Summary:
I have mitaka based deployment of neutron and designate and while trying to test the native integration of neutron with designate using this guide http://docs.openstack.org/mitaka/networking-guide/adv-config-dns.html I found out my DNS records are not getting created like on port-update or any floating ip operations as expected.
This is because the the endpoints in deployments are SSL based (https) and the neutron code of mitaka that gets the keystoneclient session before initiating designate client, has no option to allow us to set verify=True/False from neutron.conf or in code itself https://github.com/openstack/neutron/blob/stable/mitaka/neutron/services/externaldns/drivers/designate/driver.py#L85
this makes it impossible to use neutron integration with designate over https based endpoints until the code is changed to:
"""
_SESSION = session.Session(verify=False)
"""
Description:
Neutron has option to use external DNS driver in mitaka, such as designate. For that , we need to set the designate options in [designate] section of neutron.conf . For example:
"""
[designate]
url = http://55.114.111.93:9001/v2
admin_auth_url = http://55.114.111.93:35357/v2.0
admin_username = neutron
admin_password = x5G90074
admin_tenant_name = service
allow_reverse_dns_lookup = True
ipv4_ptr_zone_prefix_size = 24
ipv6_ptr_zone_prefix_size = 116
"""
the above example works fine when your url and admin_auth_url are http based endpoints. The neutron code uses options of designate section to get a session from keystone and uses that session to initiate designate admin client session as seen in the neutron code here https://github.com/openstack/neutron/blob/stable/mitaka/neutron/services/externaldns/drivers/designate/driver.py#L89
In the case, when a deployment has https(SSL terminated) based endpoints, meaning both url and admin_auth_url has https, the keystone session is made in neutron code using
_SESSION = session.Session()
the default behavior of keystoneclient is that if a url has https, then always set verify=True and use the ca file for verification.
but neither the option to provide a ca file or set verify=True/False is done neutron code for designate driver, this makes it impossible to use the integration over SSL based endpoints.
As an example of running the same code of mitaka from neutron ::
"""
>>> admin_auth = password.Password(auth_url="https://10.240.128.120:6100/v2.0",username="admin",password="admin",tenant_name="service")
>>> _SESSION = session.Session()
>>> admin_client = d_client.Client(session=_SESSION, auth=admin_auth)
>>> admin_client.zones.list()
keystoneauth1.exceptions.connection.SSLError: SSL exception connecting to https://10.240.128.120:6100/v2.0/tokens: [Errno 1] _ssl.c:523: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""
after altering the session initiation to set verify=False
"""
_SESSION = session.Session(verify=False)
>>> admin_client = d_client.Client(session=_SESSION, auth=admin_auth)
>>> admin_client.zones.list()
[]
"""
Proposed fix:
have an oslo opt for [designate] to let users specify insecure operations or set a ca file and use that info from neutron.conf to initiate keystone session before getting a designateclient
Fix proposed to branch: stable/mitaka
Review: https:/