        self.headers = {
            "X-API-Key": self.api_token
        }

(···)

        try:
            requests.post(
                self._build_url(),
                json=data,
                headers=self.headers,
                verify=self.api_ca_cert
            ).raise_for_status()

Maybe differentiating the cases when the certificate is defined and when it isn't.

Changed in designate:
assignee: nobody → Juan Pablo Suazo (jsuazo)
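Putting the proposal above into practice, including the "certificate defined vs. not defined" distinction the reporter raises and the default environment-variable behaviour of `requests` described in the previous comment. This is an added example, not Designate's code or the reporter's patch; the option name `api_ca_cert` comes from this bug, while the helper names, the fake `post` callable and the constructed PEM file are assumptions made here so the block runs offline.

```python
"""Added example, not Designate's own code: map the ``api_ca_cert`` pools.yaml option
proposed in this bug onto requests' ``verify=``. Helper names are hypothetical."""
import os
import tempfile

class CaBundleError(ValueError):
    """The configured CA bundle cannot be used to verify the PowerDNS API."""

def resolve_verify(options):
    """Absent -> True (requests then honours REQUESTS_CA_BUNDLE, else its certifi store,
    which cannot know a private CA). Existing file -> pin to it. "", false, null or a
    missing file -> fail closed: requests treats a falsy verify= as "skip checks"."""
    if "api_ca_cert" not in options:
        return True
    path = options["api_ca_cert"]
    if not isinstance(path, str) or not path:
        raise CaBundleError("api_ca_cert must be a non-empty path, got %r" % (path,))
    if not os.path.isfile(path):
        raise CaBundleError("api_ca_cert %r does not exist" % path)
    return path

def post_to_api(options, url, payload, headers, post):
    """The call site from the bug with verify= explicit; post is requests.post in production."""
    response = post(url, json=payload, headers=headers, verify=resolve_verify(options))
    response.raise_for_status()
    return response

def is_rejected(options):
    """True when resolve_verify refuses the options rather than weakening verification."""
    try:
        resolve_verify(options)
    except CaBundleError:
        return True
    return False

def demo():
    """Constructed scenario: throwaway PEM-looking file as CA bundle, fake_post records kwargs."""
    captured = {}
    def fake_post(url, **kwargs):  # stands in for requests.post; never contacts PowerDNS
        captured.update(kwargs)
        return type("Resp", (), {"raise_for_status": lambda self: None})()
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
    try:
        post_to_api({"api_ca_cert": f.name}, "https://pdns.example/api/v1/servers/localhost/zones",
                    {"name": "example.org."}, {"X-API-Key": "constructed"}, post=fake_post)
    finally:
        os.unlink(f.name)
    return captured["verify"] == f.name
```

Note that an empty string or a YAML `false` for the option would otherwise reach `requests` as a falsy `verify=` and turn certificate checking off entirely, which is why the resolver refuses those values instead of passing them through.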
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to designate (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/designate/+/841168

Changed in designate:
status: New → In Progress
Changed in designate:
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to designate (master)

Reviewed: https://review.opendev.org/c/openstack/designate/+/841168
Committed: https://opendev.org/openstack/designate/commit/c230ddb8c5f71b51f2fa492d6ac076abbecc3841
Submitter: "Zuul (22348)"
Branch: master

commit c230ddb8c5f71b51f2fa492d6ac076abbecc3841
Author: Juan Pablo Suazo <email address hidden>
Date: Mon May 9 16:52:38 2022 -0400

    Adds api_ca_cert configuration variable to pools.yaml

    Adds a configuration variable that allows a user to
    declare the CA certificate to be used to verify
    traffic with a PowerDNS API endpoint.

    Closes-Bug: #1971856
    Signed-off-by: Juan Pablo Suazo <email address hidden>
    Change-Id: I57f3d5a1d1f79186cc5b38e76d30f62e01b60482

Changed in designate:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/designate 15.0.0.0rc1

This issue was fixed in the openstack/designate 15.0.0.0rc1 release candidate.
