Add verify_ca configuration parameter

Added configuration parameter, verify_ca, to magnum.conf with default value of True. This parameter is passed to the heat templates to indicate whether the cluster nodes validate the Certificate Authority when making requests to the OpenStack APIs (Keystone, Magnum, Heat). This configuration parameter can be set to False to disable CA validation. Co-Authored-By: Vijendar Komalla <vijendar.komalla@rackspace.com> Change-Id: Iab02cb1338b811dac0c147378dbd0e63c83f0413 Partial-Bug: #1663757
6 years ago · b07b6f34d5
parent 8e8fbe9214
commit b07b6f34d5
45 changed files with 275 additions and 44 deletions
--- a/doc/source/admin/troubleshooting-guide.rst
+++ b/doc/source/admin/troubleshooting-guide.rst
@ -178,7 +178,11 @@ specified). If it fails, that means the credential you provided is invalid.

 TLS
 ---
-*To be filled in*
+The cluster nodes will validate the Certificate Authority by default
+when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
+If you need to disable CA validation, the configuration parameter
+verify_ca can be set to False.  More information on `CA Validation
+<https://bugs.launchpad.net/magnum/+bug/1663757>`_.


 Barbican service
--- a/magnum/conf/init.py
+++ b/magnum/conf/init.py
@ -26,6 +26,7 @@ from magnum.conf import conductor
 from magnum.conf import database
 from magnum.conf import docker
 from magnum.conf import docker_registry
+from magnum.conf import drivers
 from magnum.conf import glance
 from magnum.conf import heat
 from magnum.conf import keystone
@ -54,6 +55,7 @@ conductor.register_opts(CONF)
 database.register_opts(CONF)
 docker.register_opts(CONF)
 docker_registry.register_opts(CONF)
+drivers.register_opts(CONF)
 glance.register_opts(CONF)
 heat.register_opts(CONF)
 keystone.register_opts(CONF)
--- a/magnum/conf/drivers.py
+++ b/magnum/conf/drivers.py
@ -0,0 +1,40 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from oslo_config import cfg
+
+drivers_group = cfg.OptGroup(name='drivers',
+                             title='Options for the Drivers')
+
+drivers_opts = [
+    cfg.BoolOpt('verify_ca',
+                default=True,
+                help='Indicates whether the cluster nodes validate the '
+                     'Certificate Authority when making requests to the '
+                     'OpenStack APIs (Keystone, Magnum, Heat). If you have '
+                     'self-signed certificates for the OpenStack APIs or '
+                     'you have your own Certificate Authority and you '
+                     'have not installed the Certificate Authority to all '
+                     'nodes, you may need to disable CA validation by '
+                     'setting this flag to False.')
+]
+
+
+def register_opts(conf):
+    conf.register_group(drivers_group)
+    conf.register_opts(drivers_opts, group=drivers_group)
+
+
+def list_opts():
+    return {
+        drivers_group: drivers_opts,
+    }
--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then
    exit 0
 fi

+if [ "$VERIFY_CA" == "True" ]; then
+    VERIFY_CA=""
+else
+    VERIFY_CA="-k"
+fi
+
 cert_dir=/etc/kubernetes/certs

 mkdir -p "$cert_dir"
@ -55,11 +61,11 @@ EOF

 content_type='Content-Type: application/json'
 url="$AUTH_URL/auth/tokens"
-USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \
+USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \
    | grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'`

 # Get CA certificate for this cluster
-curl -k -X GET \
+curl $VERIFY_CA -X GET \
    -H "X-Auth-Token: $USER_TOKEN" \
    -H "OpenStack-API-Version: container-infra latest" \
    $MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > $CA_CERT
@ -93,7 +99,7 @@ openssl req -new -days 1000 \

 # Send csr to Magnum to have it signed
 csr_req=$(python -c "import json; fp = open('${CLIENT_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")
-curl -k -X POST \
+curl  $VERIFY_CA -X POST \
    -H "X-Auth-Token: $USER_TOKEN" \
    -H "OpenStack-API-Version: container-infra latest" \
    -H "Content-Type: application/json" \
--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then
    exit 0
 fi

