Adds https support for metadata agent

Adds two configure options to support https client for metadata proxy
* auth_insecure: turn off verification of the certificate for ssl, or
* auth_ca_cert: CA cert to check against with for ssl.

Change-Id: I3ffb86ae9ce31931436a4e13957aae30eebf9d92
Closes-Bug: #1263872

diff --git a/etc/metadata_agent.ini b/etc/metadata_agent.ini
index 38909233e7b6d9210b097335c25ccbdc60e12af5..c2f59cd283f8eec6891c9ee122943f315b298ba4 100644 (file)
--- a/etc/metadata_agent.ini
+++ b/etc/metadata_agent.ini
@@ -5,6 +5,10 @@
 # The Neutron user information for accessing the Neutron API.
 auth_url = http://localhost:5000/v2.0
 auth_region = RegionOne
+# Turn off verification of the certificate for ssl
+# auth_insecure = False
+# Certificate Authority public key (CA cert) file for ssl
+# auth_ca_cert =
 admin_tenant_name = %SERVICE_TENANT_NAME%
 admin_user = %SERVICE_USER%
 admin_password = %SERVICE_PASSWORD%

diff --git a/neutron/agent/metadata/agent.py b/neutron/agent/metadata/agent.py
index 86a3d6075101bd9dc0cef667b9b6047af4606ae3..06e88be73a65a1d592c4454beb8573b8f865f70d 100644 (file)
--- a/neutron/agent/metadata/agent.py
+++ b/neutron/agent/metadata/agent.py
@@ -61,6 +61,14 @@ class MetadataProxyHandler(object):
                    help=_("The type of authentication to use")),
         cfg.StrOpt('auth_region',
                    help=_("Authentication region")),
+        cfg.BoolOpt('auth_insecure',
+                    default=False,
+                    help=_("Turn off verification of the certificate for"
+                           " ssl")),
+        cfg.StrOpt('auth_ca_cert',
+                   default=None,
+                   help=_("Certificate Authority public key (CA cert) "
+                          "file for ssl")),
         cfg.StrOpt('endpoint_type',
                    default='adminURL',
                    help=_("Network service endpoint type to pull from "
@@ -89,6 +97,8 @@ class MetadataProxyHandler(object):
             auth_strategy=self.conf.auth_strategy,
             region_name=self.conf.auth_region,
             token=self.auth_info.get('auth_token'),
+            insecure=self.conf.auth_insecure,
+            ca_cert=self.conf.auth_ca_cert,
             endpoint_url=self.auth_info.get('endpoint_url'),
             endpoint_type=self.conf.endpoint_type
         )

diff --git a/neutron/tests/unit/test_metadata_agent.py b/neutron/tests/unit/test_metadata_agent.py
index b1ef07f1b72f6aa18a1e49f214aa113b32b1ca35..8a56b62a933fbe8f525daad960a2d9c9bbf1eb94 100644 (file)
--- a/neutron/tests/unit/test_metadata_agent.py
+++ b/neutron/tests/unit/test_metadata_agent.py
@@ -34,6 +34,8 @@ class FakeConf(object):
     auth_url = 'http://127.0.0.1'
     auth_strategy = 'keystone'
     auth_region = 'region'
+    auth_insecure = False
+    auth_ca_cert = None
     endpoint_type = 'adminURL'
     nova_metadata_ip = '9.9.9.9'
     nova_metadata_port = 8775
@@ -100,6 +102,8 @@ class TestMetadataProxyHandler(base.BaseTestCase):
                 password=FakeConf.admin_password,
                 auth_strategy=FakeConf.auth_strategy,
                 token=None,
+                insecure=FakeConf.auth_insecure,
+                ca_cert=FakeConf.auth_ca_cert,
                 endpoint_url=None,
                 endpoint_type=FakeConf.endpoint_type)
         ]