
Add openstack_ca_file configuration option

In the drivers section of magnum.conf add openstack_ca_file.
This file is expected to be a CA certificate or CA bundle
which will be passed to every node and installed
into the host's CA bundle.

Update devstack plugin to use the ssl bundle if tls-proxy is
enabled.

Install the CA for drivers:
k8s_coreos_v1
k8s_fedora_atomic_v1
k8s_fedora_ironic_v1
mesos_ubuntu_v1
swarm_fedora_atomic_v1
swarm_fedora_atomic_v2

Add doc in troubleshooting-guide.

Add release notes.

Closes-Bug: #1580704
Partially-Implements: blueprint heat-agent
(cherry-picked from 65dfb2009f)
Change-Id: Id48fbea187da667a5e7334694c3ec17c8e2504db
tags/5.0.2
Spyros Trigazis 1 year ago
parent
commit
7167aff3c1
31 changed files with 387 additions and 1 deletions
  1. 18
    0
      doc/source/admin/troubleshooting-guide.rst
  2. 10
    0
      magnum/common/utils.py
  3. 5
    1
      magnum/conf/drivers.py
  4. 12
    0
      magnum/drivers/common/templates/fragments/atomic-install-openstack-ca.sh
  5. 2
    0
      magnum/drivers/common/templates/kubernetes/fragments/write-kube-os-config.sh
  6. 2
    0
      magnum/drivers/heat/template_def.py
  7. 32
    0
      magnum/drivers/k8s_coreos_v1/templates/fragments/add-ext-ca-certs.yaml
  8. 7
    0
      magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
  9. 18
    0
      magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
  10. 18
    0
      magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml
  11. 7
    0
      magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
  12. 15
    0
      magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
  13. 15
    0
      magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
  14. 7
    0
      magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
  15. 15
    0
      magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
  16. 15
    0
      magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml
  17. 27
    0
      magnum/drivers/mesos_ubuntu_v1/templates/fragments/add-ext-ca-certs.sh
  18. 15
    0
      magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml
  19. 7
    0
      magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml
  20. 22
    0
      magnum/drivers/mesos_ubuntu_v1/templates/mesosmaster.yaml
  21. 7
    0
      magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml
  22. 15
    0
      magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml
  23. 15
    0
      magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml
  24. 8
    0
      magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml
  25. 15
    0
      magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml
  26. 15
    0
      magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml
  27. 21
    0
      magnum/tests/unit/common/test_utils.py
  28. 6
    0
      magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
  29. 4
    0
      magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
  30. 5
    0
      magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
  31. 7
    0
      releasenotes/notes/bug-1580704-32a0e91e285792ea.yaml

+ 18
- 0
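--- a/doc/source/admin/troubleshooting-guide.rst
+++ b/doc/source/admin/troubleshooting-guide.rst
@@ -177,6 +177,24 @@ specified). If it fails, that means the credential you provided is invalid.
 
 TLS
 ---
+In production deployments, operators run the OpenStack APIs using
+ssl certificates and in private clouds it is common to use self-signed
+or certificates signed from CAs that they are usually not included
+in the systems' default CA-bundles. Magnum clusters with TLS enabled
+have their own CA but they need to make requests to the OpenStack
+APIs for several reasons. Eg Get the cluster CA and sign node
+certificates (Keystone, Magnum), signal the Heat API for stack
+completion, create resources (volumes, load balancers) or get
+information for each node (Cinder, Neutron, Nova). In these cases,
+the cluster nodes need the CA used for to run the APIs.
+
+To pass the OpenStack CA bundle to the nodes you can set the CA
+using the `openstack_ca_file` option in the `drivers` section of
+Magnum's configuration file (usually `/etc/magnum/magnum.conf`).
+The default drivers in magnum install this CA in the system and
+set it in all the places it might be needed (eg when configuring
+the kubernetes cloud provider or for the heat-agents.)
+
 The cluster nodes will validate the Certificate Authority by default
 when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
 If you need to disable CA validation, the configuration parameter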

+ 10
- 0
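--- a/magnum/common/utils.py
+++ b/magnum/common/utils.py
@@ -278,3 +278,13 @@ def generate_password(length, symbolgroups=None):
     r.shuffle(password)
 
     return ''.join(password)
+
+
+def get_openstack_ca():
+    openstack_ca_file = CONF.drivers.openstack_ca_file
+
+    if openstack_ca_file:
+        with open(openstack_ca_file) as fd:
+            return fd.read()
+    else:
+        return ''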
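Review bot: `get_openstack_ca` has no docstring, and a missing or unreadable `openstack_ca_file` surfaces as a bare `IOError` from `open()` at cluster-create time (the call site is `template_def.py` in this same commit). Failing closed is the right behaviour — silently passing an empty CA would leave nodes unable to verify the OpenStack APIs — but the error should name the option, so wrap the read in `try/except IOError` and re-raise with a message that mentions `[drivers] openstack_ca_file` and the path. Suggested docstring: `"""Return the contents of CONF.drivers.openstack_ca_file, or '' when the option is unset."""`. The file is re-read on every call, which is fine at cluster-create frequency and means a rotated CA is picked up without a service restart; a comment saying so would stop someone "optimising" it into a module-level constant.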

+ 5
- 1
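--- a/magnum/conf/drivers.py
+++ b/magnum/conf/drivers.py
@@ -25,7 +25,11 @@ drivers_opts = [
                      'you have your own Certificate Authority and you '
                      'have not installed the Certificate Authority to all '
                      'nodes, you may need to disable CA validation by '
-                     'setting this flag to False.')
+                     'setting this flag to False.'),
+    cfg.StrOpt('openstack_ca_file',
+               default="",
+               help='Path to the OpenStack CA-bundle file to pass and '
+                    'install in all cluster nodes.')
 ]
 
 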
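Review bot: The help text for `openstack_ca_file` does not say that the file is read by the Magnum service itself (not fetched by the nodes), that its whole contents are embedded into the Heat stack parameters, or that the empty default disables the feature; operators need that to know which host and which user must be able to read the file. Suggested wording: `help='Path to a PEM CA certificate or CA bundle that Magnum reads when creating a cluster and installs into the system trust store of every node. Leave empty to pass no extra CA.'`.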

+ 12
- 0
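--- /dev/null
+++ b/magnum/drivers/common/templates/fragments/atomic-install-openstack-ca.sh
@@ -0,0 +1,12 @@
+#!/bin/sh -ux
+
+CA_FILE=/etc/pki/ca-trust/source/anchors/openstack-ca.pem
+
+if [ -n "$OPENSTACK_CA" ] ; then
+    cat >> $CA_FILE <<EOF
+$OPENSTACK_CA
+EOF
+    chmod 444 $CA_FILE
+    chown root:root $CA_FILE
+    update-ca-trust extract
+fi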
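Review bot: `cat >> $CA_FILE` appends, so any second run of this fragment (another cloud-init pass, or a node rebuilt on a preserved disk) leaves duplicate copies of the certificate in the anchor file; the file is dedicated to this CA, so `cat > "$CA_FILE" <<'EOF'` makes it idempotent. Quoting the heredoc delimiter also stops the shell from expanding `$` or backticks inside the substituted certificate body — harmless for base64 PEM, but free. With `-u` but no `-e`, a failing `update-ca-trust extract` does not fail the script, and the fragments that follow then talk to the APIs with the CA absent from the bundle; `#!/bin/sh -eux` would surface that in the deployment result instead. Note that `-x` echoes the full certificate into the cloud-init log, which is acceptable since a CA certificate is public material.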

+ 2
- 0
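--- a/magnum/drivers/common/templates/kubernetes/fragments/write-kube-os-config.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-kube-os-config.sh
@@ -3,6 +3,7 @@
 . /etc/sysconfig/heat-params
 
 KUBE_OS_CLOUD_CONFIG=/etc/kubernetes/kube_openstack_config
+cp /etc/pki/tls/certs/ca-bundle.crt /etc/kubernetes/ca-bundle.crt
 
 # Generate a the configuration for Kubernetes services
 # to talk to OpenStack Neutron and Cinder
@@ -12,6 +13,7 @@ auth-url=$AUTH_URL
 user-id=$TRUSTEE_USER_ID
 password=$TRUSTEE_PASSWORD
 trust-id=$TRUST_ID
+ca-file=/etc/kubernetes/ca-bundle.crt
 [LoadBalancer]
 subnet-id=$CLUSTER_SUBNET
 create-monitor=yes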
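Review bot: The new `cp` line has no comment explaining why the system bundle is copied into `/etc/kubernetes` instead of `ca-file=` pointing at `/etc/pki/tls/certs/ca-bundle.crt` directly; presumably the Kubernetes services run in containers that only mount `/etc/kubernetes`, but nothing here shows that. The copy is also a point-in-time snapshot: it contains the OpenStack CA only because `install_openstack_ca` is placed before this fragment in the minion MultipartMime, and a later trust-store update on the host is not reflected in it. Suggested comment above the `cp`: `# Snapshot the host CA bundle (already extended with the OpenStack CA by install_openstack_ca, which must run first) into /etc/kubernetes so the kube services can read it - TODO confirm the host path is not reachable from them`.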

+ 2
- 0
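--- a/magnum/drivers/heat/template_def.py
+++ b/magnum/drivers/heat/template_def.py
@@ -20,6 +20,7 @@ import six
 
 from magnum.common import clients
 from magnum.common import exception
+from magnum.common import utils
 import magnum.conf
 
 from requests import exceptions as req_exceptions
@@ -245,6 +246,7 @@ class BaseTemplateDefinition(TemplateDefinition):
         extra_params['trustee_username'] = cluster.trustee_username
         extra_params['trustee_password'] = cluster.trustee_password
         extra_params['verify_ca'] = CONF.drivers.verify_ca
+        extra_params['openstack_ca'] = utils.get_openstack_ca()
 
         # Only pass trust ID into the template if allowed by the config file
         if CONF.trust.cluster_user_trust: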
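Review bot: `extra_params['openstack_ca']` is set unconditionally in the base definition, so every stack driven by `BaseTemplateDefinition` now receives an `openstack_ca` parameter, including templates that do not declare it (out-of-tree drivers, or an in-tree template the commit missed); if Heat rejects undeclared parameters for those stacks they will fail to create until they add the parameter, so it is worth confirming whether `get_params` filters extra params against the template before passing them on. The value is the certificate text rather than a path, which is easy to misread next to `verify_ca`; suggested comment on the new line: `# contents of the CA bundle, installed into the node trust store by the driver templates`. The enclosing method starts before this hunk.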

+ 32
- 0
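--- /dev/null
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/add-ext-ca-certs.yaml
@@ -0,0 +1,32 @@
+#cloud-config
+merge_how: dict(recurse_array)+list(append)
+write_files:
+  - path: /etc/systemd/system/add-ext-ca-certs.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Install custom CA certificates
+
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/sysconfig/add-ext-ca-certs.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/add-ext-ca-certs.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/sh
+
+      CERT_FILE=/etc/ssl/certs/openstack-ca.pem
+      if [ -n "$OPENSTACK_CA" ]
+      then
+          echo -ne "$OPENSTACK_CA" | tee -a ${CERT_FILE}
+
+          chmod 0644 ${CERT_FILE}
+          chown root:root ${CERT_FILE}
+          update-ca-certificates
+      fi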
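Review bot: `$OPENSTACK_CA` is substituted by Heat `str_replace` inside a `content: |` block scalar; with an ordinary multi-line PEM bundle every line after the first lands at column 0, which ends the block scalar and leaves cloud-config with an unparseable document unless something upstream re-indents it — this needs a test with a real multi-line bundle, since a one-line value would hide the problem. Independently, the script appends with `tee -a`, so any re-run (the unit carries an `[Install]` section that invites `enable`, after which it runs every boot) adds another copy of the certificate, and `echo -ne` drops the trailing newline so consecutive copies fuse into one invalid block. Writing instead of appending fixes both, `printf '%s\n' "$OPENSTACK_CA" > ${CERT_FILE}`, and avoids the non-POSIX `echo -ne`.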

+ 7
- 0
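--- a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
@@ -289,6 +289,11 @@ parameters:
       domain name for cluster DNS
     default: "cluster.local"
 
+  openstack_ca:
+    type: string
+    hidden: true
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   ######################################################################
@@ -459,6 +464,7 @@ resources:
           etcd_lb_vip: {get_attr: [etcd_lb, address]}
           dns_service_ip: {get_param: dns_service_ip}
           dns_cluster_domain: {get_param: dns_cluster_domain}
+          openstack_ca: {get_param: openstack_ca}
 
   ######################################################################
   #
@@ -513,6 +519,7 @@ resources:
           prometheus_monitoring: {get_param: prometheus_monitoring}
           dns_service_ip: {get_param: dns_service_ip}
           dns_cluster_domain: {get_param: dns_cluster_domain}
+          openstack_ca: {get_param: openstack_ca}
 
 outputs:
 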

+ 18
- 0
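--- a/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
@@ -226,6 +226,10 @@ parameters:
     description: >
       domain name for cluster DNS
 
+  openstack_ca:
+    type: string
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   master_wait_handle:
@@ -311,6 +315,16 @@ resources:
             "$DNS_SERVICE_IP": {get_param: dns_service_ip}
             "$DNS_CLUSTER_DOMAIN": {get_param: dns_cluster_domain}
 
+  add_ext_ca_certs:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config:
+        str_replace:
+          params:
+            $OPENSTACK_CA: {get_param: openstack_ca}
+          template: {get_file: fragments/add-ext-ca-certs.yaml}
+
   configure_etcd:
     type: OS::Heat::SoftwareConfig
     properties:
@@ -408,6 +422,7 @@ resources:
       config:
         str_replace:
           template: |
+            $add_ext_ca_certs
             $write_heat_params
             $make_cert
             $configure_docker
@@ -426,6 +441,8 @@ resources:
             $wc_notify
             coreos:
               units:
+                - name: "add-ext-ca-certs.service"
+                  command: "start"
                 - name: "make-cert.service"
                   command: "start"
                 - name: "configure-docker.service"
@@ -457,6 +474,7 @@ resources:
                 - name: "wc-notify.service"
                   command: "start"
           params:
+            "$add_ext_ca_certs": {get_attr: [add_ext_ca_certs, config]}
             "$write_heat_params": {get_attr: [write_heat_params, config]}
             "$make_cert": {get_attr: [make_cert, config]}
             "$configure_docker": {get_attr: [configure_docker, config]}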
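Review bot: `add-ext-ca-certs.service` is listed first under `units`, but systemd does not order units by list position, and `make-cert.service` and the later units (whose fragments are not in this diff) carry no `After=add-ext-ca-certs.service`, so if they contact the OpenStack APIs the CA may still be absent from the trust store when the first request is made; an `After=`/`Requires=` on those units, or a `Before=` line in the new unit, is needed to make the ordering real. The same applies to `kubeminion.yaml` in this commit. Separately, `openstack_ca` is `hidden: true` in `kubecluster.yaml` but not in this nested template nor in the other nested templates of the commit (the fedora atomic, ironic, mesos slave and swarm master/node templates), while `mesosmaster.yaml` has it; a CA certificate is public material so `hidden` is not required, but the templates should agree one way or the other.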

+ 18
- 0
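--- a/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml
@@ -156,6 +156,10 @@ parameters:
     description: >
       domain name for cluster DNS
 
+  openstack_ca:
+    type: string
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   minion_wait_handle:
@@ -215,6 +219,16 @@ resources:
             "$DNS_SERVICE_IP": {get_param: dns_service_ip}
             "$DNS_CLUSTER_DOMAIN": {get_param: dns_cluster_domain}
 
+  add_ext_ca_certs:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config:
+        str_replace:
+          params:
+            $OPENSTACK_CA: {get_param: openstack_ca}
+          template: {get_file: fragments/add-ext-ca-certs.yaml}
+
   write_kubeconfig:
     type: OS::Heat::SoftwareConfig
     properties:
@@ -270,6 +284,7 @@ resources:
       config:
         str_replace:
           template: |
+            $add_ext_ca_certs
             $write_heat_params
             $write_kubeconfig
             $make_cert
@@ -281,6 +296,8 @@ resources:
             $wc_notify
             coreos:
               units:
+                - name: "add-ext-ca-certs.service"
+                  command: "start"
                 - name: "make-cert.service"
                   command: "start"
                 - name: "configure-docker.service"
@@ -296,6 +313,7 @@ resources:
                 - name: "wc-notify.service"
                   command: "start"
           params:
+            "$add_ext_ca_certs": {get_attr: [add_ext_ca_certs, config]}
             "$write_heat_params": {get_attr: [write_heat_params, config]}
             "$write_kubeconfig": {get_attr: [write_kubeconfig, config]}
             "$make_cert": {get_attr: [make_cert, config]}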

+ 7
- 0
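--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -344,6 +344,11 @@ parameters:
       domain name for cluster DNS
     default: "cluster.local"
 
+  openstack_ca:
+    type: string
+    hidden: true
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   ######################################################################
@@ -523,6 +528,7 @@ resources:
           etcd_lb_vip: {get_attr: [etcd_lb, address]}
           dns_service_ip: {get_param: dns_service_ip}
           dns_cluster_domain: {get_param: dns_cluster_domain}
+          openstack_ca: {get_param: openstack_ca}
 
   ######################################################################
   #
@@ -590,6 +596,7 @@ resources:
           insecure_registry_url: {get_param: insecure_registry_url}
           dns_service_ip: {get_param: dns_service_ip}
           dns_cluster_domain: {get_param: dns_cluster_domain}
+          openstack_ca: {get_param: openstack_ca}
 
 outputs:
 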

+ 15
- 0
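--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
@@ -255,6 +255,10 @@ parameters:
     description: >
       domain name for cluster DNS
 
+  openstack_ca:
+    type: string
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   master_wait_handle:
@@ -341,6 +345,16 @@ resources:
             "$DNS_SERVICE_IP": {get_param: dns_service_ip}
             "$DNS_CLUSTER_DOMAIN": {get_param: dns_cluster_domain}
 
+  install_openstack_ca:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config:
+        str_replace:
+          params:
+            $OPENSTACK_CA: {get_param: openstack_ca}
+          template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
+
   make_cert:
     type: OS::Heat::SoftwareConfig
     properties:
@@ -445,6 +459,7 @@ resources:
     type: OS::Heat::MultipartMime
     properties:
       parts:
+        - config: {get_resource: install_openstack_ca}
         - config: {get_resource: disable_selinux}
         - config: {get_resource: write_heat_params}
         - config: {get_resource: configure_etcd}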

+ 15
- 0
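--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
@@ -223,6 +223,10 @@ parameters:
     description: >
       domain name for cluster DNS
 
+  openstack_ca:
+    type: string
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   minion_wait_handle:
@@ -294,6 +298,16 @@ resources:
       group: ungrouped
       config: {get_file: ../../common/templates/kubernetes/fragments/write-kubeconfig.yaml}
 
+  install_openstack_ca:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config:
+        str_replace:
+          params:
+            $OPENSTACK_CA: {get_param: openstack_ca}
+          template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
+
   write_kube_os_config:
     type: OS::Heat::SoftwareConfig
     properties:
@@ -386,6 +400,7 @@ resources:
     type: OS::Heat::MultipartMime
     properties:
       parts:
+        - config: {get_resource: install_openstack_ca}
         - config: {get_resource: disable_selinux}
         - config: {get_resource: write_heat_params}
         - config: {get_resource: write_kubeconfig}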

+ 7
- 0
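--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
@@ -335,6 +335,11 @@ parameters:
     description: insecure registry url
     default: ""
 
+  openstack_ca:
+    type: string
+    hidden: true
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   api_lb:
@@ -495,6 +500,7 @@ resources:
           insecure_registry_url: {get_param: insecure_registry_url}
           wc_curl_cli: {get_attr: [master_wait_handle, curl_cli]}
           etcd_lb_vip: {get_attr: [etcd_lb, address]}
+          openstack_ca: {get_param: openstack_ca}
 
   ######################################################################
   #
@@ -582,6 +588,7 @@ resources:
       trust_id: {get_param: trust_id}
       insecure_registry_url: {get_param: insecure_registry_url}
       wc_curl_cli: {get_attr: [minion_wait_handle, curl_cli]}
+      openstack_ca: {get_param: openstack_ca}
 
   ######################################################################
   #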

+ 15
- 0
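--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
@@ -234,6 +234,10 @@ parameters:
       etcd lb vip private used to generate certs on master.
     default: ""
 
+  openstack_ca:
+    type: string
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   ######################################################################
@@ -304,6 +308,16 @@ resources:
             "$ENABLE_CINDER": "False"
             "$ETCD_LB_VIP": {get_param: etcd_lb_vip}
 
+  install_openstack_ca:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config:
+        str_replace:
+          params:
+            $OPENSTACK_CA: {get_param: openstack_ca}
+          template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
+
   make_cert:
     type: OS::Heat::SoftwareConfig
     properties:
@@ -414,6 +428,7 @@ resources:
     type: OS::Heat::MultipartMime
     properties:
       parts:
+        - config: {get_resource: install_openstack_ca}
         - config: {get_resource: disable_selinux}
         - config: {get_resource: write_heat_params}
         - config: {get_resource: configure_etcd}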

+ 15
- 0
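--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml
@@ -169,6 +169,10 @@ parameters:
     description : >
       Wait condition notify command for Minion.
 
+  openstack_ca:
+    type: string
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   ######################################################################
@@ -229,6 +233,16 @@ resources:
       group: ungrouped
       config: {get_file: ../../common/templates/kubernetes/fragments/write-kubeconfig.yaml}
 
+  install_openstack_ca:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config:
+        str_replace:
+          params:
+            $OPENSTACK_CA: {get_param: openstack_ca}
+          template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
+
   make_cert:
     type: OS::Heat::SoftwareConfig
     properties:
@@ -321,6 +335,7 @@ resources:
     type: OS::Heat::MultipartMime
     properties:
       parts:
+        - config: {get_resource: install_openstack_ca}
         - config: {get_resource: disable_selinux}
         - config: {get_resource: write_heat_params}
         - config: {get_resource: write_kubeconfig}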

+ 27
- 0
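--- /dev/null
+++ b/magnum/drivers/mesos_ubuntu_v1/templates/fragments/add-ext-ca-certs.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+CACERTS=$(cat <<-EOF
+@@CACERTS_CONTENT@@
+EOF
+)
+
+CA_FILE=/usr/local/share/ca-certificates/magnum-external.crt
+
+if [ -n "$CACERTS" ]; then
+    touch $CA_FILE
+    echo "$CACERTS" | tee -a $CA_FILE
+    chmod 0644 $CA_FILE
+    chown root:root $CA_FILE
+    update-ca-certificates
+    # Legacy versions of requests shipped with os-collect-config can have own CA cert database
+    for REQUESTS_LOCATION in \
+        /opt/stack/venvs/os-collect-config/lib/python2.7/site-packages/requests \
+        /usr/local/lib/python2.7/dist-packages/requests; do
+        if [ -f "${REQUESTS_LOCATION}/cacert.pem" ]; then
+            echo "$CACERTS" | tee -a "${REQUESTS_LOCATION}/cacert.pem"
+        fi
+    done
+    if [ -f /etc/init/os-collect-config.conf ]; then
+        service os-collect-config restart
+    fi
+fi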
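Review bot: Both `tee -a` calls append, so a re-run of this script (a second cloud-init pass, or a node rebuilt on a preserved disk) adds another copy of the certificate to `magnum-external.crt` and to each `requests` bundle. `magnum-external.crt` is dedicated to this CA, so `echo "$CACERTS" | tee $CA_FILE` (no `-a`) makes that part idempotent, and the `requests` append should be guarded with a `grep -qF` for one of the certificate's base64 lines before appending. The edit to the vendored `requests` bundle is also silently undone whenever that package is upgraded, which the existing comment could say so the behaviour is not mistaken for a bug later. `printf '%s\n' "$CACERTS"` is the portable form of `echo` here, though PEM text has no backslashes for `dash` to mangle.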

+ 15
- 0
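--- a/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml
+++ b/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml
@@ -104,6 +104,10 @@ parameters:
     type: string
     description: Wait condition notify command for slave.
 
+  openstack_ca:
+    type: string
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   ######################################################################
@@ -138,6 +142,16 @@ resources:
             "$IMAGE_PROVIDERS": {get_param: mesos_slave_image_providers}
             "$EXECUTOR_ENVIRONMENT_VARIABLES": {get_param: mesos_slave_executor_env_variables}
 
+  add_ext_ca_certs:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config:
+        str_replace:
+          template: {get_file: fragments/add-ext-ca-certs.sh}
+          params:
+            "@@CACERTS_CONTENT@@": {get_param: openstack_ca}
+
   configure_mesos_slave:
     type: OS::Heat::SoftwareConfig
     properties:
@@ -179,6 +193,7 @@ resources:
     type: OS::Heat::MultipartMime
     properties:
       parts:
+        - config: {get_resource: add_ext_ca_certs}
         - config: {get_resource: write_heat_params}
         - config: {get_resource: configure_mesos_slave}
         - config: {get_resource: add_proxy}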

+ 7
- 0
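--- a/magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml
+++ b/magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml
@@ -211,6 +211,11 @@ parameters:
     type: boolean
     description: whether or not to validate certificate authority
 
+  openstack_ca:
+    type: string
+    hidden: true
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   ######################################################################
@@ -391,6 +396,7 @@ resources:
           fixed_subnet: {get_attr: [network, fixed_subnet]}
           secgroup_mesos_id: {get_resource: secgroup_master}
           api_pool_id: {get_attr: [api_lb, pool_id]}
+          openstack_ca: {get_param: openstack_ca}
 
   ######################################################################
   #
@@ -463,6 +469,7 @@ resources:
       mesos_slave_executor_env_variables: {get_param: mesos_slave_executor_env_variables}
       mesos_slave_wc_curl_cli: {get_attr: [slave_wait_handle, curl_cli]}
       verify_ca: {get_param: verify_ca}
+      openstack_ca: {get_param: openstack_ca}
 
 outputs:
 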

+ 22
- 0
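--- a/magnum/drivers/mesos_ubuntu_v1/templates/mesosmaster.yaml
+++ b/magnum/drivers/mesos_ubuntu_v1/templates/mesosmaster.yaml
@@ -43,8 +43,29 @@ parameters:
     type: string
     description: ID of the load balancer pool of Marathon.
 
+  openstack_ca:
+    type: string
+    hidden: true
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
+  add_ext_ca_certs:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: script
+      config:
+        str_replace:
+          template: {get_file: fragments/add-ext-ca-certs.sh}
+          params:
+            "@@CACERTS_CONTENT@@": {get_param: openstack_ca}
+
+  mesos_master_init:
+    type: OS::Heat::MultipartMime
+    properties:
+      parts:
+        - config: {get_resource: add_ext_ca_certs}
+
   ######################################################################
   #
   # Mesos master server.
@@ -61,6 +82,7 @@ resources:
       flavor: {get_param: master_flavor}
       key_name: {get_param: ssh_key_name}
       user_data_format: SOFTWARE_CONFIG
+      user_data: {get_resource: mesos_master_init}
       networks:
         - port: {get_resource: mesos_master_eth0}
 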
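Review bot: `add_ext_ca_certs` here uses `group: script`, while the identical resource in `mesos_slave_software_configs.yaml` uses `group: ungrouped`; both are delivered as parts of an `OS::Heat::MultipartMime` consumed by cloud-init, where the group is only meaningful for heat-config deployments, so the two should agree and `group: ungrouped` is the matching choice. A comment on `mesos_master_init` would also help a reader: it exists only to carry this one part, and its purpose is to get the CA onto the host (and have the fragment restart os-collect-config) before the master's software deployments, which are fetched from Heat over TLS, are polled. The server resource that gains `user_data` starts before this hunk.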

+ 7
- 0
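--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml
@@ -252,6 +252,11 @@ parameters:
       other hosts are using the volume
     default: "false"
 
+  openstack_ca:
+    type: string
+    hidden: true
+    description: The OpenStack CA certificate to install on the node.
+
 
 resources:
 
@@ -397,6 +402,7 @@ resources:
           auth_url: {get_param: auth_url}
           volume_driver: {get_param: volume_driver}
           rexray_preempt: {get_param: rexray_preempt}
+          openstack_ca: {get_param: openstack_ca}
 
   swarm_nodes:
     type: "OS::Heat::ResourceGroup"
@@ -448,6 +454,7 @@ resources:
           registry_chunksize: {get_param: registry_chunksize}
           volume_driver: {get_param: volume_driver}
           rexray_preempt: {get_param: rexray_preempt}
+          openstack_ca: {get_param: openstack_ca}
 
 outputs:
 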

+ 15
- 0
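--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml
@@ -176,6 +176,10 @@ parameters:
       other hosts are using the volume
     default: "false"
 
+  openstack_ca:
+    type: string
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   master_wait_handle:
@@ -262,6 +266,16 @@ resources:
             "$VOLUME_DRIVER": {get_param: volume_driver}
             "$REXRAY_PREEMPT": {get_param: rexray_preempt}
 
+  install_openstack_ca:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config:
+        str_replace:
+          params:
+            $OPENSTACK_CA: {get_param: openstack_ca}
+          template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
+
   write_network_config:
     type: "OS::Heat::SoftwareConfig"
     properties:
@@ -389,6 +403,7 @@ resources:
     type: "OS::Heat::MultipartMime"
     properties:
       parts:
+        - config: {get_resource: install_openstack_ca}
         - config: {get_resource: configure_selinux}
         - config: {get_resource: remove_docker_key}
         - config: {get_resource: write_heat_params}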

+ 15
- 0
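--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml
@@ -175,6 +175,10 @@ parameters:
       other hosts are using the volume
     default: "false"
 
+  openstack_ca:
+    type: string
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   node_wait_handle:
@@ -244,6 +248,16 @@ resources:
             "$VOLUME_DRIVER": {get_param: volume_driver}
             "$REXRAY_PREEMPT": {get_param: rexray_preempt}
 
+  install_openstack_ca:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config:
+        str_replace:
+          params:
+            $OPENSTACK_CA: {get_param: openstack_ca}
+          template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
+
   remove_docker_key:
     type: "OS::Heat::SoftwareConfig"
     properties:
@@ -352,6 +366,7 @@ resources:
     type: "OS::Heat::MultipartMime"
     properties:
       parts:
+        - config: {get_resource: install_openstack_ca}
         - config: {get_resource: configure_selinux}
         - config: {get_resource: remove_docker_key}
         - config: {get_resource: write_heat_params}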

+ 8
- 0
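--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml
@@ -183,6 +183,11 @@ parameters:
     type: boolean
     description: whether or not to validate certificate authority
 
+  openstack_ca:
+    type: string
+    hidden: true
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   ######################################################################
@@ -305,6 +310,7 @@ resources:
           volume_driver: {get_param: volume_driver}
           rexray_preempt: {get_param: rexray_preempt}
           verify_ca: {get_param: verify_ca}
+          openstack_ca: {get_param: openstack_ca}
 
   swarm_secondary_masters:
     type: "OS::Heat::ResourceGroup"
@@ -347,6 +353,7 @@ resources:
           volume_driver: {get_param: volume_driver}
           rexray_preempt: {get_param: rexray_preempt}
           verify_ca: {get_param: verify_ca}
+          openstack_ca: {get_param: openstack_ca}
 
   swarm_nodes:
     type: "OS::Heat::ResourceGroup"
@@ -389,6 +396,7 @@ resources:
           volume_driver: {get_param: volume_driver}
           rexray_preempt: {get_param: rexray_preempt}
           verify_ca: {get_param: verify_ca}
+          openstack_ca: {get_param: openstack_ca}
 
 outputs: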

+ 15
- 0
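--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml
@@ -139,6 +139,10 @@ parameters:
     type: boolean
     description: whether or not to validate certificate authority
 
+  openstack_ca:
+    type: string
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   master_wait_handle:
@@ -201,6 +205,16 @@ resources:
             "$REXRAY_PREEMPT": {get_param: rexray_preempt}
             "$VERIFY_CA": {get_param: verify_ca}
 
+  install_openstack_ca:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config:
+        str_replace:
+          params:
+            $OPENSTACK_CA: {get_param: openstack_ca}
+          template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
+
   remove_docker_key:
     type: "OS::Heat::SoftwareConfig"
     properties:
@@ -273,6 +287,7 @@ resources:
     type: "OS::Heat::MultipartMime"
     properties:
       parts:
+        - config: {get_resource: install_openstack_ca}
         - config: {get_resource: configure_selinux}
         - config: {get_resource: remove_docker_key}
         - config: {get_resource: write_heat_params}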
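Review bot: The `install_openstack_ca` resource in the second hunk splices `$OPENSTACK_CA` into a shell script through `str_replace`, so the substituted value is a multi-line PEM block when `openstack_ca_file` is configured and an empty string otherwise (the conductor tests in this commit expect `'openstack_ca': ''`). The fragment `atomic-install-openstack-ca.sh` is not in this view; confirm that it emits the value through a quoted heredoc rather than an unquoted expansion, and that it skips the install when the value is empty so no empty file is written into the host trust store. The same resource is added to swarmnode.yaml. Placing it first in the `MultipartMime` parts, ahead of `write_heat_params`, means the CA is present before any later script contacts the OpenStack APIs, which is the intended ordering.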

+ 15
- 0
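--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml
@@ -131,6 +131,10 @@ parameters:
     type: boolean
     description: whether or not to validate certificate authority
 
+  openstack_ca:
+    type: string
+    description: The OpenStack CA certificate to install on the node.
+
 resources:
 
   node_wait_handle:
@@ -178,6 +182,16 @@ resources:
             "$REXRAY_PREEMPT": {get_param: rexray_preempt}
             "$VERIFY_CA": {get_param: verify_ca}
 
+  install_openstack_ca:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config:
+        str_replace:
+          params:
+            $OPENSTACK_CA: {get_param: openstack_ca}
+          template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
+
   remove_docker_key:
     type: "OS::Heat::SoftwareConfig"
     properties:
@@ -250,6 +264,7 @@ resources:
     type: "OS::Heat::MultipartMime"
     properties:
       parts:
+        - config: {get_resource: install_openstack_ca}
         - config: {get_resource: configure_selinux}
         - config: {get_resource: remove_docker_key}
         - config: {get_resource: write_heat_params}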

+ 21
- 0
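--- a/magnum/tests/unit/common/test_utils.py
+++ b/magnum/tests/unit/common/test_utils.py
@@ -25,8 +25,11 @@ from oslo_utils import netutils
 
 from magnum.common import exception
 from magnum.common import utils
+import magnum.conf
 from magnum.tests import base
 
+CONF = magnum.conf.CONF
+
 
 class UtilsTestCase(base.TestCase):
 
@@ -52,6 +55,24 @@ class UtilsTestCase(base.TestCase):
         self.assertRaises(exception.UnsupportedDockerQuantityFormat,
                           utils.get_docker_quantity, '512B')
 
+    def test_get_openstasck_ca(self):
+        # openstack_ca_file is empty
+        self.assertEqual('', utils.get_openstack_ca())
+
+        # openstack_ca_file is set but the file doesn't exist
+        CONF.set_override('openstack_ca_file',
+                          '/tmp/invalid-ca.pem',
+                          group='drivers')
+        self.assertRaises(IOError, utils.get_openstack_ca)
+
+        # openstack_ca_file is set and the file exists
+        CONF.set_override('openstack_ca_file',
+                          '/tmp/invalid-ca.pem',
+                          group='drivers')
+        with mock.patch('magnum.common.utils.open',
+                        mock.mock_open(read_data="CERT"), create=True):
+            self.assertEqual('CERT', utils.get_openstack_ca())
+
 
 class ExecuteTestCase(base.TestCase):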
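Review bot: The test name `test_get_openstasck_ca` on the first added line of the second hunk is misspelled and should be `test_get_openstack_ca`. The `IOError` case assumes `/tmp/invalid-ca.pem` does not exist on the machine running the tests; a path inside a freshly created `tempfile.TemporaryDirectory()` removes that dependency on host state. The third case reuses the same nonexistent path and relies on `mock.mock_open` for the contents, so its comment `# openstack_ca_file is set and the file exists` is misleading; `# the read is mocked, only the override path matters here` describes what actually runs. The overrides are set on the global `CONF` with no explicit reset; if `base.TestCase` does not already restore config between tests, add `self.addCleanup(CONF.clear_override, 'openstack_ca_file', group='drivers')` before the first override.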
 

+ 6
- 0
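--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@@ -214,6 +214,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'insecure_registry_url': '10.0.0.1:5000',
             'kube_version': 'fake-version',
             'verify_ca': True,
+            'openstack_ca': '',
         }
         if missing_attr is not None:
             expected.pop(mapping[missing_attr], None)
@@ -309,6 +310,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'insecure_registry_url': '10.0.0.1:5000',
             'kube_version': 'fake-version',
             'verify_ca': True,
+            'openstack_ca': '',
         }
 
         self.assertEqual(expected, definition)
@@ -389,6 +391,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'trustee_username': 'fake_trustee',
             'username': 'fake_user',
             'verify_ca': True,
+            'openstack_ca': '',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(
@@ -466,6 +469,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'insecure_registry_url': '10.0.0.1:5000',
             'kube_version': 'fake-version',
             'verify_ca': True,
+            'openstack_ca': '',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(
@@ -538,6 +542,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'insecure_registry_url': '10.0.0.1:5000',
             'kube_version': 'fake-version',
             'verify_ca': True,
+            'openstack_ca': '',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(
@@ -739,6 +744,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'insecure_registry_url': '10.0.0.1:5000',
             'kube_version': 'fake-version',
             'verify_ca': True,
+            'openstack_ca': '',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(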

+ 4
- 0
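--- a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
@@ -131,6 +131,7 @@ class TestClusterConductorWithMesos(base.TestCase):
             'mesos_slave_work_dir': '/tmp/mesos/slave',
             'mesos_slave_image_providers': 'docker',
             'verify_ca': True,
+            'openstack_ca': '',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(
@@ -185,6 +186,7 @@ class TestClusterConductorWithMesos(base.TestCase):
             'mesos_slave_work_dir': '/tmp/mesos/slave',
             'mesos_slave_image_providers': 'docker',
             'verify_ca': True,
+            'openstack_ca': '',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(
@@ -243,6 +245,7 @@ class TestClusterConductorWithMesos(base.TestCase):
             'mesos_slave_work_dir': '/tmp/mesos/slave',
             'mesos_slave_image_providers': 'docker',
             'verify_ca': True,
+            'openstack_ca': '',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(
@@ -302,6 +305,7 @@ class TestClusterConductorWithMesos(base.TestCase):
             'mesos_slave_work_dir': '/tmp/mesos/slave',
             'mesos_slave_image_providers': 'docker',
             'verify_ca': True,
+            'openstack_ca': '',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(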

+ 5
- 0
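--- a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
@@ -155,6 +155,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
             'rexray_preempt': 'False',
             'docker_volume_type': 'lvmdriver-1',
             'verify_ca': True,
+            'openstack_ca': '',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(
@@ -232,6 +233,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
             'rexray_preempt': 'False',
             'docker_volume_type': 'lvmdriver-1',
             'verify_ca': True,
+            'openstack_ca': '',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(
@@ -301,6 +303,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
             'docker_volume_type': 'lvmdriver-1',
             'docker_volume_size': 20,
             'verify_ca': True,
+            'openstack_ca': '',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(
@@ -372,6 +375,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
             'rexray_preempt': 'False',
             'docker_volume_type': 'lvmdriver-1',
             'verify_ca': True,
+            'openstack_ca': '',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(
@@ -444,6 +448,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
             'rexray_preempt': 'False',
             'docker_volume_type': 'lvmdriver-1',
             'verify_ca': True,
+            'openstack_ca': '',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(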

+ 7
- 0
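--- a/releasenotes/notes/bug-1580704-32a0e91e285792ea.yaml
+++ b/releasenotes/notes/bug-1580704-32a0e91e285792ea.yaml
@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    Add new configuration option `openstack_ca_file` in the `drivers` section
+    to pass the CA bundle used for the OpenStack API. Setting this file and
+    setting `verify_ca` to `true` will result to all requests from the cluster
+    nodes to the OpenStack APIs to be verified.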
