feat: Add cafile conf

Add cafile conf and support keystone ssl verify

Change-Id: Id82f49009e2e6778568c629b9fe66e3e50cf73d7

releasenotes/notes/support-keystone-ssl-verify-e0dfc4c02ef25cb2.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Support keystone ssl verify.
+    Add configuration item cafile to skyline configuration file.

skyline_apiserver/api/v1/login.py

@@ -76,7 +76,9 @@ async def _get_projects_and_unscope_token(
                 reauthenticate=False,
             )
 
-        session = Session(auth=unscope_auth, verify=False, timeout=constants.DEFAULT_TIMEOUT)
+        session = Session(
+            auth=unscope_auth, verify=CONF.default.cafile, timeout=constants.DEFAULT_TIMEOUT
+        )
         unscope_client = KeystoneClient(
             session=session,
             endpoint=auth_url,

skyline_apiserver/client/openstack/system.py

@@ -41,7 +41,9 @@ async def get_project_scope_token(
     kwargs = {"project_id": project_id}
     scope_auth = Token(auth_url=auth_url, token=keystone_token, **kwargs)
 
-    session = Session(auth=scope_auth, verify=False, timeout=constants.DEFAULT_TIMEOUT)
+    session = Session(
+        auth=scope_auth, verify=CONF.default.cafile, timeout=constants.DEFAULT_TIMEOUT
+    )
     keystone_token = session.get_token()
 
     return keystone_token

skyline_apiserver/client/utils.py

@@ -46,7 +46,7 @@ async def generate_session(profile: schemas.Profile) -> Any:
         "project_id": profile.project.id,
     }
     auth = Token(**kwargs)
-    session = Session(auth=auth, verify=False, timeout=constants.DEFAULT_TIMEOUT)
+    session = Session(auth=auth, verify=CONF.default.cafile, timeout=constants.DEFAULT_TIMEOUT)
     session.auth.auth_ref = await run_in_threadpool(session.auth.get_auth_ref, session)
     return session
 
@@ -65,14 +65,16 @@ def get_system_session() -> Session:
         project_domain_name=CONF.openstack.system_project_domain,
         reauthenticate=True,
     )
-    SESSION = Session(auth=auth, verify=False, timeout=constants.DEFAULT_TIMEOUT)
+    SESSION = Session(auth=auth, verify=CONF.default.cafile, timeout=constants.DEFAULT_TIMEOUT)
     return SESSION
 
 
 async def get_system_scope_access(keystone_token: str, region: str) -> AccessInfoV3:
     auth_url = await get_endpoint(region, "keystone", get_system_session())
     scope_auth = Token(auth_url, keystone_token, system_scope="all")
-    session = Session(auth=scope_auth, verify=False, timeout=constants.DEFAULT_TIMEOUT)
+    session = Session(
+        auth=scope_auth, verify=CONF.default.cafile, timeout=constants.DEFAULT_TIMEOUT
+    )
     return await run_in_threadpool(session.auth.get_auth_ref, session)
 
 

skyline_apiserver/cmd/generate_nginx.py

@@ -54,7 +54,7 @@ def get_system_session() -> Session:
         project_domain_name=CONF.openstack.system_project_domain,
         reauthenticate=True,
     )
-    return Session(auth=auth, verify=False, timeout=30)
+    return Session(auth=auth, verify=CONF.default.cafile, timeout=30)
 
 
 def get_proxy_endpoints() -> Dict[str, ProxyEndpoint]:

skyline_apiserver/config/default.py

@@ -113,11 +113,18 @@ prometheus_basic_auth_password = Opt(
 
 ssl_enabled = Opt(
     name="ssl_enabled",
-    description="enable ssl",
+    description="Enable ssl",
     schema=StrictBool,
     default=True,
 )
 
+cafile = Opt(
+    name="cafile",
+    description="A path to a CA file",
+    schema=StrictStr,
+    default="",
+)
+
 GROUP_NAME = __name__.split(".")[-1]
 ALL_OPTS = (
     debug,
@@ -129,6 +136,7 @@ ALL_OPTS = (
     cors_allow_origins,
     session_name,
     ssl_enabled,
+    cafile,
     database_url,
     prometheus_endpoint,
     prometheus_enable_basic_auth,