Browse Source

Add verify_ca configuration parameter

Added configuration parameter, verify_ca, to magnum.conf with default
value of True. This parameter is passed to the heat templates to
indicate whether the cluster nodes validate the Certificate Authority
when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
This configuration parameter can be set to False to disable CA
validation.

Co-Authored-By: Vijendar Komalla <vijendar.komalla@rackspace.com>

Change-Id: Iab02cb1338b811dac0c147378dbd0e63c83f0413
Partial-Bug: #1663757
changes/87/447687/38
Kirsten G 4 years ago
parent
commit
b07b6f34d5
  1. 6
      doc/source/admin/troubleshooting-guide.rst
  2. 2
      magnum/conf/__init__.py
  3. 40
      magnum/conf/drivers.py
  4. 12
      magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
  5. 12
      magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
  6. 2
      magnum/drivers/common/templates/kubernetes/fragments/wc-notify-master.sh
  7. 1
      magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
  8. 1
      magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml
  9. 8
      magnum/drivers/common/templates/swarm/fragments/cfn-signal.sh
  10. 21
      magnum/drivers/common/templates/swarm/fragments/make-cert.py
  11. 2
      magnum/drivers/common/templates/swarm/fragments/write-cluster-failure-service.yaml
  12. 1
      magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml
  13. 1
      magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml
  14. 8
      magnum/drivers/common/templates/swarm/fragments/write-swarm-agent-service.sh
  15. 8
      magnum/drivers/common/templates/swarm/fragments/write-swarm-master-service.sh
  16. 1
      magnum/drivers/heat/template_def.py
  17. 12
      magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
  18. 12
      magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
  19. 2
      magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml
  20. 1
      magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml
  21. 1
      magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml
  22. 6
      magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
  23. 5
      magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
  24. 5
      magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml
  25. 6
      magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
  26. 5
      magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
  27. 5
      magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
  28. 6
      magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
  29. 5
      magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
  30. 5
      magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml
  31. 7
      magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml
  32. 5
      magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml
  33. 6
      magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml
  34. 7
      magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml
  35. 6
      magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml
  36. 1
      magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-heat-params-master.yaml
  37. 14
      magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh
  38. 12
      magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh
  39. 6
      magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml
  40. 5
      magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml
  41. 5
      magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml
  42. 8
      magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
  43. 10
      magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
  44. 13
      magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
  45. 12
      releasenotes/notes/bug-1663757-198e1aa8fa810984.yaml

6
doc/source/admin/troubleshooting-guide.rst

@ -178,7 +178,11 @@ specified). If it fails, that means the credential you provided is invalid.
TLS
---
*To be filled in*
The cluster nodes will validate the Certificate Authority by default
when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
If you need to disable CA validation, the configuration parameter
verify_ca can be set to False. More information on `CA Validation
<https://bugs.launchpad.net/magnum/+bug/1663757>`_.
Barbican service

2
magnum/conf/__init__.py

@ -26,6 +26,7 @@ from magnum.conf import conductor
from magnum.conf import database
from magnum.conf import docker
from magnum.conf import docker_registry
from magnum.conf import drivers
from magnum.conf import glance
from magnum.conf import heat
from magnum.conf import keystone
@ -54,6 +55,7 @@ conductor.register_opts(CONF)
database.register_opts(CONF)
docker.register_opts(CONF)
docker_registry.register_opts(CONF)
drivers.register_opts(CONF)
glance.register_opts(CONF)
heat.register_opts(CONF)
keystone.register_opts(CONF)