+if [ "$VERIFY_CA" == "True" ]; then
+    VERIFY_CA=""
+else
+    VERIFY_CA="-k"
+fi
+
 if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then
    KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
 fi
@ -87,11 +93,11 @@ EOF

 content_type='Content-Type: application/json'
 url="$AUTH_URL/auth/tokens"
-USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \
+USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \
    | grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'`

 # Get CA certificate for this cluster
-curl -k -X GET \
+curl $VERIFY_CA -X GET \
    -H "X-Auth-Token: $USER_TOKEN" \
    -H "OpenStack-API-Version: container-infra latest" \
    $MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${CA_CERT}
@ -120,7 +126,7 @@ openssl req -new -days 1000 \

 # Send csr to Magnum to have it signed
 csr_req=$(python -c "import json; fp = open('${SERVER_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")
-curl -k -X POST \
+curl $VERIFY_CA -X POST \
    -H "X-Auth-Token: $USER_TOKEN" \
    -H "OpenStack-API-Version: container-infra latest" \
    -H "Content-Type: application/json" \
--- a/magnum/drivers/common/templates/kubernetes/fragments/wc-notify-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/wc-notify-master.sh
@ -11,7 +11,7 @@ until curl -sf "http://127.0.0.1:8080/healthz"; do
    echo "Waiting for Kubernetes API..."
    sleep 5
 done
-$WAIT_CURL --data-binary '{"status": "SUCCESS"}'
+$WAIT_CURL $VERIFY_CA --data-binary '{"status": "SUCCESS"}'
 EOF

 cat > $WC_NOTIFY_SERVICE <<EOF
--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
@ -30,6 +30,7 @@ write_files:
      CLUSTER_SUBNET="$CLUSTER_SUBNET"
      TLS_DISABLED="$TLS_DISABLED"
      KUBE_DASHBOARD_ENABLED="$KUBE_DASHBOARD_ENABLED"
+      VERIFY_CA="$VERIFY_CA"
      CLUSTER_UUID="$CLUSTER_UUID"
      MAGNUM_URL="$MAGNUM_URL"
      VOLUME_DRIVER="$VOLUME_DRIVER"
--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml
@ -24,6 +24,7 @@ write_files:
      REGISTRY_INSECURE="$REGISTRY_INSECURE"
      REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
      TLS_DISABLED="$TLS_DISABLED"
+      VERIFY_CA="$VERIFY_CA"
      CLUSTER_UUID="$CLUSTER_UUID"
      MAGNUM_URL="$MAGNUM_URL"
      AUTH_URL="$AUTH_URL"
--- a/magnum/drivers/common/templates/swarm/fragments/cfn-signal.sh
+++ b/magnum/drivers/common/templates/swarm/fragments/cfn-signal.sh
@ -4,6 +4,12 @@

 echo "notifying heat"

+if [ "$VERIFY_CA" == "True" ]; then
+    VERIFY_CA=""
+else
+    VERIFY_CA="-k"
+fi
+
 STATUS="SUCCESS"
 REASON="Setup complete"
 DATA="OK"
@ -11,4 +17,4 @@ UUID=`uuidgen`

 data=$(echo '{"status": "'${STATUS}'", "reason": "'$REASON'", "data": "'${DATA}'", "id": "'$UUID'"}')

-sh -c "${WAIT_CURL} --data-binary '${data}'"
+sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '${data}'"
--- a/magnum/drivers/common/templates/swarm/fragments/make-cert.py
+++ b/magnum/drivers/common/templates/swarm/fragments/make-cert.py
@ -81,13 +81,14 @@ def _build_subject_alt_names(config):
    return ','.join(subject_alt_names)


-def write_ca_cert(config):
+def write_ca_cert(config, verify_ca):
    cluster_cert_url = '%s/certificates/%s' % (config['MAGNUM_URL'],
                                               config['CLUSTER_UUID'])
    headers = {'X-Auth-Token': config['USER_TOKEN'],
               'OpenStack-API-Version': 'container-infra latest'}
    ca_cert_resp = requests.get(cluster_cert_url,
-                                headers=headers)
+                                headers=headers,
+                                verify=verify_ca)

    with open(CA_CERT_PATH, 'w') as fp:
        fp.write(ca_cert_resp.json()['pem'])
@ -121,7 +122,7 @@ def create_server_csr(config):
        return {'cluster_uuid': config['CLUSTER_UUID'], 'csr': fp.read()}


