author | Jackie Truong <jacklyn.truong@jhuapl.edu> | 2018-04-13 09:00:23 -0700 |
---|---|---|
committer | Matt Riedemann <mriedem.os@gmail.com> | 2018-06-12 16:58:25 -0400 |
commit | 577a4b1a54b55c3c261e46179d32045646a5a751 (patch) | |
tree | 6ae692137f4ad0c0157a856ba6ae82081be102af /nova/virt | |
parent | 595ea73c62d02e26b83151ade5c8923c077afc56 (diff) | |
download | nova-577a4b1a54b55c3c261e46179d32045646a5a751.tar.gz |
Plumb trusted_certs through the compute service
This makes the libvirt driver handle and pass trusted_certs through to
the image download code that is now available.
This also adds a new supports_trusted_certs compute driver capability
which only the libvirt driver supports at this time. Attempts to
create a server or rebuild a server on a host with a driver that does
not support trusted_certs will fail if the instance is requesting
image cert validation. We can also eventually expose this capability
as a trait for more efficient scheduling.
The nova-compute service RPC API version is incremented so that the
nova-api paths for create/rebuild can determine if the deployment
has been upgraded to the point of supporting trusted certs.
Co-Authored-By: Dan Smith <dansmith@redhat.com>
Co-Authored-By: Brianna Poulos <Brianna.Poulos@jhuapl.edu>
Change-Id: Ie3130e104d7ca80289f1bd9f0fee9a7a198c263c
Implements: blueprint nova-validate-certificates
Diffstat (limited to 'nova/virt')
-rw-r--r-- | nova/virt/driver.py | 3 | ||||
-rw-r--r-- | nova/virt/fake.py | 3 | ||||
-rw-r--r-- | nova/virt/hyperv/driver.py | 3 | ||||
-rw-r--r-- | nova/virt/ironic/driver.py | 3 | ||||
-rw-r--r-- | nova/virt/libvirt/driver.py | 9 | ||||
-rw-r--r-- | nova/virt/libvirt/utils.py | 21 | ||||
-rw-r--r-- | nova/virt/powervm/driver.py | 1 | ||||
-rw-r--r-- | nova/virt/vmwareapi/driver.py | 3 | ||||
-rw-r--r-- | nova/virt/xenapi/driver.py | 3 |
9 files changed, 35 insertions, 14 deletions
diff --git a/nova/virt/driver.py b/nova/virt/driver.py
index 597807f6d5..c7aa367759 100644
--- a/nova/virt/driver.py
+++ b/nova/virt/driver.py
@@ -130,7 +130,8 @@ class ComputeDriver(object):
         "supports_tagged_attach_interface": False,
         "supports_tagged_attach_volume": False,
         "supports_extend_volume": False,
-        "supports_multiattach": False
+        "supports_multiattach": False,
+        "supports_trusted_certs": False,
     }
 
     requires_allocation_refresh = False
diff --git a/nova/virt/fake.py b/nova/virt/fake.py
index 33fa195c74..7f89411d46 100644
--- a/nova/virt/fake.py
+++ b/nova/virt/fake.py
@@ -129,7 +129,8 @@ class FakeDriver(driver.ComputeDriver):
         "supports_tagged_attach_interface": True,
         "supports_tagged_attach_volume": True,
         "supports_extend_volume": True,
-        "supports_multiattach": True
+        "supports_multiattach": True,
+        "supports_trusted_certs": True,
     }
 
     # Since we don't have a real hypervisor, pretend we have lots of
diff --git a/nova/virt/hyperv/driver.py b/nova/virt/hyperv/driver.py
index 8cb229b59e..a7984146b9 100644
--- a/nova/virt/hyperv/driver.py
+++ b/nova/virt/hyperv/driver.py
@@ -98,7 +98,8 @@ class HyperVDriver(driver.ComputeDriver):
         "supports_migrate_to_same_host": False,
         "supports_attach_interface": True,
         "supports_device_tagging": True,
-        "supports_multiattach": False
+        "supports_multiattach": False,
+        "supports_trusted_certs": False,
     }
 
     def __init__(self, virtapi):
diff --git a/nova/virt/ironic/driver.py b/nova/virt/ironic/driver.py
index 56371522a2..857ad149f3 100644
--- a/nova/virt/ironic/driver.py
+++ b/nova/virt/ironic/driver.py
@@ -134,7 +134,8 @@ class IronicDriver(virt_driver.ComputeDriver):
         "supports_recreate": False,
         "supports_migrate_to_same_host": False,
         "supports_attach_interface": True,
-        "supports_multiattach": False
+        "supports_multiattach": False,
+        "supports_trusted_certs": False,
     }
 
     # Needed for exiting instances to have allocations for custom resource
diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
index 9d69503c0f..4a07baea3e 100644
--- a/nova/virt/libvirt/driver.py
+++ b/nova/virt/libvirt/driver.py
@@ -303,7 +303,8 @@ class LibvirtDriver(driver.ComputeDriver):
         "supports_extend_volume": True,
         # Multiattach support is conditional on qemu and libvirt versions
         # determined in init_host.
-        "supports_multiattach": False
+        "supports_multiattach": False,
+        "supports_trusted_certs": True,
     }
 
     def __init__(self, virtapi, read_only=False):
@@ -7407,7 +7408,8 @@ class LibvirtDriver(driver.ComputeDriver):
     def _try_fetch_image(self, context, path, image_id, instance,
                          fallback_from_host=None):
         try:
-            libvirt_utils.fetch_image(context, path, image_id)
+            libvirt_utils.fetch_image(context, path, image_id,
+                                      instance.trusted_certs)
         except exception.ImageNotFound:
             if not fallback_from_host:
                 raise
@@ -7639,7 +7641,8 @@ class LibvirtDriver(driver.ComputeDriver):
                 context=context,
                 filename=filename,
                 image_id=image_id,
-                size=size)
+                size=size,
+                trusted_certs=instance.trusted_certs)
         except exception.ImageNotFound:
             if not fallback_from_host:
                 raise
diff --git a/nova/virt/libvirt/utils.py b/nova/virt/libvirt/utils.py
index 145301de32..d523f7f72a 100644
--- a/nova/virt/libvirt/utils.py
+++ b/nova/virt/libvirt/utils.py
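Review bot: The `fallback_from_host` branch of `_try_fetch_image` still sidesteps certificate validation: when Glance raises ImageNotFound and a fallback host is supplied, the `raise` is skipped and the image is presumably copied from that host's cache rather than re-fetched through `fetch_image`, so `instance.trusted_certs` is never checked against the bytes that end up on disk. If that path has to stay, it should at least refuse when the instance asked for validation, e.g. `if not fallback_from_host or instance.trusted_certs:` before the `raise`, or the gap should be stated in the method's docstring. The remainder of `_try_fetch_image`, including what the fallback actually does, is outside the hunk, so this is inferred from the visible control flow.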
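Review bot: In the third hunk `trusted_certs=instance.trusted_certs` is only consulted when the cache's fetch function actually runs; if the image backend already holds a copy of `image_id` (for example fetched earlier by an instance with no trusted certs), the download and therefore the validation are presumably skipped — confirm this against the backend `cache()` implementation. A one-line comment at the call site, such as `# NOTE: certs are only verified on a cache miss; a previously cached image is not re-checked`, would make that limitation visible to operators reading this code. The enclosing method starts and ends outside the hunk, and it carries the same `fallback_from_host` escape as `_try_fetch_image`.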
@@ -376,18 +376,29 @@ def get_fs_info(path):
             'used': used}
 
 
-def fetch_image(context, target, image_id):
-    """Grab image."""
-    images.fetch_to_raw(context, image_id, target)
+def fetch_image(context, target, image_id, trusted_certs=None):
+    """Grab image.
+
+    :param context: nova.context.RequestContext auth request context
+    :param target: target path to put the image
+    :param image_id: id of the image to fetch
+    :param trusted_certs: optional objects.TrustedCerts for image validation
+    """
+    images.fetch_to_raw(context, image_id, target, trusted_certs)
 
 
-def fetch_raw_image(context, target, image_id):
+def fetch_raw_image(context, target, image_id, trusted_certs=None):
     """Grab initrd or kernel image.
 
     This function does not attempt raw conversion, as these images
     will already be in raw format.
+
+    :param context: nova.context.RequestContext auth request context
+    :param target: target path to put the image
+    :param image_id: id of the image to fetch
+    :param trusted_certs: optional objects.TrustedCerts for image validation
     """
-    images.fetch(context, image_id, target)
+    images.fetch(context, image_id, target, trusted_certs)
 
 
 def get_instance_path(instance, relative=False):
diff --git a/nova/virt/powervm/driver.py b/nova/virt/powervm/driver.py
index 221efcef9e..9191de1f0b 100644
--- a/nova/virt/powervm/driver.py
+++ b/nova/virt/powervm/driver.py
@@ -75,6 +75,7 @@ class PowerVMDriver(driver.ComputeDriver):
         'supports_tagged_attach_volume': False,
         'supports_extend_volume': True,
         'supports_multiattach': False,
+        'supports_trusted_certs': False,
     }
 
     super(PowerVMDriver, self).__init__(virtapi)
diff --git a/nova/virt/vmwareapi/driver.py b/nova/virt/vmwareapi/driver.py
index d8f3854c86..9dc569ed8d 100644
--- a/nova/virt/vmwareapi/driver.py
+++ b/nova/virt/vmwareapi/driver.py
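Review bot: `fetch_raw_image` gains a `trusted_certs=None` parameter, but nothing in this diff passes it: the libvirt/driver.py hunks only update `fetch_image` and the cache fetch kwargs, and the diffstat's 9 changed lines in that file are fully accounted for by those hunks. Kernel and ramdisk downloads therefore presumably still run with `trusted_certs=None`, i.e. unverified even when the instance requested validation — confirm that every `fetch_raw_image` call site is covered (possibly in a follow-up outside nova/virt). Since `None` silently disables the check, the new `:param trusted_certs:` lines in both docstrings should say so explicitly, e.g. `:param trusted_certs: optional objects.TrustedCerts for image validation; when None the image is downloaded without signature verification`.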
@@ -66,7 +66,8 @@ class VMwareVCDriver(driver.ComputeDriver):
         "supports_recreate": False,
         "supports_migrate_to_same_host": True,
         "supports_attach_interface": True,
-        "supports_multiattach": False
+        "supports_multiattach": False,
+        "supports_trusted_certs": False,
     }
 
     # Legacy nodename is of the form: <mo id>(<cluster name>)
diff --git a/nova/virt/xenapi/driver.py b/nova/virt/xenapi/driver.py
index aaf5a119fa..84b45764d4 100644
--- a/nova/virt/xenapi/driver.py
+++ b/nova/virt/xenapi/driver.py
@@ -73,7 +73,8 @@ class XenAPIDriver(driver.ComputeDriver):
         "supports_migrate_to_same_host": False,
         "supports_attach_interface": True,
         "supports_device_tagging": True,
-        "supports_multiattach": False
+        "supports_multiattach": False,
+        "supports_trusted_certs": False,
     }
 
     def __init__(self, virtapi, read_only=False):