40
magnum/conf/drivers.py

@ -0,0 +1,40 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_config import cfg
drivers_group = cfg.OptGroup(name='drivers',
title='Options for the Drivers')
drivers_opts = [
cfg.BoolOpt('verify_ca',
default=True,
help='Indicates whether the cluster nodes validate the '
'Certificate Authority when making requests to the '
'OpenStack APIs (Keystone, Magnum, Heat). If you have '
'self-signed certificates for the OpenStack APIs or '
'you have your own Certificate Authority and you '
'have not installed the Certificate Authority to all '
'nodes, you may need to disable CA validation by '
'setting this flag to False.')
]
def register_opts(conf):
conf.register_group(drivers_group)
conf.register_opts(drivers_opts, group=drivers_group)
def list_opts():
return {
drivers_group: drivers_opts,
}

12
magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh

@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then
exit 0
fi
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
cert_dir=/etc/kubernetes/certs
mkdir -p "$cert_dir"
@ -55,11 +61,11 @@ EOF
content_type='Content-Type: application/json'
url="$AUTH_URL/auth/tokens"
USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \
USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \
| grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'`
# Get CA certificate for this cluster
curl -k -X GET \
curl $VERIFY_CA -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > $CA_CERT
@ -93,7 +99,7 @@ openssl req -new -days 1000 \
# Send csr to Magnum to have it signed
csr_req=$(python -c "import json; fp = open('${CLIENT_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")
curl -k -X POST \
curl $VERIFY_CA -X POST \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \

12
magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh

@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then
exit 0
fi
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then
KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
fi
@ -87,11 +93,11 @@ EOF
content_type='Content-Type: application/json'
url="$AUTH_URL/auth/tokens"
USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \
USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \
| grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'`
# Get CA certificate for this cluster
curl -k -X GET \
curl $VERIFY_CA -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${CA_CERT}
@ -120,7 +126,7 @@ openssl req -new -days 1000 \
# Send csr to Magnum to have it signed
csr_req=$(python -c "import json; fp = open('${SERVER_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")
curl -k -X POST \
curl $VERIFY_CA -X POST \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \

2
magnum/drivers/common/templates/kubernetes/fragments/wc-notify-master.sh

@ -11,7 +11,7 @@ until curl -sf "http://127.0.0.1:8080/healthz"; do
echo "Waiting for Kubernetes API..."
sleep 5
done
$WAIT_CURL --data-binary '{"status": "SUCCESS"}'
$WAIT_CURL $VERIFY_CA --data-binary '{"status": "SUCCESS"}'
EOF
cat > $WC_NOTIFY_SERVICE <<EOF

1
magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml

@ -30,6 +30,7 @@ write_files:
CLUSTER_SUBNET="$CLUSTER_SUBNET"
TLS_DISABLED="$TLS_DISABLED"
KUBE_DASHBOARD_ENABLED="$KUBE_DASHBOARD_ENABLED"
VERIFY_CA="$VERIFY_CA"
CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL"
VOLUME_DRIVER="$VOLUME_DRIVER"

1
magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml

@ -24,6 +24,7 @@ write_files:
REGISTRY_INSECURE="$REGISTRY_INSECURE"
REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL"
AUTH_URL="$AUTH_URL"

8
magnum/drivers/common/templates/swarm/fragments/cfn-signal.sh

@ -4,6 +4,12 @@
echo "notifying heat"
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
STATUS="SUCCESS"
REASON="Setup complete"
DATA="OK"
@ -11,4 +17,4 @@ UUID=`uuidgen`
data=$(echo '{"status": "'${STATUS}'", "reason": "'$REASON'", "data": "'${DATA}'", "id": "'$UUID'"}')
sh -c "${WAIT_CURL} --data-binary '${data}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '${data}'"