-def write_server_cert(config, csr_req):
+def write_server_cert(config, csr_req, verify_ca):
    cert_url = '%s/certificates' % config['MAGNUM_URL']
    headers = {
        'Content-Type': 'application/json',
@ -130,13 +131,14 @@ def write_server_cert(config, csr_req):
    }
    csr_resp = requests.post(cert_url,
                             data=json.dumps(csr_req),
-                             headers=headers)
+                             headers=headers,
+                             verify=verify_ca)

    with open(SERVER_CERT_PATH, 'w') as fp:
        fp.write(csr_resp.json()['pem'])


-def get_user_token(config):
+def get_user_token(config, verify_ca):
    creds_str = '''
 {
    "auth": {
@ -161,7 +163,7 @@ def get_user_token(config):
    creds = creds_str % params
    headers = {'Content-Type': 'application/json'}
    url = config['AUTH_URL'] + '/auth/tokens'
-    r = requests.post(url, headers=headers, data=creds)
+    r = requests.post(url, headers=headers, data=creds, verify=verify_ca)
    config['USER_TOKEN'] = r.headers['X-Subject-Token']
    return config

@ -169,12 +171,13 @@ def get_user_token(config):
 def main():
    config = load_config()
    if config['TLS_DISABLED'] == 'False':
+        verify_ca = True if config['VERIFY_CA'] == 'True' else False
        create_dirs()
-        config = get_user_token(config)
-        write_ca_cert(config)
+        config = get_user_token(config, verify_ca)
+        write_ca_cert(config, verify_ca)
        write_server_key()
        csr_req = create_server_csr(config)
-        write_server_cert(config, csr_req)
+        write_server_cert(config, csr_req, verify_ca)


 if __name__ == '__main__':
--- a/magnum/drivers/common/templates/swarm/fragments/write-cluster-failure-service.yaml
+++ b/magnum/drivers/common/templates/swarm/fragments/write-cluster-failure-service.yaml
@ -11,5 +11,5 @@ write_files:
      [Service]
      Type=simple
      TimeoutStartSec=0
-      ExecStart=/usr/bin/$WAIT_CURL \
+      ExecStart=/usr/bin/$WAIT_CURL $VERIFY_CA \
        --data-binary '{"status": "FAILURE", "reason": "$SERVICE service failed to start.", "data": "Failure"}'
--- a/magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml
@ -18,6 +18,7 @@ write_files:
      CLUSTER_UUID="$CLUSTER_UUID"
      MAGNUM_URL="$MAGNUM_URL"
      TLS_DISABLED="$TLS_DISABLED"
+      VERIFY_CA="$VERIFY_CA"
      NETWORK_DRIVER="$NETWORK_DRIVER"
      FLANNEL_NETWORK_CIDR="$FLANNEL_NETWORK_CIDR"
      FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
--- a/magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml
+++ b/magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml
@ -17,6 +17,7 @@ write_files:
      CLUSTER_UUID="$CLUSTER_UUID"
      MAGNUM_URL="$MAGNUM_URL"
      TLS_DISABLED="$TLS_DISABLED"
+      VERIFY_CA="$VERIFY_CA"
      NETWORK_DRIVER="$NETWORK_DRIVER"
      ETCD_SERVER_IP="$ETCD_SERVER_IP"
      API_IP_ADDRESS="$API_IP_ADDRESS"
--- a/magnum/drivers/common/templates/swarm/fragments/write-swarm-agent-service.sh
+++ b/magnum/drivers/common/templates/swarm/fragments/write-swarm-agent-service.sh
@ -4,6 +4,12 @@

 myip="$SWARM_NODE_IP"

+if [ "$VERIFY_CA" == "True" ]; then
+    VERIFY_CA=""
+else
+    VERIFY_CA="-k"
+fi
+
 CONF_FILE=/etc/systemd/system/swarm-agent.service
 CERT_DIR=/etc/docker
 PROTOCOL=https
@ -76,7 +82,7 @@ do
    sleep 5
 done

