From 34db7b5192fea592705f56f99a100ed2730363a8 Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Wed, 25 Sep 2024 21:34:39 +0100
Subject: [PATCH 1/2] Fix octavia private cert verification failure
Fixed by passing certificate path as 'verify' keyword argument when creating keystoneauth1 Session.
---
 octavia/common/clients.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/octavia/common/clients.py b/octavia/common/clients.py
index b839ea3803..00abbd8a43 100644
--- a/octavia/common/clients.py
+++ b/octavia/common/clients.py
@@ -111,6 +111,7 @@ def get_user_neutron_client(cls, context):
 client.
 """
 sess = keystone.KeystoneSession('neutron').get_session()
+ kwargs = {}
 neutron_endpoint = CONF.neutron.endpoint_override
 if neutron_endpoint is None:
 endpoint_data = sess.get_endpoint_data(
@@ -119,8 +120,13 @@ def get_user_neutron_client(cls, context):
 region_name=CONF.neutron.region_name)
 neutron_endpoint = endpoint_data.catalog_url
+ neutron_cafile = getattr(CONF.neutron, "cafile", None)
+ insecure = getattr(CONF.neutron, "insecure", False)
+ kwargs['verify'] = not insecure
+ if neutron_cafile is not None:
+ kwargs['verify'] = neutron_cafile
 user_auth = token_endpoint.Token(neutron_endpoint, context.auth_token)
- user_sess = session.Session(auth=user_auth)
+ user_sess = session.Session(auth=user_auth, **kwargs)
 conn = openstack.connection.Connection(
 session=user_sess, oslo_conf=CONF)
From efa764c7c64a8378f0cc11dfcf976e0151b2d0c4 Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Thu, 26 Sep 2024 09:40:16 +0100
Subject: [PATCH 2/2] Prevent insecure = True to be overwritten by cafile
---
 octavia/common/clients.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/octavia/common/clients.py b/octavia/common/clients.py
index 00abbd8a43..80dd75574e 100644
--- a/octavia/common/clients.py
+++ b/octavia/common/clients.py
@@ -123,7 +123,7 @@ def get_user_neutron_client(cls, context):
 neutron_cafile = getattr(CONF.neutron, "cafile", None)
 insecure = getattr(CONF.neutron, "insecure", False)
 kwargs['verify'] = not insecure
- if neutron_cafile is not None:
+ if neutron_cafile is not None and not insecure:
 kwargs['verify'] = neutron_cafile
 user_auth = token_endpoint.Token(neutron_endpoint, context.auth_token)
 user_sess = session.Session(auth=user_auth, **kwargs)
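Review bot: With the new condition `if neutron_cafile is not None and not insecure:`, a deployment that sets both `insecure = True` and a `cafile` ends up with `verify=False` on the session that carries `context.auth_token`, and nothing in the hunk tells the operator that the CA bundle was ignored. I would log a warning on that path, for example `LOG.warning("neutron insecure=True: cafile is ignored and TLS verification is disabled")`, assuming this module has a `LOG` object, which is not visible here. Separately, `is not None` lets an empty-string `cafile` through as `verify=''`, which the underlying HTTP library may treat as falsy and therefore as verification off; `if neutron_cafile and not insecure:` would keep that case on the default `verify=True`. The body of get_user_neutron_client starts and ends outside the hunk, so whether the keystone session created earlier already applies these options could not be checked.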