21
magnum/drivers/common/templates/swarm/fragments/make-cert.py

@ -81,13 +81,14 @@ def _build_subject_alt_names(config):
return ','.join(subject_alt_names)
def write_ca_cert(config):
def write_ca_cert(config, verify_ca):
cluster_cert_url = '%s/certificates/%s' % (config['MAGNUM_URL'],
config['CLUSTER_UUID'])
headers = {'X-Auth-Token': config['USER_TOKEN'],
'OpenStack-API-Version': 'container-infra latest'}
ca_cert_resp = requests.get(cluster_cert_url,
headers=headers)
headers=headers,
verify=verify_ca)
with open(CA_CERT_PATH, 'w') as fp:
fp.write(ca_cert_resp.json()['pem'])
@ -121,7 +122,7 @@ def create_server_csr(config):
return {'cluster_uuid': config['CLUSTER_UUID'], 'csr': fp.read()}
def write_server_cert(config, csr_req):
def write_server_cert(config, csr_req, verify_ca):
cert_url = '%s/certificates' % config['MAGNUM_URL']
headers = {
'Content-Type': 'application/json',
@ -130,13 +131,14 @@ def write_server_cert(config, csr_req):
}
csr_resp = requests.post(cert_url,
data=json.dumps(csr_req),
headers=headers)
headers=headers,
verify=verify_ca)
with open(SERVER_CERT_PATH, 'w') as fp:
fp.write(csr_resp.json()['pem'])
def get_user_token(config):
def get_user_token(config, verify_ca):
creds_str = '''
{
"auth": {
@ -161,7 +163,7 @@ def get_user_token(config):
creds = creds_str % params
headers = {'Content-Type': 'application/json'}
url = config['AUTH_URL'] + '/auth/tokens'
r = requests.post(url, headers=headers, data=creds)
r = requests.post(url, headers=headers, data=creds, verify=verify_ca)
config['USER_TOKEN'] = r.headers['X-Subject-Token']
return config
@ -169,12 +171,13 @@ def get_user_token(config):
def main():
config = load_config()
if config['TLS_DISABLED'] == 'False':
verify_ca = True if config['VERIFY_CA'] == 'True' else False
create_dirs()
config = get_user_token(config)
write_ca_cert(config)
config = get_user_token(config, verify_ca)
write_ca_cert(config, verify_ca)
write_server_key()
csr_req = create_server_csr(config)
write_server_cert(config, csr_req)
write_server_cert(config, csr_req, verify_ca)
if __name__ == '__main__':

2
magnum/drivers/common/templates/swarm/fragments/write-cluster-failure-service.yaml

@ -11,5 +11,5 @@ write_files:
[Service]
Type=simple
TimeoutStartSec=0
ExecStart=/usr/bin/$WAIT_CURL \
ExecStart=/usr/bin/$WAIT_CURL $VERIFY_CA \
--data-binary '{"status": "FAILURE", "reason": "$SERVICE service failed to start.", "data": "Failure"}'

1
magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml

@ -18,6 +18,7 @@ write_files:
CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL"
TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
NETWORK_DRIVER="$NETWORK_DRIVER"
FLANNEL_NETWORK_CIDR="$FLANNEL_NETWORK_CIDR"
FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"

1
magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml

@ -17,6 +17,7 @@ write_files:
CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL"
TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
NETWORK_DRIVER="$NETWORK_DRIVER"
ETCD_SERVER_IP="$ETCD_SERVER_IP"
API_IP_ADDRESS="$API_IP_ADDRESS"

8
magnum/drivers/common/templates/swarm/fragments/write-swarm-agent-service.sh

@ -4,6 +4,12 @@
myip="$SWARM_NODE_IP"
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
CONF_FILE=/etc/systemd/system/swarm-agent.service
CERT_DIR=/etc/docker
PROTOCOL=https
@ -76,7 +82,7 @@ do
sleep 5
done
${WAIT_CURL} \
${WAIT_CURL} {$VERIFY_CA} \
--data-binary '{"status": "SUCCESS", "reason": "Swarm agent ready", "data": "OK", "id": "${UUID}"}'
EOF

