From ede3cc0a70d39ec85e511095b82bc2ab54b27bd8 Mon Sep 17 00:00:00 2001
From: Julien Danjou <julien@danjou.info>
Date: Wed, 24 Jul 2013 12:26:15 +0200
Subject: [PATCH] Add support for CA authentication in Keystone

Change-Id: Ida2240b5217509cbd4116b4d468848760354be18
Fixes: bug #1194046
---
 ceilometer/alarm/service.py              | 1 +
 ceilometer/alarm/threshold_evaluation.py | 1 +
 ceilometer/central/manager.py            | 1 +
 ceilometer/nova_client.py                | 1 +
 ceilometer/service.py                    | 3 +++
 etc/ceilometer/ceilometer.conf.sample    | 3 +++
 6 files changed, 10 insertions(+)

diff --git a/ceilometer/alarm/service.py b/ceilometer/alarm/service.py
index 7411da5cb..af8fbb5b9 100644
--- a/ceilometer/alarm/service.py
+++ b/ceilometer/alarm/service.py
@@ -83,6 +83,7 @@ class SingletonAlarmService(os_service.Service):
             os_tenant_name=auth_config.os_tenant_name,
             os_password=auth_config.os_password,
             os_username=auth_config.os_username,
+            cacert=auth_config.os_cacert,
             endpoint_type=auth_config.os_endpoint_type,
         )
         return ceiloclient.get_client(2, **creds)
diff --git a/ceilometer/alarm/threshold_evaluation.py b/ceilometer/alarm/threshold_evaluation.py
index ab75815d3..3bff077d7 100644
--- a/ceilometer/alarm/threshold_evaluation.py
+++ b/ceilometer/alarm/threshold_evaluation.py
@@ -72,6 +72,7 @@ class Evaluator(object):
                 os_tenant_name=auth_config.os_tenant_name,
                 os_password=auth_config.os_password,
                 os_username=auth_config.os_username,
+                cacert=auth_config.os_cacert,
                 endpoint_type=auth_config.os_endpoint_type,
             )
             self.api_client = ceiloclient.get_client(2, **creds)
diff --git a/ceilometer/central/manager.py b/ceilometer/central/manager.py
index 094fc11e5..8c18ec76b 100644
--- a/ceilometer/central/manager.py
+++ b/ceilometer/central/manager.py
@@ -71,6 +71,7 @@ class AgentManager(agent.AgentManager):
             password=cfg.CONF.service_credentials.os_password,
             tenant_id=cfg.CONF.service_credentials.os_tenant_id,
             tenant_name=cfg.CONF.service_credentials.os_tenant_name,
+            cacert=cfg.CONF.service_credentials.os_cacert,
             auth_url=cfg.CONF.service_credentials.os_auth_url)
 
         super(AgentManager, self).interval_task(task)
diff --git a/ceilometer/nova_client.py b/ceilometer/nova_client.py
index a6bd82126..8dda2d9db 100644
--- a/ceilometer/nova_client.py
+++ b/ceilometer/nova_client.py
@@ -52,6 +52,7 @@ class Client(object):
             project_id=tenant,
             auth_url=cfg.CONF.service_credentials.os_auth_url,
             endpoint_type=cfg.CONF.service_credentials.os_endpoint_type,
+            cacert=cfg.CONF.service_credentials.os_cacert,
             no_cache=True)
 
     def _with_flavor_and_image(self, instances):
diff --git a/ceilometer/service.py b/ceilometer/service.py
index a72715ce4..f7538468e 100644
--- a/ceilometer/service.py
+++ b/ceilometer/service.py
@@ -57,6 +57,9 @@ CLI_OPTIONS = [
                deprecated_group="DEFAULT",
                default=os.environ.get('OS_TENANT_NAME', 'admin'),
                help='Tenant name to use for openstack service access'),
+    cfg.StrOpt('os-cacert',
+               default=os.environ.get('OS_CACERT', None),
+               help='Certificate chain for SSL validation'),
     cfg.StrOpt('os-auth-url',
                deprecated_group="DEFAULT",
                default=os.environ.get('OS_AUTH_URL',
diff --git a/etc/ceilometer/ceilometer.conf.sample b/etc/ceilometer/ceilometer.conf.sample
index 8254b432f..3159870f6 100644
--- a/etc/ceilometer/ceilometer.conf.sample
+++ b/etc/ceilometer/ceilometer.conf.sample
@@ -639,6 +639,9 @@
 # value)
 #os_tenant_name=admin
 
+# Certificate chain for SSL validation (string value)
+#os_cacert=<None>
+
 # Auth URL to use for openstack service access (string value)
 #os_auth_url=http://localhost:5000/v2.0