From 1ece576981a4751132c9b0ac9192eb70359290dd Mon Sep 17 00:00:00 2001
From: Frode Nordahl
Date: Mon, 23 Mar 2020 10:28:28 +0100
Subject: [PATCH] radosgw: Pass local CA cert to client when relevant
---
 zaza/openstack/charm_tests/ceph/tests.py | 15 ++++++++++-----
 zaza/openstack/charm_tests/swift/tests.py | 1 +
 zaza/openstack/charm_tests/test_utils.py | 1 +
 zaza/openstack/utilities/openstack.py | 18 ++++++++++++++++--
 4 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/zaza/openstack/charm_tests/ceph/tests.py b/zaza/openstack/charm_tests/ceph/tests.py
index f48668a..a607a5f 100644
--- a/zaza/openstack/charm_tests/ceph/tests.py
+++ b/zaza/openstack/charm_tests/ceph/tests.py
@@ -605,7 +605,8 @@ class CephRGWTest(test_utils.OpenStackBaseTest):
 region_name = 'RegionOne'
 swift_client = zaza_openstack.get_swift_session_client(
 keystone_session,
- region_name
+ region_name,
+ cacert=self.cacert,
 )
 _container = 'demo-container'
 _test_data = 'Test data from Zaza'
@@ -629,7 +630,8 @@ class CephRGWTest(test_utils.OpenStackBaseTest):
 keystone_session = zaza_openstack.get_overcloud_keystone_session()
 source_client = zaza_openstack.get_swift_session_client(
 keystone_session,
- region_name='east-1'
+ region_name='east-1',
+ cacert=self.cacert,
 )
 _container = 'demo-container'
 _test_data = 'Test data from Zaza'
@@ -643,7 +645,8 @@ class CephRGWTest(test_utils.OpenStackBaseTest):
 target_client = zaza_openstack.get_swift_session_client(
 keystone_session,
- region_name='east-1'
+ region_name='east-1',
+ cacert=self.cacert,
 )
 @tenacity.retry(wait=tenacity.wait_exponential(multiplier=1, max=60),
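Review bot: `cacert=self.cacert` is now repeated by hand at every `get_swift_session_client` call in CephRGWTest (the three calls in these hunks and both calls in the `@@ -675,11 +678,13 @@` hunk), so a call site added later can omit it without any error and end up verifying against the default trust store instead of the deployment CA. A small private helper on the class would keep the trust configuration in one place, for example `def _swift_client(self, session, region_name='RegionOne'):` returning `zaza_openstack.get_swift_session_client(session, region_name, cacert=self.cacert)`. The enclosing test methods start and end outside these hunks, so whether they share other setup that could move into the helper is not visible here.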
@@ -675,11 +678,13 @@ class CephRGWTest(test_utils.OpenStackBaseTest):
 keystone_session = zaza_openstack.get_overcloud_keystone_session()
 source_client = zaza_openstack.get_swift_session_client(
 keystone_session,
- region_name='east-1'
+ region_name='east-1',
+ cacert=self.cacert,
 )
 target_client = zaza_openstack.get_swift_session_client(
 keystone_session,
- region_name='west-1'
+ region_name='west-1',
+ cacert=self.cacert,
 )
 zaza_model.run_action_on_leader(
 'slave-ceph-radosgw',
diff --git a/zaza/openstack/charm_tests/swift/tests.py b/zaza/openstack/charm_tests/swift/tests.py
index b322241..32441df 100644
--- a/zaza/openstack/charm_tests/swift/tests.py
+++ b/zaza/openstack/charm_tests/swift/tests.py
@@ -266,6 +266,7 @@ class S3APITest(test_utils.OpenStackBaseTest):
 'aws_access_key_id': self.ec2_creds.access,
 'aws_secret_access_key': self.ec2_creds.secret,
 'endpoint_url': self.s3_endpoint,
+ 'verify': self.cacert,
 }
 s3_client = boto3.client('s3', **kwargs)
 s3 = boto3.resource('s3', **kwargs)
diff --git a/zaza/openstack/charm_tests/test_utils.py b/zaza/openstack/charm_tests/test_utils.py
index e33bd69..f2eebb3 100644
--- a/zaza/openstack/charm_tests/test_utils.py
+++ b/zaza/openstack/charm_tests/test_utils.py
@@ -131,6 +131,7 @@ class OpenStackBaseTest(unittest.TestCase):
 cls.application_name,
 model_name=cls.model_name)
 logging.debug('Leader unit is {}'.format(cls.lead_unit))
+ cls.cacert = openstack_utils.get_cacert()
 def config_current(self, application_name=None, keys=None):
 """Get Current Config of an application normalized into key-values.
diff --git a/zaza/openstack/utilities/openstack.py b/zaza/openstack/utilities/openstack.py
index 661d107..df10e6e 100644
--- a/zaza/openstack/utilities/openstack.py
+++ b/zaza/openstack/utilities/openstack.py
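Review bot: The new `'verify': self.cacert` entry in the S3APITest kwargs carries no comment on what `None` means, although `verify` is the same boto3 parameter that switches certificate checking off when it is given `False`. According to the `get_cacert()` docstring the value is a path or `None`, and `None` leaves boto3's default verification on, so the behaviour as written is safe. A comment such as `# CA bundle path, or None for the default bundle; must never be False` would stop a later edit from weakening it. The dict and its enclosing method start outside the hunk.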
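Review bot: `cls.cacert = openstack_utils.get_cacert()` in OpenStackBaseTest samples the filesystem once, at class setup, and `get_cacert()` only checks whether the file exists at that moment. Whether the CA file has already been fetched at this point is not visible in the hunk; if it is written later, `cls.cacert` stays `None` for the whole class and the TLS clients fall back to the default trust store. A comment naming the earlier call that is expected to have placed the file, plus `logging.debug('CA cert is {}'.format(cls.cacert))` next to the existing debug line, would make that dependency visible in test logs. The enclosing class-setup method begins above the hunk.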
@@ -158,6 +158,16 @@ KEYSTONE_REMOTE_CACERT = (
 KEYSTONE_LOCAL_CACERT = ("/tmp/{}".format(KEYSTONE_CACERT))
+def get_cacert():
+ """Return path to CA Certificate bundle for verification during test.
+
+ :returns: Path to CA Certificate bundle or None.
+ :rtype: Optional[str]
+ """
+ if os.path.exists(KEYSTONE_LOCAL_CACERT):
+ return KEYSTONE_LOCAL_CACERT
+
+
 # Openstack Client helpers
 def get_ks_creds(cloud_creds, scope='PROJECT'):
 """Return the credentials for authenticating against keystone.
@@ -244,18 +254,22 @@ def get_neutron_session_client(session):
 def get_swift_session_client(session,
- region_name='RegionOne'):
+ region_name='RegionOne',
+ cacert=None):
 """Return swiftclient authenticated by keystone session.
 :param session: Keystone session object
 :type session: keystoneauth1.session.Session object
 :param region_name: Optional region name to use
 :type region_name: str
+ :param cacert: Path to CA Certificate
+ :type cacert: Optional[str]
 :returns: Authenticated swiftclient
 :rtype: swiftclient.Client object
 """
 return swiftclient.Connection(session=session,
- os_options={'region_name': region_name})
+ os_options={'region_name': region_name},
+ cacert=cacert)
 def get_octavia_session_client(session, service_type='load-balancer',
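Review bot: `get_cacert()` accepts whatever exists at `KEYSTONE_LOCAL_CACERT`, a fixed name under `/tmp`, and that path then becomes the trust anchor for the Swift and S3 clients. Because `/tmp` is shared and the name is predictable, a bundle left over from a run against another deployment, or a file placed there by a different local account, would be trusted, and `os.path.exists` is also true for a directory. I would return the path only for a regular, non-symlink file owned by the current user, end the function with an explicit `return None`, and longer term keep the bundle in a per-run private directory (the constant and the code that writes the file are outside this hunk). The sketch below needs `import stat` at the top of the module, which is not visible here.

```python
def get_cacert():
    # … unchanged: docstring …
    try:
        info = os.lstat(KEYSTONE_LOCAL_CACERT)
    except OSError:
        return None
    # /tmp is shared: accept only a regular file (not a symlink or
    # directory) that belongs to the user running the tests.
    if stat.S_ISREG(info.st_mode) and info.st_uid == os.getuid():
        return KEYSTONE_LOCAL_CACERT
    return None
```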
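Review bot: The new `:param cacert: Path to CA Certificate` line in `get_swift_session_client` does not say what `None` does or which connection the bundle applies to. As far as the hunk shows, `cacert` is handed only to `swiftclient.Connection`, while the keystone `session` passed alongside presumably carries its own TLS settings, so the two can end up verifying against different trust stores. Suggest `:param cacert: Path to CA bundle used to verify the object-store endpoint; None uses the client's default trust store`, plus one sentence noting that the session's verification is configured separately.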