8
magnum/drivers/common/templates/swarm/fragments/write-swarm-master-service.sh

@ -2,6 +2,12 @@
CERT_DIR=/etc/docker
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
cat > /etc/systemd/system/swarm-manager.service << END_SERVICE_TOP
[Unit]
Description=Swarm Manager
@ -46,7 +52,7 @@ cat >> /etc/systemd/system/swarm-manager.service << END_SERVICE_BOTTOM
etcd://$ETCD_SERVER_IP:2379/v2/keys/swarm/
ExecStop=/usr/bin/docker stop swarm-manager
Restart=always
ExecStartPost=/usr/bin/$WAIT_CURL \\
ExecStartPost=/usr/bin/$WAIT_CURL $VERIFY_CA \\
--data-binary '{"status": "SUCCESS", "reason": "Setup complete", "data": "OK", "id": "$UUID"}'
[Install]

1
magnum/drivers/heat/template_def.py

@ -244,6 +244,7 @@ class BaseTemplateDefinition(TemplateDefinition):
extra_params['trustee_user_id'] = cluster.trustee_user_id
extra_params['trustee_username'] = cluster.trustee_username
extra_params['trustee_password'] = cluster.trustee_password
extra_params['verify_ca'] = CONF.drivers.verify_ca
# Only pass trust ID into the template if allowed by the config file
if CONF.trust.cluster_user_trust:

12
magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml

@ -40,6 +40,12 @@ write_files:
exit 0
fi
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
cert_conf_dir=${KUBE_CERTS_PATH}/conf
mkdir -p ${cert_conf_dir}
@ -72,12 +78,12 @@ write_files:
}
EOF
USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
rm -rf auth.json
ca_cert_json=$(curl -k -X GET \
ca_cert_json=$(curl $VERIFY_CA -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID)
@ -114,7 +120,7 @@ write_files:
csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
# Send csr to Magnum to have it signed
client_cert_json=$(curl -k -X POST \
client_cert_json=$(curl $VERIFY_CA -X POST \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \

12
magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml

@ -40,6 +40,12 @@ write_files:
exit 0
fi
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then
KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
fi
@ -103,13 +109,13 @@ write_files:
}
EOF
USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
rm -rf auth.json
# Get CA certificate for this cluster
ca_cert_json=$(curl -k -X GET \
ca_cert_json=$(curl $VERIFY_CA -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID)
@ -141,7 +147,7 @@ write_files:
csr=$(cat $SERVER_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
# Send csr to Magnum to have it signed
server_cert_json=$(curl -k -X POST \
server_cert_json=$(curl $VERIFY_CA -X POST \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \

2
magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml

@ -20,5 +20,5 @@ write_files:
permissions: "0755"
content: |
#!/bin/bash -v
command="$WAIT_CURL --insecure --data-binary '{\"status\": \"SUCCESS\"}'"
command="$WAIT_CURL $VERIFY_CA --data-binary '{\"status\": \"SUCCESS\"}'"
eval $(echo "$command")

1
magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml

@ -25,6 +25,7 @@ write_files:
TENANT_NAME="$TENANT_NAME"
CLUSTER_SUBNET="$CLUSTER_SUBNET"
TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL"
HTTP_PROXY="$HTTP_PROXY"

1
magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml

@ -21,6 +21,7 @@ write_files:
REGISTRY_INSECURE="$REGISTRY_INSECURE"
REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL"
AUTH_URL="$AUTH_URL"

6
magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml

@ -155,6 +155,10 @@ parameters:
description: whether or not to disable kubernetes dashboard
default: True
verify_ca:
type: boolean
description: whether or not to validate certificate authority
loadbalancing_protocol:
type: string
description: >
@ -431,6 +435,7 @@ resources:
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
verify_ca: {get_param: verify_ca}
secgroup_kube_master_id: {get_resource: secgroup_master}
http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy}
@ -489,6 +494,7 @@ resources:
network_driver: {get_param: network_driver}
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
secgroup_kube_minion_id: {get_resource: secgroup_minion_all_open}
http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy}

