In pike ssl deployment horizon cnt retrieve volumes/snapshots and service data via cinderclient

I am not sure what is happening here that is causing the certificate information to not be passed down. It seems like cinderclient is using requests directly (in Pike). And whatever else is calling keystoneauth is not passing the cert value to keystoneauth. If the cert values are not passed to keystone auth it is not possible for KSA to understand where to get the cert information from.

I am not sure what we need to do to solve this directly or if it is still an issue. Can you post your tracebackes/errors?

Marking incomplete until we have more information.

Related fix proposed to branch: master
Review: https://review.opendev.org/675891

Fix proposed to branch: master
Review: https://review.opendev.org/675894

Reviewed: https://review.opendev.org/675891
Committed: https://git.openstack.org/cgit/openstack/python-cinderclient/commit/?id=4a3a2c3c9a89ccff4e64d3da96de5b0af4303840
Submitter: Zuul
Branch: master

commit 4a3a2c3c9a89ccff4e64d3da96de5b0af4303840
Author: Ivan Kolodyazhny <email address hidden>
Date: Mon Aug 12 15:44:31 2019 +0300

    Add custom CA support for get_server_version

    get_server_version fails when self-signed CA cert is used. This patch
    adds:
    * insecure option to ignore SSL certificate validation
    * cacert to add ability to provide a custom SSL certificate

    Change-Id: Ib1d34a5a6b595c53473ddd3acb182ab5a39cbba5
    Related-Bug: 1744670

Reviewed: https://review.opendev.org/675894
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=285c51f7e1b27a786fa9684abdc489998285b4e2
Submitter: Zuul
Branch: master

commit 285c51f7e1b27a786fa9684abdc489998285b4e2
Author: Ivan Kolodyazhny <email address hidden>
Date: Mon Aug 12 16:19:44 2019 +0300

    Add custom SSL CA Cert support for api.cinder.get_microversion

    api.cinder.get_microversion function now supports OPENSTACK_SSL_NO_VERIFY
    and OPENSTACK_SSL_CACERT config options.

    This depends on commit 4a3a2c3c9a89ccff4e64d3da96de5b0af4303840 in
    python-cinderclient, so the minimum version of python-cinderclient
    is bumped to 5.0.0.

    NOTE(amotoki): The stretegy of backporting to stable branches needs
    a discussion with the requirements team as we cannot bump the
    minimum version (at least the major version bump is surprising).

    Change-Id: I22c6c60e10d8e9328f7f1e0c24d6c74496ec1a71
    Closes-Bug: 1744670

This issue was fixed in the openstack/horizon 17.1.0 release.

Fix proposed to branch: stable/train
Review: https://review.opendev.org/710174

Reviewed: https://review.opendev.org/710174
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=68d4c5e78db61ea401ee89c84a69676e26a636a1
Submitter: Zuul
Branch: stable/train

commit 68d4c5e78db61ea401ee89c84a69676e26a636a1
Author: Akihiro Motoki <email address hidden>
Date: Thu Feb 27 11:29:23 2020 +0900

    Add custom SSL CA Cert support for api.cinder.get_microversion

    This is a stable branch version of
    commit 285c51f7e1b27a786fa9684abdc489998285b4e2 in the master branch.
    custom SSL CA Cert support in python-cinderclient was introduced
    in 5.0.0, but horizon train supports python-cinderclient >=4.0.1,
    so we cannot backport it as-is.

    This commit borrowed the logic of get_server_version() from
    python-cinderclient 5.0.0 so that this can be backported to
    older releases than train.

    From the above reason, this is directly proposed to stable/train.

    Change-Id: I776d2c8c6864067e7b44ce4b2f107c80b8b6d7fb
    Closes-Bug: #1744670

This issue was fixed in the openstack/horizon 16.2.1 release.