Honor insecure and cafile options in a trustee session

Pass the verify parameter to keystone when creating a
session with the trustee account.

Change-Id: Ic26d656fc434d097c2015db47b1539f83aaf3cd0
Closes-Bug: 1581057

magnum/common/keystone.py

@@ -15,7 +15,6 @@ from keystoneauth1 import exceptions as ka_exception
 from keystoneauth1.identity import access as ka_access_plugin
 from keystoneauth1.identity import v3 as ka_v3
 from keystoneauth1 import loading as ka_loading
-from keystoneauth1 import session as ka_session
 import keystoneclient.exceptions as kc_exception
 from keystoneclient.v3 import client as kc_v3
 from oslo_config import cfg
@@ -160,7 +159,12 @@ class KeystoneClientV3(object):
                 user_id=CONF.trust.trustee_domain_admin_id,
                 domain_id=CONF.trust.trustee_domain_id,
                 password=CONF.trust.trustee_domain_admin_password)
-            session = ka_session.Session(auth=auth)
+            session = ka_loading.session.Session().load_from_options(
+                auth=auth,
+                insecure=CONF[CFG_LEGACY_GROUP].insecure,
+                cacert=CONF[CFG_LEGACY_GROUP].cafile,
+                key=CONF[CFG_LEGACY_GROUP].keyfile,
+                cert=CONF[CFG_LEGACY_GROUP].certfile)
             self._domain_admin_client = kc_v3.Client(session=session)
         return self._domain_admin_client
 
@@ -202,7 +206,13 @@ class KeystoneClientV3(object):
                                   user_id=bay.trustee_user_id,
                                   password=bay.trustee_password,
                                   trust_id=bay.trust_id)
-            sess = ka_session.Session(auth=auth)
+
+            sess = ka_loading.session.Session().load_from_options(
+                auth=auth,
+                insecure=CONF[CFG_LEGACY_GROUP].insecure,
+                cacert=CONF[CFG_LEGACY_GROUP].cafile,
+                key=CONF[CFG_LEGACY_GROUP].keyfile,
+                cert=CONF[CFG_LEGACY_GROUP].certfile)
             client = kc_v3.Client(session=sess)
         try:
             client.trusts.delete(bay.trust_id)

magnum/tests/unit/common/test_keystone.py

@@ -125,7 +125,7 @@ class KeystoneClientTest(base.TestCase):
         bay.trust_id = 'atrust123'
         self.assertIsNone(ks_client.delete_trust(self.ctx, bay))
 
-    @mock.patch('magnum.common.keystone.ka_session.Session')
+    @mock.patch('keystoneauth1.session.Session')
     def test_create_trust_with_all_roles(self, mock_session, mock_ks):
         mock_session.return_value.get_user_id.return_value = '123456'
         mock_session.return_value.get_project_id.return_value = '654321'
@@ -140,7 +140,7 @@ class KeystoneClientTest(base.TestCase):
             trustee_user='888888', role_names=['role1', 'role2'],
             impersonation=True)
 
-    @mock.patch('magnum.common.keystone.ka_session.Session')
+    @mock.patch('keystoneauth1.session.Session')
     def test_create_trust_with_limit_roles(self, mock_session, mock_ks):
         mock_session.return_value.get_user_id.return_value = '123456'
         mock_session.return_value.get_project_id.return_value = '654321'