5
magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml

@ -115,6 +115,10 @@ parameters:
type: boolean
description: whether or not to disable kubernetes dashboard
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -280,6 +284,7 @@ resources:
"$NETWORK_DRIVER": {get_param: network_driver}
"$KUBE_API_PORT": {get_param: kubernetes_port}
"$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
"$KUBE_VERSION": {get_param: kube_version}
"$KUBE_DASHBOARD_VERSION": {get_param: kube_dashboard_version}

5
magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml

@ -42,6 +42,10 @@ parameters:
type: boolean
description: whether or not to enable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -185,6 +189,7 @@ resources:
"$WAIT_CURL": {get_attr: [minion_wait_handle, curl_cli]}
"$KUBE_API_PORT": {get_param: kubernetes_port}
"$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$NETWORK_DRIVER": {get_param: network_driver}
"$ETCD_SERVER_IP": {get_param: etcd_server_ip}
"$KUBE_VERSION": {get_param: kube_version}

6
magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml

@ -252,6 +252,10 @@ parameters:
description: whether or not to enable kubernetes dashboard
default: True
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -512,6 +516,7 @@ resources:
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
verify_ca: {get_param: verify_ca}
secgroup_kube_master_id: {get_resource: secgroup_kube_master}
http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy}
@ -580,6 +585,7 @@ resources:
password: {get_param: password}
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
secgroup_kube_minion_id: {get_resource: secgroup_kube_minion}
http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy}

5
magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml

@ -114,6 +114,10 @@ parameters:
type: boolean
description: whether or not to disable kubernetes dashboard
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -324,6 +328,7 @@ resources:
"$CLUSTER_SUBNET": {get_param: fixed_subnet}
"$TLS_DISABLED": {get_param: tls_disabled}
"$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
"$VERIFY_CA": {get_param: verify_ca}
"$CLUSTER_UUID": {get_param: cluster_uuid}
"$MAGNUM_URL": {get_param: magnum_url}
"$VOLUME_DRIVER": {get_param: volume_driver}

5
magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml

@ -57,6 +57,10 @@ parameters:
type: boolean
description: whether or not to enable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -269,6 +273,7 @@ resources:
$REGISTRY_INSECURE: {get_param: registry_insecure}
$REGISTRY_CHUNKSIZE: {get_param: registry_chunksize}
$TLS_DISABLED: {get_param: tls_disabled}
$VERIFY_CA: {get_param: verify_ca}
$CLUSTER_UUID: {get_param: cluster_uuid}
$MAGNUM_URL: {get_param: magnum_url}
$USERNAME: {get_param: username}

6
magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml

@ -250,6 +250,10 @@ parameters:
description: whether or not to disable kubernetes dashboard
default: True
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -484,6 +488,7 @@ resources:
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
verify_ca: {get_param: verify_ca}
secgroup_base_id: {get_resource: secgroup_base}
secgroup_kube_master_id: {get_resource: secgroup_kube_master}
http_proxy: {get_param: http_proxy}
@ -574,6 +579,7 @@ resources:
password: {get_param: password}
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy}
no_proxy: {get_param: no_proxy}

5
magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml

@ -99,6 +99,10 @@ parameters:
type: boolean
description: whether or not to disable kubernetes dashboard
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -289,6 +293,7 @@ resources:
"$CLUSTER_SUBNET": {get_param: fixed_subnet}
"$TLS_DISABLED": {get_param: tls_disabled}
"$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
"$VERIFY_CA": {get_param: verify_ca}
"$CLUSTER_UUID": {get_param: cluster_uuid}
"$MAGNUM_URL": {get_param: magnum_url}
"$HTTP_PROXY": {get_param: http_proxy}

5
magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml

@ -29,6 +29,10 @@ parameters:
type: boolean
description: whether or not to enable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -203,6 +207,7 @@ resources:
$REGISTRY_INSECURE: {get_param: registry_insecure}
$REGISTRY_CHUNKSIZE: {get_param: registry_chunksize}
$TLS_DISABLED: {get_param: tls_disabled}
$VERIFY_CA: {get_param: verify_ca}
$CLUSTER_UUID: {get_param: cluster_uuid}
$MAGNUM_URL: {get_param: magnum_url}
$USERNAME: {get_param: username}