-${WAIT_CURL} \
+${WAIT_CURL} {$VERIFY_CA} \
    --data-binary '{"status": "SUCCESS", "reason": "Swarm agent ready", "data": "OK", "id": "${UUID}"}'
 EOF

--- a/magnum/drivers/common/templates/swarm/fragments/write-swarm-master-service.sh
+++ b/magnum/drivers/common/templates/swarm/fragments/write-swarm-master-service.sh
@ -2,6 +2,12 @@

 CERT_DIR=/etc/docker

+if [ "$VERIFY_CA" == "True" ]; then
+    VERIFY_CA=""
+else
+    VERIFY_CA="-k"
+fi
+
 cat > /etc/systemd/system/swarm-manager.service << END_SERVICE_TOP
 [Unit]
 Description=Swarm Manager
@ -46,7 +52,7 @@ cat >> /etc/systemd/system/swarm-manager.service << END_SERVICE_BOTTOM
                                  etcd://$ETCD_SERVER_IP:2379/v2/keys/swarm/
 ExecStop=/usr/bin/docker stop swarm-manager
 Restart=always
-ExecStartPost=/usr/bin/$WAIT_CURL \\
+ExecStartPost=/usr/bin/$WAIT_CURL $VERIFY_CA \\
    --data-binary '{"status": "SUCCESS", "reason": "Setup complete", "data": "OK", "id": "$UUID"}'

 [Install]
--- a/magnum/drivers/heat/template_def.py
+++ b/magnum/drivers/heat/template_def.py
@ -244,6 +244,7 @@ class BaseTemplateDefinition(TemplateDefinition):
        extra_params['trustee_user_id'] = cluster.trustee_user_id
        extra_params['trustee_username'] = cluster.trustee_username
        extra_params['trustee_password'] = cluster.trustee_password
+        extra_params['verify_ca'] = CONF.drivers.verify_ca

        # Only pass trust ID into the template if allowed by the config file
        if CONF.trust.cluster_user_trust:
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
@ -40,6 +40,12 @@ write_files:
        exit 0
      fi

+      if [ "$VERIFY_CA" == "True" ]; then
+          VERIFY_CA=""
+      else
+          VERIFY_CA="-k"
+      fi
+
      cert_conf_dir=${KUBE_CERTS_PATH}/conf

      mkdir -p ${cert_conf_dir}
@ -72,12 +78,12 @@ write_files:
      }
      EOF

-      USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
+      USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
                       $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`

      rm -rf auth.json

-      ca_cert_json=$(curl -k -X GET \
+      ca_cert_json=$(curl $VERIFY_CA -X GET \
        -H "X-Auth-Token: $USER_TOKEN" \
        -H "OpenStack-API-Version: container-infra latest" \
        $MAGNUM_URL/certificates/$CLUSTER_UUID)
@ -114,7 +120,7 @@ write_files:
      csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
      csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
      # Send csr to Magnum to have it signed
-      client_cert_json=$(curl -k -X POST \
+      client_cert_json=$(curl $VERIFY_CA -X POST \
          -H "X-Auth-Token: $USER_TOKEN" \
          -H "OpenStack-API-Version: container-infra latest" \
          -H "Content-Type: application/json" \
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
@ -40,6 +40,12 @@ write_files:
        exit 0
      fi

+      if [ "$VERIFY_CA" == "True" ]; then
+          VERIFY_CA=""
+      else
+          VERIFY_CA="-k"
+      fi
+
      if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then
        KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
      fi
@ -103,13 +109,13 @@ write_files:
      }
      EOF

