openstack/kolla-ansible
Code Issues Proposed changes
c4cee86581
kolla-ansible/tests/check-config.sh
James Kirsch b475643c11 Add support for encrypting backend Keystone HAProxy traffic 
This patch introduces an optional backend encryption for Keystone
service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Keystone service.

Change-Id: I6351147ddaff8b2ae629179a9bc3bae2ebac9519
Partially-Implements: blueprint add-ssl-internal-network
2020-04-09 09:22:55 +00:00

60 lines
2.0 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Check the generated configuration files.
set -o errexit
# Enable unbuffered output for Ansible in Jenkins.
export PYTHONUNBUFFERED=1
function check_config {
# Check every file in /etc/kolla/*.
failed=0
expected_user=${CONFIG_OWNER_USER:-root}
expected_group=${CONFIG_OWNER_GROUP:-root}
# Ignore files generated by Zuul.
for f in $(sudo find /etc/kolla \
-not -regex /etc/kolla/config.* \
-not -regex /etc/kolla/certificates.* \
-not -regex .*pem \
-not -regex .*key \
-not -regex ".*ca-certificates.*" \
-not -path /etc/kolla \
-not -name admin-openrc.sh \
-not -name globals.yml \
-not -name ceph-ansible.yml \
-not -name header \
-not -name inventory \
-not -name ceph-inventory \
-not -name kolla-build.conf \
-not -name passwords.yml \
-not -name passwords.yml.old \
-not -name sources.list \
-not -name template_overrides.j2)
do
mode=$(sudo stat -c %a $f)
owner=$(sudo stat -c %U:%G $f)
if [[ -d $f ]]; then
# Directories should be 770.
if [[ $mode != "770" ]]; then
failed=1
echo "ERROR: Unexpected permissions on directory $f. Got $mode, expected 770"
fi
else
# Files should be 600, 660 or 770.
if [[ ! $mode =~ ^(600|660|770)$ ]] ; then
failed=1
echo "ERROR: Unexpected permissions on file $f. Got $mode, expected 770 or 660"
fi
fi
# Owner user & group should be the config owner, default root.
if [[ $owner != "$expected_user:$expected_group" ]]; then
failed=1
echo "ERROR: Unexpected ownership on $f. Got $owner, expected $expected_user:$expected_group"
fi
done
return $failed
}
check_config
View Git Blame Copy Permalink