7
magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml

@ -64,6 +64,10 @@ parameters:
enables any host to take control of a volume irrespective of whether
other hosts are using the volume
verify_ca:
type: boolean
description: whether or not to validate certificate authority
mesos_slave_isolation:
type: string
description: >
@ -154,9 +158,10 @@ resources:
str_replace:
template: |
#!/bin/bash -v
wc_notify --data-binary '{"status": "SUCCESS"}'
wc_notify $VERIFY_CA --data-binary '{"status": "SUCCESS"}'
params:
wc_notify: {get_param: mesos_slave_wc_curl_cli}
"$VERIFY_CA": {get_param: verify_ca}
add_proxy:
type: OS::Heat::SoftwareConfig

5
magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml

@ -207,6 +207,10 @@ parameters:
be empty when doing a create.
default: []
verify_ca:
type: boolean
description: whether or not to validate certificate authority
resources:
######################################################################
@ -458,6 +462,7 @@ resources:
mesos_slave_image_providers: {get_param: mesos_slave_image_providers}
mesos_slave_executor_env_variables: {get_param: mesos_slave_executor_env_variables}
mesos_slave_wc_curl_cli: {get_attr: [slave_wait_handle, curl_cli]}
verify_ca: {get_param: verify_ca}
outputs:

6
magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml

@ -100,6 +100,10 @@ parameters:
description: whether or not to enable TLS
default: False
verify_ca:
type: boolean
description: whether or not to validate certificate authority
network_driver:
type: string
description: network driver to use for instantiating container networks
@ -374,6 +378,7 @@ resources:
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}
tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
secgroup_swarm_master_id: {get_resource: secgroup_swarm_manager}
network_driver: {get_param: network_driver}
flannel_network_cidr: {get_param: flannel_network_cidr}
@ -422,6 +427,7 @@ resources:
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}
tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
secgroup_swarm_node_id: {get_resource: secgroup_swarm_node}
flannel_network_cidr: {get_param: flannel_network_cidr}
network_driver: {get_param: network_driver}

7
magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml

@ -90,6 +90,10 @@ parameters:
type: boolean
description: whether or not to enable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
network_driver:
type: string
description: network driver to use for instantiating container networks
@ -243,6 +247,7 @@ resources:
"$CLUSTER_UUID": {get_param: cluster_uuid}
"$MAGNUM_URL": {get_param: magnum_url}
"$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$NETWORK_DRIVER": {get_param: network_driver}
"$FLANNEL_NETWORK_CIDR": {get_param: flannel_network_cidr}
"$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
@ -319,6 +324,7 @@ resources:
params:
"$SERVICE": swarm-manager
"$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}
"$VERIFY_CA": {get_param: verify_ca}
write_docker_socket:
type: "OS::Heat::SoftwareConfig"
@ -341,6 +347,7 @@ resources:
"$HTTPS_PROXY": {get_param: https_proxy}
"$NO_PROXY": {get_attr: [no_proxy_extended, value]}
"$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$SWARM_VERSION": {get_param: swarm_version}
"$SWARM_STRATEGY": {get_param: swarm_strategy}

6
magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml

@ -93,6 +93,10 @@ parameters:
type: boolean
description: whether or not to disable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
swarm_version:
type: string
description: version of swarm used for swarm cluster
@ -220,6 +224,7 @@ resources:
"$CLUSTER_UUID": {get_param: cluster_uuid}
"$MAGNUM_URL": {get_param: magnum_url}
"$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$NETWORK_DRIVER": {get_param: network_driver}
"$ETCD_SERVER_IP": {get_param: etcd_server_ip}
"$API_IP_ADDRESS": {get_param: api_ip_address}
@ -295,6 +300,7 @@ resources:
params:
"$SERVICE": swarm-agent
"$WAIT_CURL": {get_attr: [node_wait_handle, curl_cli]}
"$VERIFY_CA": {get_param: verify_ca}
write_swarm_agent_service:
type: "OS::Heat::SoftwareConfig"