-      USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
+      USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
                       $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`

      rm -rf auth.json

      # Get CA certificate for this cluster
-      ca_cert_json=$(curl -k -X GET \
+      ca_cert_json=$(curl $VERIFY_CA -X GET \
        -H "X-Auth-Token: $USER_TOKEN" \
        -H "OpenStack-API-Version: container-infra latest" \
        $MAGNUM_URL/certificates/$CLUSTER_UUID)
@ -141,7 +147,7 @@ write_files:
      csr=$(cat $SERVER_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
      csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
      # Send csr to Magnum to have it signed
-      server_cert_json=$(curl -k -X POST \
+      server_cert_json=$(curl $VERIFY_CA -X POST \
          -H "X-Auth-Token: $USER_TOKEN" \
          -H "OpenStack-API-Version: container-infra latest" \
          -H "Content-Type: application/json" \
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml
@ -20,5 +20,5 @@ write_files:
    permissions: "0755"
    content: |
      #!/bin/bash -v
-      command="$WAIT_CURL --insecure --data-binary '{\"status\": \"SUCCESS\"}'"
+      command="$WAIT_CURL $VERIFY_CA --data-binary '{\"status\": \"SUCCESS\"}'"
      eval $(echo "$command")
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml
@ -25,6 +25,7 @@ write_files:
      TENANT_NAME="$TENANT_NAME"
      CLUSTER_SUBNET="$CLUSTER_SUBNET"
      TLS_DISABLED="$TLS_DISABLED"
+      VERIFY_CA="$VERIFY_CA"
      CLUSTER_UUID="$CLUSTER_UUID"
      MAGNUM_URL="$MAGNUM_URL"
      HTTP_PROXY="$HTTP_PROXY"
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml
@ -21,6 +21,7 @@ write_files:
      REGISTRY_INSECURE="$REGISTRY_INSECURE"
      REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
      TLS_DISABLED="$TLS_DISABLED"
+      VERIFY_CA="$VERIFY_CA"
      CLUSTER_UUID="$CLUSTER_UUID"
      MAGNUM_URL="$MAGNUM_URL"
      AUTH_URL="$AUTH_URL"
--- a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
@ -155,6 +155,10 @@ parameters:
    description: whether or not to disable kubernetes dashboard
    default: True

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
  loadbalancing_protocol:
    type: string
    description: >
@ -431,6 +435,7 @@ resources:
          kubernetes_port: {get_param: kubernetes_port}
          tls_disabled: {get_param: tls_disabled}
          kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
+          verify_ca: {get_param: verify_ca}
          secgroup_kube_master_id: {get_resource: secgroup_master}
          http_proxy: {get_param: http_proxy}
          https_proxy: {get_param: https_proxy}
@ -489,6 +494,7 @@ resources:
          network_driver: {get_param: network_driver}
          kubernetes_port: {get_param: kubernetes_port}
          tls_disabled: {get_param: tls_disabled}
+          verify_ca: {get_param: verify_ca}
          secgroup_kube_minion_id: {get_resource: secgroup_minion_all_open}
          http_proxy: {get_param: http_proxy}
          https_proxy: {get_param: https_proxy}
--- a/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
@ -115,6 +115,10 @@ parameters:
    type: boolean
    description: whether or not to disable kubernetes dashboard

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
  kubernetes_port:
    type: number
    description: >
@ -280,6 +284,7 @@ resources:
            "$NETWORK_DRIVER": {get_param: network_driver}
            "$KUBE_API_PORT": {get_param: kubernetes_port}
            "$TLS_DISABLED": {get_param: tls_disabled}
+            "$VERIFY_CA": {get_param: verify_ca}
            "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
            "$KUBE_VERSION": {get_param: kube_version}
            "$KUBE_DASHBOARD_VERSION": {get_param: kube_dashboard_version}
--- a/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml
@ -42,6 +42,10 @@ parameters:
    type: boolean
    description: whether or not to enable TLS

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
  kubernetes_port:
    type: number
    description: >
@ -185,6 +189,7 @@ resources:
            "$WAIT_CURL": {get_attr: [minion_wait_handle, curl_cli]}
            "$KUBE_API_PORT": {get_param: kubernetes_port}
            "$TLS_DISABLED": {get_param: tls_disabled}
+            "$VERIFY_CA": {get_param: verify_ca}
            "$NETWORK_DRIVER": {get_param: network_driver}
            "$ETCD_SERVER_IP": {get_param: etcd_server_ip}
            "$KUBE_VERSION": {get_param: kube_version}
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@ -252,6 +252,10 @@ parameters:
    description: whether or not to enable kubernetes dashboard
    default: True

