Designate DNS driver for neutron fails for SSL based endpoints.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Fix Released | Medium | Imran Hayder | |
Bug Description
Summary:
I have a mitaka based deployment of neutron and designate, and while trying to test the native integration of neutron with designate using this guide http://
This is because the endpoints in the deployment are SSL based (https), and the mitaka neutron code that gets the keystoneclient session before initiating the designate client has no option to let us set verify=True/False from neutron.conf or in the code itself https:/
This makes it impossible to use the neutron integration with designate over https based endpoints until the code is changed to:
"""
_SESSION = session.
"""
Description:
Neutron has an option to use an external DNS driver in mitaka, such as designate. For that, we need to set the designate options in the [designate] section of neutron.conf. For example:
"""
[designate]
url = http://
admin_auth_url = http://
admin_username = neutron
admin_password = x5G90074
admin_tenant_name = service
allow_reverse_
ipv4_ptr_
ipv6_ptr_
"""
The above example works fine when your url and admin_auth_url are http based endpoints. The neutron code uses the options of the [designate] section to get a session from keystone and uses that session to initiate the designate admin client session, as seen in the neutron code here https:/
In the case where a deployment has https (SSL terminated) based endpoints, meaning both url and admin_auth_url use https, the keystone session is made in the neutron code using
"""
_SESSION = session.Session()
"""
The default behavior of keystoneclient is that if a url has https, it always sets verify=True and uses the CA file for verification.
But neither an option to provide a CA file nor one to set verify=True/False exists in the neutron code for the designate driver, which makes it impossible to use the integration over SSL based endpoints.
As an example of running the same mitaka neutron code:
"""
>>> admin_auth = password.
>>> _SESSION = session.Session()
>>> admin_client = d_client.
>>> admin_client.
keystoneauth1.
"""
After altering the session initiation to set verify=False:
"""
_SESSION = session.
>>> admin_client = d_client.
>>> admin_client.
[]
"""
Proposed fix:
Have an oslo opt for [designate] to let users specify insecure operation or set a CA file, and use that info from neutron.conf to initiate the keystone session before getting a designateclient.
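As an added illustration of the proposed fix (example code written for this page, not neutron's own driver code), the following reads the [designate] section of neutron.conf and derives the verify value that would be handed to the keystoneauth session, plus the findings a reviewer would flag. The option names insecure and ca_cert, the sample hostnames, and the rule that an explicit CA file wins over insecure=True are assumptions of the example.

```python
import configparser
from urllib.parse import urlsplit

# Constructed neutron.conf fragments (hostnames and paths are made up).
HTTP_CONF = """[designate]
url = http://designate.example.test:9001/v2
admin_auth_url = http://keystone.example.test:5000/v3
"""
HTTPS_CA_CONF = """[designate]
url = https://designate.example.test:9001/v2
admin_auth_url = https://keystone.example.test:5000/v3
ca_cert = /etc/ssl/certs/internal-ca.pem
"""
HTTPS_INSECURE_CONF = """[designate]
url = https://designate.example.test:9001/v2
admin_auth_url = https://keystone.example.test:5000/v3
insecure = True
"""

def parse_designate_section(conf_text):
    """Read [designate]; insecure and ca_cert are the assumed new options."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sect = cp["designate"]
    return {
        "url": sect.get("url", fallback=""),
        "admin_auth_url": sect.get("admin_auth_url", fallback=""),
        "insecure": sect.getboolean("insecure", fallback=False),
        "ca_cert": sect.get("ca_cert", fallback="") or None,
    }

def session_verify(opts):
    """Value to hand to keystoneauth1 Session(verify=...): a CA bundle path,
    True (system trust store, the default for https) or False (no check).
    An explicit CA file takes precedence over insecure=True (example policy)."""
    if opts["ca_cert"]:
        return opts["ca_cert"]
    return not opts["insecure"]

def tls_warnings(opts):
    """Findings a reviewer of this configuration would want to see."""
    verify = session_verify(opts)
    schemes = {urlsplit(u).scheme for u in (opts["url"], opts["admin_auth_url"])}
    findings = []
    if verify is False and "https" in schemes:
        findings.append("insecure=True disables certificate verification")
    if "http" in schemes:
        findings.append("admin credentials are sent over plain http")
    return findings
```

Setting ca_cert to the deployment's CA bundle is the fix that keeps verification on; insecure=True only reproduces the verify=False workaround from the REPL session above.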
tags: added: mitaka-backport-potential
Changed in neutron:
status: New → Confirmed
importance: Undecided → Medium
tags: added: neutron-proactive-backport-potential
tags: removed: neutron-proactive-backport-potential
tags: removed: mitaka-backport-potential
Fix proposed to branch: stable/mitaka https://review.openstack.org/324177
Review: https:/