1
magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-heat-params-master.yaml

@ -26,3 +26,4 @@ write_files:
AUTH_URL="$AUTH_URL"
VOLUME_DRIVER="$VOLUME_DRIVER"
REXRAY_PREEMPT="$REXRAY_PREEMPT"
VERIFY_CA="$VERIFY_CA"

14
magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh

@ -4,6 +4,12 @@
set -x
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
if [ "${IS_PRIMARY_MASTER}" = "True" ]; then
cat > /usr/local/bin/magnum-start-swarm-manager << START_SWARM_BIN
#!/bin/bash -xe
@ -16,7 +22,7 @@ else
status="FAILURE"
msg="Failed to init swarm."
fi
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'"
START_SWARM_BIN
else
if [ "${TLS_DISABLED}" = 'False' ]; then
@ -37,7 +43,7 @@ do
done
if [[ -z \$token ]] ; then
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
fi
i=0
@ -48,9 +54,9 @@ do
sleep 5
done
if [[ \$i -ge 5 ]] ; then
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'"
else
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'"
fi
START_SWARM_BIN
fi

12
magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh

@ -4,6 +4,12 @@
set -x
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
if [ "${TLS_DISABLED}" = 'False' ]; then
tls="--tlsverify"
tls=$tls" --tlscacert=/etc/docker/ca.crt"
@ -22,7 +28,7 @@ do
done
if [[ -z \$token ]] ; then
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
fi
i=0
@ -33,9 +39,9 @@ do
sleep 5
done
if [[ \$i -ge 5 ]] ; then
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'"
else
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'"
fi
START_SWARM_BIN

6
magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml

@ -179,6 +179,9 @@ parameters:
other hosts are using the volume
default: "false"
verify_ca:
type: boolean
description: whether or not to validate certificate authority
resources:
@ -301,6 +304,7 @@ resources:
auth_url: {get_param: auth_url}
volume_driver: {get_param: volume_driver}
rexray_preempt: {get_param: rexray_preempt}
verify_ca: {get_param: verify_ca}
swarm_secondary_masters:
type: "OS::Heat::ResourceGroup"
@ -342,6 +346,7 @@ resources:
auth_url: {get_param: auth_url}
volume_driver: {get_param: volume_driver}
rexray_preempt: {get_param: rexray_preempt}
verify_ca: {get_param: verify_ca}
swarm_nodes:
type: "OS::Heat::ResourceGroup"
@ -383,6 +388,7 @@ resources:
auth_url: {get_param: auth_url}
volume_driver: {get_param: volume_driver}
rexray_preempt: {get_param: rexray_preempt}
verify_ca: {get_param: verify_ca}
outputs:

5
magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml

@ -135,6 +135,10 @@ parameters:
description: whether this master is primary or not
default: False
verify_ca:
type: boolean
description: whether or not to validate certificate authority
resources:
master_wait_handle:
@ -195,6 +199,7 @@ resources:
"$AUTH_URL": {get_param: auth_url}
"$VOLUME_DRIVER": {get_param: volume_driver}
"$REXRAY_PREEMPT": {get_param: rexray_preempt}
"$VERIFY_CA": {get_param: verify_ca}
remove_docker_key:
type: "OS::Heat::SoftwareConfig"

5
magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml

@ -127,6 +127,10 @@ parameters:
other hosts are using the volume
default: "false"
verify_ca:
type: boolean
description: whether or not to validate certificate authority
resources:
node_wait_handle:
@ -172,6 +176,7 @@ resources:
"$AUTH_URL": {get_param: auth_url}
"$VOLUME_DRIVER": {get_param: volume_driver}
"$REXRAY_PREEMPT": {get_param: rexray_preempt}
"$VERIFY_CA": {get_param: verify_ca}
remove_docker_key:
type: "OS::Heat::SoftwareConfig"

