From ceabe71b7fd1a3bcc6e416c57187bae0baa8505e Mon Sep 17 00:00:00 2001
From: yangshaoxue
Date: Thu, 15 Dec 2022 17:14:47 +0800
Subject: [PATCH] feat: Add cafile conf
Add cafile conf and support keystone ssl verify
Change-Id: Id82f49009e2e6778568c629b9fe66e3e50cf73d7
---
 .../support-keystone-ssl-verify-e0dfc4c02ef25cb2.yaml | 5 +++++
 skyline_apiserver/api/v1/login.py | 4 +++-
 skyline_apiserver/client/openstack/system.py | 4 +++-
 skyline_apiserver/client/utils.py | 8 +++++---
 skyline_apiserver/cmd/generate_nginx.py | 2 +-
 skyline_apiserver/config/default.py | 10 +++++++++-
 6 files changed, 26 insertions(+), 7 deletions(-)
 create mode 100644 releasenotes/notes/support-keystone-ssl-verify-e0dfc4c02ef25cb2.yaml
diff --git a/releasenotes/notes/support-keystone-ssl-verify-e0dfc4c02ef25cb2.yaml b/releasenotes/notes/support-keystone-ssl-verify-e0dfc4c02ef25cb2.yaml
new file mode 100644
index 0000000..3c0f5d1
--- /dev/null
+++ b/releasenotes/notes/support-keystone-ssl-verify-e0dfc4c02ef25cb2.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Support keystone ssl verify.
+ Add configuration item cafile to skyline configuration file.
diff --git a/skyline_apiserver/api/v1/login.py b/skyline_apiserver/api/v1/login.py
index 3e8e7f5..a3a7cb8 100644
--- a/skyline_apiserver/api/v1/login.py
+++ b/skyline_apiserver/api/v1/login.py
@@ -76,7 +76,9 @@ async def _get_projects_and_unscope_token(
 reauthenticate=False,
 )
- session = Session(auth=unscope_auth, verify=False, timeout=constants.DEFAULT_TIMEOUT)
+ session = Session(
+ auth=unscope_auth, verify=CONF.default.cafile, timeout=constants.DEFAULT_TIMEOUT
+ )
 unscope_client = KeystoneClient(
 session=session,
 endpoint=auth_url,
diff --git a/skyline_apiserver/client/openstack/system.py b/skyline_apiserver/client/openstack/system.py
index be7d67b..cd7c903 100644
--- a/skyline_apiserver/client/openstack/system.py
+++ b/skyline_apiserver/client/openstack/system.py
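Review bot: With the new option defaulting to `""`, the `verify=CONF.default.cafile` on the added `Session(` line hands an empty string to the session, and requests treats a falsy `verify` as "do not verify the certificate", so an unconfigured deployment keeps the old `verify=False` behaviour even though the release note announces SSL verification support. The same expression is repeated in the system.py, utils.py and generate_nginx.py hunks, so I would resolve it once, e.g. `verify=CONF.default.cafile or True` via a small helper in client/utils.py, so that an empty cafile falls back to the system trust store and turning verification off requires an explicit setting rather than an omission. If the opt-out default is deliberate for existing self-signed setups, the option description should say so, since a reader of this call site cannot tell that an empty path means no verification. `_get_projects_and_unscope_token` continues outside the hunk.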
@@ -41,7 +41,9 @@ async def get_project_scope_token(
 kwargs = {"project_id": project_id}
 scope_auth = Token(auth_url=auth_url, token=keystone_token, **kwargs)
- session = Session(auth=scope_auth, verify=False, timeout=constants.DEFAULT_TIMEOUT)
+ session = Session(
+ auth=scope_auth, verify=CONF.default.cafile, timeout=constants.DEFAULT_TIMEOUT
+ )
 keystone_token = session.get_token()
 return keystone_token
diff --git a/skyline_apiserver/client/utils.py b/skyline_apiserver/client/utils.py
index 09cff7e..621da85 100644
--- a/skyline_apiserver/client/utils.py
+++ b/skyline_apiserver/client/utils.py
@@ -46,7 +46,7 @@ async def generate_session(profile: schemas.Profile) -> Any:
 "project_id": profile.project.id,
 }
 auth = Token(**kwargs)
- session = Session(auth=auth, verify=False, timeout=constants.DEFAULT_TIMEOUT)
+ session = Session(auth=auth, verify=CONF.default.cafile, timeout=constants.DEFAULT_TIMEOUT)
 session.auth.auth_ref = await run_in_threadpool(session.auth.get_auth_ref, session)
 return session
@@ -65,14 +65,16 @@ def get_system_session() -> Session:
 project_domain_name=CONF.openstack.system_project_domain,
 reauthenticate=True,
 )
- SESSION = Session(auth=auth, verify=False, timeout=constants.DEFAULT_TIMEOUT)
+ SESSION = Session(auth=auth, verify=CONF.default.cafile, timeout=constants.DEFAULT_TIMEOUT)
 return SESSION
 async def get_system_scope_access(keystone_token: str, region: str) -> AccessInfoV3:
 auth_url = await get_endpoint(region, "keystone", get_system_session())
 scope_auth = Token(auth_url, keystone_token, system_scope="all")
- session = Session(auth=scope_auth, verify=False, timeout=constants.DEFAULT_TIMEOUT)
+ session = Session(
+ auth=scope_auth, verify=CONF.default.cafile, timeout=constants.DEFAULT_TIMEOUT
+ )
 return await run_in_threadpool(session.auth.get_auth_ref, session)
diff --git a/skyline_apiserver/cmd/generate_nginx.py b/skyline_apiserver/cmd/generate_nginx.py
index 42c46f4..2e3f06e 100644
--- a/skyline_apiserver/cmd/generate_nginx.py
+++ b/skyline_apiserver/cmd/generate_nginx.py
@@ -54,7 +54,7 @@ def get_system_session() -> Session:
 project_domain_name=CONF.openstack.system_project_domain,
 reauthenticate=True,
 )
- return Session(auth=auth, verify=False, timeout=30)
+ return Session(auth=auth, verify=CONF.default.cafile, timeout=30)
 def get_proxy_endpoints() -> Dict[str, ProxyEndpoint]:
diff --git a/skyline_apiserver/config/default.py b/skyline_apiserver/config/default.py
index 460e334..a84abf2 100644
--- a/skyline_apiserver/config/default.py
+++ b/skyline_apiserver/config/default.py
@@ -113,11 +113,18 @@ prometheus_basic_auth_password = Opt(
 ssl_enabled = Opt(
 name="ssl_enabled",
- description="enable ssl",
+ description="Enable ssl",
 schema=StrictBool,
 default=True,
 )
+cafile = Opt(
+ name="cafile",
+ description="A path to a CA file",
+ schema=StrictStr,
+ default="",
+)
+
 GROUP_NAME = __name__.split(".")[-1]
 ALL_OPTS = (
 debug,
@@ -129,6 +136,7 @@ ALL_OPTS = (
 cors_allow_origins,
 session_name,
 ssl_enabled,
+ cafile,
 database_url,
 prometheus_endpoint,
 prometheus_enable_basic_auth,
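Review bot: The description of the new `cafile` option, `"A path to a CA file"`, does not say what the value is used for or what the empty default means, and since `StrictStr` accepts any string a mistyped path only surfaces as a TLS error on the first Keystone request rather than at configuration load. I would make the description carry the security-relevant contract, e.g. `description="Path to a CA bundle used to verify the Keystone TLS certificate; an empty value leaves certificate verification disabled"`, matching how the value is consumed at the Session call sites. If the Opt schema machinery allows a stricter type or a load-time check, verifying that a non-empty cafile is a readable file would turn a silent misconfiguration into a startup failure, but I cannot see the Opt implementation from this hunk so treat that as a suggestion to confirm.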