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
  kubernetes_port:
    type: number
    description: >
@ -512,6 +516,7 @@ resources:
          kubernetes_port: {get_param: kubernetes_port}
          tls_disabled: {get_param: tls_disabled}
          kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
+          verify_ca: {get_param: verify_ca}
          secgroup_kube_master_id: {get_resource: secgroup_kube_master}
          http_proxy: {get_param: http_proxy}
          https_proxy: {get_param: https_proxy}
@ -580,6 +585,7 @@ resources:
          password: {get_param: password}
          kubernetes_port: {get_param: kubernetes_port}
          tls_disabled: {get_param: tls_disabled}
+          verify_ca: {get_param: verify_ca}
          secgroup_kube_minion_id: {get_resource: secgroup_kube_minion}
          http_proxy: {get_param: http_proxy}
          https_proxy: {get_param: https_proxy}
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
@ -114,6 +114,10 @@ parameters:
    type: boolean
    description: whether or not to disable kubernetes dashboard

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
  kubernetes_port:
    type: number
    description: >
@ -324,6 +328,7 @@ resources:
            "$CLUSTER_SUBNET": {get_param: fixed_subnet}
            "$TLS_DISABLED": {get_param: tls_disabled}
            "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
+            "$VERIFY_CA": {get_param: verify_ca}
            "$CLUSTER_UUID": {get_param: cluster_uuid}
            "$MAGNUM_URL": {get_param: magnum_url}
            "$VOLUME_DRIVER": {get_param: volume_driver}
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
@ -57,6 +57,10 @@ parameters:
    type: boolean
    description: whether or not to enable TLS

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
  kubernetes_port:
    type: number
    description: >
@ -269,6 +273,7 @@ resources:
            $REGISTRY_INSECURE: {get_param: registry_insecure}
            $REGISTRY_CHUNKSIZE: {get_param: registry_chunksize}
            $TLS_DISABLED: {get_param: tls_disabled}
+            $VERIFY_CA: {get_param: verify_ca}
            $CLUSTER_UUID: {get_param: cluster_uuid}
            $MAGNUM_URL: {get_param: magnum_url}
            $USERNAME: {get_param: username}
--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
@ -250,6 +250,10 @@ parameters:
    description: whether or not to disable kubernetes dashboard
    default: True

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
  kubernetes_port:
    type: number
    description: >
@ -484,6 +488,7 @@ resources:
          kubernetes_port: {get_param: kubernetes_port}
          tls_disabled: {get_param: tls_disabled}
          kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
+          verify_ca: {get_param: verify_ca}
          secgroup_base_id: {get_resource: secgroup_base}
          secgroup_kube_master_id: {get_resource: secgroup_kube_master}
          http_proxy: {get_param: http_proxy}
@ -574,6 +579,7 @@ resources:
      password: {get_param: password}
      kubernetes_port: {get_param: kubernetes_port}
      tls_disabled: {get_param: tls_disabled}
+      verify_ca: {get_param: verify_ca}
      http_proxy: {get_param: http_proxy}
      https_proxy: {get_param: https_proxy}
      no_proxy: {get_param: no_proxy}
--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
@ -99,6 +99,10 @@ parameters:
    type: boolean
    description: whether or not to disable kubernetes dashboard

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
  kubernetes_port:
    type: number
    description: >
@ -289,6 +293,7 @@ resources:
            "$CLUSTER_SUBNET": {get_param: fixed_subnet}
            "$TLS_DISABLED": {get_param: tls_disabled}
            "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
+            "$VERIFY_CA": {get_param: verify_ca}
            "$CLUSTER_UUID": {get_param: cluster_uuid}
            "$MAGNUM_URL": {get_param: magnum_url}
            "$HTTP_PROXY": {get_param: http_proxy}
--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml
@ -29,6 +29,10 @@ parameters:
    type: boolean
    description: whether or not to enable TLS