8
magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py

@ -225,6 +225,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'auth_url': 'http://192.168.10.10:5000/v3',
'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version',
'verify_ca': True,
}
if missing_attr is not None:
expected.pop(mapping[missing_attr], None)
@ -319,6 +320,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'volume_driver': 'volume_driver',
'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version',
'verify_ca': True,
}
self.assertEqual(expected, definition)
@ -398,7 +400,8 @@ class TestClusterConductorWithK8s(base.TestCase):
'trustee_password': 'fake_trustee_password',
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
'trustee_username': 'fake_trustee',
'username': 'fake_user'
'username': 'fake_user',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -475,6 +478,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'magnum_url': self.mock_osc.magnum_url.return_value,
'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -546,6 +550,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'magnum_url': self.mock_osc.magnum_url.return_value,
'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -731,6 +736,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'auth_url': 'http://192.168.10.10:5000/v3',
'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(

10
magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py

@ -137,7 +137,8 @@ class TestClusterConductorWithMesos(base.TestCase):
'mesos_slave_executor_env_variables': '{}',
'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
'mesos_slave_work_dir': '/tmp/mesos/slave',
'mesos_slave_image_providers': 'docker'
'mesos_slave_image_providers': 'docker',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -192,6 +193,7 @@ class TestClusterConductorWithMesos(base.TestCase):
'mesos_slave_work_dir': '/tmp/mesos/slave',
'mesos_slave_image_providers': 'docker',
'master_flavor': 'master_flavor_id',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -248,7 +250,8 @@ class TestClusterConductorWithMesos(base.TestCase):
'mesos_slave_executor_env_variables': '{}',
'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
'mesos_slave_work_dir': '/tmp/mesos/slave',
'mesos_slave_image_providers': 'docker'
'mesos_slave_image_providers': 'docker',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -306,7 +309,8 @@ class TestClusterConductorWithMesos(base.TestCase):
'mesos_slave_executor_env_variables': '{}',
'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
'mesos_slave_work_dir': '/tmp/mesos/slave',
'mesos_slave_image_providers': 'docker'
'mesos_slave_image_providers': 'docker',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(

13
magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py

@ -160,7 +160,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
'swarm_strategy': u'spread',
'volume_driver': 'rexray',
'rexray_preempt': 'False',
'docker_volume_type': 'lvmdriver-1'
'docker_volume_type': 'lvmdriver-1',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -236,7 +237,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
'swarm_strategy': u'spread',
'volume_driver': 'rexray',
'rexray_preempt': 'False',
'docker_volume_type': 'lvmdriver-1'
'docker_volume_type': 'lvmdriver-1',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -306,6 +308,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
'docker_volume_type': 'lvmdriver-1',
'docker_volume_size': 20,
'master_flavor': 'master_flavor_id',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -375,7 +378,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
'swarm_strategy': u'spread',
'volume_driver': 'rexray',
'rexray_preempt': 'False',
'docker_volume_type': 'lvmdriver-1'
'docker_volume_type': 'lvmdriver-1',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -446,7 +450,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
'swarm_strategy': u'spread',
'volume_driver': 'rexray',
'rexray_preempt': 'False',
'docker_volume_type': 'lvmdriver-1'
'docker_volume_type': 'lvmdriver-1',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(

12
releasenotes/notes/bug-1663757-198e1aa8fa810984.yaml

@ -0,0 +1,12 @@
---
fixes:
- |
[`bug 1663757 <https://bugs.launchpad.net/magnum/+bug/1663757>`_]
A configuration parameter, verify_ca, was added to magnum.conf
with a default value of True and passed to the heat templates to indicate
whether the cluster nodes validate the Certificate Authority when making
requests to the OpenStack APIs (Keystone, Magnum, Heat). This parameter
can be set to False to disable CA validation if you have self-signed
certificates for the OpenStack APIs or you have your own Certificate
Authority and you have not installed the Certificate Authority to all
nodes.
Loading…
Cancel
Save