From ef3529161a48b5c34105cab007cefed136ecd1ec Mon Sep 17 00:00:00 2001
From: James Page <james.page@ubuntu.com>
Date: Thu, 10 Aug 2017 15:39:02 +0100
Subject: [PATCH] keystone: PKI token format removal

As of Pike, the OpenStack charms no longer generate the certificates
and CA used to sign token revocation lists as this is associated with
the PKI token format, which has been removed from OpenStack in
favor of UUID or Fernet formats.

Soft-fail on cert retrieval if an InternalServerError is thrown; this
is most likely due to the fact that the keystone WSGI server cannot
find the relevant files on the underlying filesystem.

Change-Id: Ib592e7e47e10bed2d59c9136a3267f9c7ce8da83
Closes-Bug: 1709189
---
 hooks/utils.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hooks/utils.py b/hooks/utils.py
index cd25d007..8c5f55d5 100644
--- a/hooks/utils.py
+++ b/hooks/utils.py
@@ -73,12 +73,14 @@ try:
         from keystoneclient.exceptions import (
             ConnectionRefused,
             Forbidden,
+            InternalServerError,
         )
     except ImportError:
         # Juno and older
         from keystoneclient.exceptions import (
             ConnectionError as ConnectionRefused,
             Forbidden,
+            InternalServerError,
         )
 except ImportError:
     keystoneclient = None
@@ -352,7 +354,8 @@ def get_ks_cert(ksclient, auth_endpoint, cert_type):
             # Juno and older
             cert = requests.request('GET', "{}/certificates/{}".
                                     format(auth_endpoint, cert_type)).text
-    except (ConnectionRefused, requests.exceptions.ConnectionError, Forbidden):
+    except (ConnectionRefused, requests.exceptions.ConnectionError,
+            Forbidden, InternalServerError):
         raise KSCertSetupException("Error connecting to keystone")
 
     return cert