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
  kubernetes_port:
    type: number
    description: >
@ -203,6 +207,7 @@ resources:
            $REGISTRY_INSECURE: {get_param: registry_insecure}
            $REGISTRY_CHUNKSIZE: {get_param: registry_chunksize}
            $TLS_DISABLED: {get_param: tls_disabled}
+            $VERIFY_CA: {get_param: verify_ca}
            $CLUSTER_UUID: {get_param: cluster_uuid}
            $MAGNUM_URL: {get_param: magnum_url}
            $USERNAME: {get_param: username}
--- a/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml
+++ b/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml
@ -64,6 +64,10 @@ parameters:
      enables any host to take control of a volume irrespective of whether
      other hosts are using the volume

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
  mesos_slave_isolation:
    type: string
    description: >
@ -154,9 +158,10 @@ resources:
        str_replace:
          template: |
            #!/bin/bash -v
-            wc_notify --data-binary '{"status": "SUCCESS"}'
+            wc_notify $VERIFY_CA --data-binary '{"status": "SUCCESS"}'
          params:
            wc_notify: {get_param: mesos_slave_wc_curl_cli}
+            "$VERIFY_CA": {get_param: verify_ca}

  add_proxy:
    type: OS::Heat::SoftwareConfig
--- a/magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml
+++ b/magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml
@ -207,6 +207,10 @@ parameters:
      be empty when doing a create.
    default: []

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
 resources:

  ######################################################################
@ -458,6 +462,7 @@ resources:
      mesos_slave_image_providers: {get_param: mesos_slave_image_providers}
      mesos_slave_executor_env_variables: {get_param: mesos_slave_executor_env_variables}
      mesos_slave_wc_curl_cli: {get_attr: [slave_wait_handle, curl_cli]}
+      verify_ca: {get_param: verify_ca}

 outputs:

--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml
@ -100,6 +100,10 @@ parameters:
    description: whether or not to enable TLS
    default: False

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
  network_driver:
    type: string
    description: network driver to use for instantiating container networks
@ -374,6 +378,7 @@ resources:
          cluster_uuid: {get_param: cluster_uuid}
          magnum_url: {get_param: magnum_url}
          tls_disabled: {get_param: tls_disabled}
+          verify_ca: {get_param: verify_ca}
          secgroup_swarm_master_id: {get_resource: secgroup_swarm_manager}
          network_driver: {get_param: network_driver}
          flannel_network_cidr: {get_param: flannel_network_cidr}
@ -422,6 +427,7 @@ resources:
          cluster_uuid: {get_param: cluster_uuid}
          magnum_url: {get_param: magnum_url}
          tls_disabled: {get_param: tls_disabled}
+          verify_ca: {get_param: verify_ca}
          secgroup_swarm_node_id: {get_resource: secgroup_swarm_node}
          flannel_network_cidr: {get_param: flannel_network_cidr}
          network_driver: {get_param: network_driver}
--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml
@ -90,6 +90,10 @@ parameters:
    type: boolean
    description: whether or not to enable TLS

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
  network_driver:
    type: string
    description: network driver to use for instantiating container networks
@ -243,6 +247,7 @@ resources:
            "$CLUSTER_UUID": {get_param: cluster_uuid}
            "$MAGNUM_URL": {get_param: magnum_url}
            "$TLS_DISABLED": {get_param: tls_disabled}
+            "$VERIFY_CA": {get_param: verify_ca}
            "$NETWORK_DRIVER": {get_param: network_driver}
            "$FLANNEL_NETWORK_CIDR": {get_param: flannel_network_cidr}
            "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
@ -319,6 +324,7 @@ resources:
          params:
            "$SERVICE": swarm-manager
            "$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}
+            "$VERIFY_CA": {get_param: verify_ca}

  write_docker_socket:
    type: "OS::Heat::SoftwareConfig"
@ -341,6 +347,7 @@ resources:
            "$HTTPS_PROXY": {get_param: https_proxy}
            "$NO_PROXY": {get_attr: [no_proxy_extended, value]}
            "$TLS_DISABLED": {get_param: tls_disabled}
+            "$VERIFY_CA": {get_param: verify_ca}
            "$SWARM_VERSION": {get_param: swarm_version}
            "$SWARM_STRATEGY": {get_param: swarm_strategy}

--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml
@ -93,6 +93,10 @@ parameters:
    type: boolean
    description: whether or not to disable TLS

