From 9cbd02d8c8a99612862ccd1c20e199797c6bcb47 Mon Sep 17 00:00:00 2001
From: Vladislav Kuzmin
Date: Wed, 20 May 2020 12:14:04 +0400
Subject: [PATCH] Enable certificate check for glance_store+swift
Disable insecure option for glance_store with swift backend when tls is enabled. Specify swift_store_cacert option.
Change-Id: Ia1e8f596c95dd7b6e63cb21a94c8316dc71bf945
---
 lib/glance | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/lib/glance b/lib/glance
index 9398bd2daf..3f72c0b8bc 100644
--- a/lib/glance
+++ b/lib/glance
@@ -212,25 +212,19 @@ function configure_glance {
 if is_service_enabled s-proxy; then
 iniset $GLANCE_API_CONF glance_store default_store swift
 iniset $GLANCE_API_CONF glance_store swift_store_create_container_on_put True
- if python3_enabled; then
- iniset $GLANCE_API_CONF glance_store swift_store_auth_insecure True
- fi
 iniset $GLANCE_API_CONF glance_store swift_store_config_file $GLANCE_SWIFT_STORE_CONF
 iniset $GLANCE_API_CONF glance_store default_swift_reference ref1
 iniset $GLANCE_API_CONF glance_store stores "file, http, swift"
+ if is_service_enabled tls-proxy; then
+ iniset $GLANCE_API_CONF glance_store swift_store_cacert $SSL_BUNDLE_FILE
+ fi
 iniset $GLANCE_API_CONF DEFAULT graceful_shutdown_timeout "$SERVICE_GRACEFUL_SHUTDOWN_TIMEOUT"
 iniset $GLANCE_SWIFT_STORE_CONF ref1 user $SERVICE_PROJECT_NAME:glance-swift
 iniset $GLANCE_SWIFT_STORE_CONF ref1 key $SERVICE_PASSWORD
- if python3_enabled; then
- # NOTE(dims): Currently the glance_store+swift does not support either an insecure flag
- # or ability to specify the CACERT. So fallback to http:// url
- iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address ${KEYSTONE_SERVICE_URI/https/http}/v3
- else
- iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3
- fi
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3
 iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_version 3
 fi
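Review bot: Nothing on the new side sets `swift_store_auth_insecure` back to False, so removing the old `iniset ... True` only takes effect when glance-api.conf is rebuilt from scratch. If that file survives from an earlier run (not visible in this hunk), certificate verification for the Keystone auth call would stay disabled, even though `auth_address` now always uses `$KEYSTONE_SERVICE_URI/v3` with its original scheme. Pinning the value inside the s-proxy branch with `iniset $GLANCE_API_CONF glance_store swift_store_auth_insecure False` would make the result independent of prior state. The `swift_store_cacert` line would also be safer with the value quoted as `"$SSL_BUNDLE_FILE"`, plus a one-line comment saying the bundle is what lets glance_store verify the TLS proxy's certificate. configure_glance starts and ends outside the hunk.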