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
  swarm_version:
    type: string
    description: version of swarm used for swarm cluster
@ -220,6 +224,7 @@ resources:
            "$CLUSTER_UUID": {get_param: cluster_uuid}
            "$MAGNUM_URL": {get_param: magnum_url}
            "$TLS_DISABLED": {get_param: tls_disabled}
+            "$VERIFY_CA": {get_param: verify_ca}
            "$NETWORK_DRIVER": {get_param: network_driver}
            "$ETCD_SERVER_IP": {get_param: etcd_server_ip}
            "$API_IP_ADDRESS": {get_param: api_ip_address}
@ -295,6 +300,7 @@ resources:
          params:
            "$SERVICE": swarm-agent
            "$WAIT_CURL": {get_attr: [node_wait_handle, curl_cli]}
+            "$VERIFY_CA": {get_param: verify_ca}

  write_swarm_agent_service:
    type: "OS::Heat::SoftwareConfig"
--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-heat-params-master.yaml
@ -26,3 +26,4 @@ write_files:
      AUTH_URL="$AUTH_URL"
      VOLUME_DRIVER="$VOLUME_DRIVER"
      REXRAY_PREEMPT="$REXRAY_PREEMPT"
+      VERIFY_CA="$VERIFY_CA"
--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh
@ -4,6 +4,12 @@

 set -x

+if [ "$VERIFY_CA" == "True" ]; then
+    VERIFY_CA=""
+else
+    VERIFY_CA="-k"
+fi
+
 if [ "${IS_PRIMARY_MASTER}" = "True" ]; then
    cat > /usr/local/bin/magnum-start-swarm-manager << START_SWARM_BIN
 #!/bin/bash -xe
@ -16,7 +22,7 @@ else
    status="FAILURE"
    msg="Failed to init swarm."
 fi
-sh -c "${WAIT_CURL} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'"
+sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'"
 START_SWARM_BIN
 else
    if [ "${TLS_DISABLED}" = 'False'  ]; then
@ -37,7 +43,7 @@ do
 done

 if [[ -z \$token ]] ; then
-    sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
+    sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
 fi

 i=0
@ -48,9 +54,9 @@ do
    sleep 5
 done
 if [[ \$i -ge 5 ]] ; then
-    sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'"
+    sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'"
 else
-    sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'"
+    sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'"
 fi
 START_SWARM_BIN
 fi
--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh
@ -4,6 +4,12 @@

 set -x

+if [ "$VERIFY_CA" == "True" ]; then
+    VERIFY_CA=""
+else
+    VERIFY_CA="-k"
+fi
+
 if [ "${TLS_DISABLED}" = 'False'  ]; then
    tls="--tlsverify"
    tls=$tls" --tlscacert=/etc/docker/ca.crt"
@ -22,7 +28,7 @@ do
 done

 if [[ -z \$token ]] ; then
-    sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
+    sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
 fi

 i=0
@ -33,9 +39,9 @@ do
    sleep 5
 done
 if [[ \$i -ge 5 ]] ; then
-    sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'"
+    sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'"
 else
-    sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'"
+    sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'"
 fi
 START_SWARM_BIN

--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml
@ -179,6 +179,9 @@ parameters:
      other hosts are using the volume
    default: "false"

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority

 resources:

@ -301,6 +304,7 @@ resources:
          auth_url: {get_param: auth_url}
          volume_driver: {get_param: volume_driver}
          rexray_preempt: {get_param: rexray_preempt}
+          verify_ca: {get_param: verify_ca}

  swarm_secondary_masters:
    type: "OS::Heat::ResourceGroup"
@ -342,6 +346,7 @@ resources:
          auth_url: {get_param: auth_url}
          volume_driver: {get_param: volume_driver}
          rexray_preempt: {get_param: rexray_preempt}
+          verify_ca: {get_param: verify_ca}

  swarm_nodes:
    type: "OS::Heat::ResourceGroup"
@ -383,6 +388,7 @@ resources:
          auth_url: {get_param: auth_url}
          volume_driver: {get_param: volume_driver}
          rexray_preempt: {get_param: rexray_preempt}
+          verify_ca: {get_param: verify_ca}

 outputs:

--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml
@ -135,6 +135,10 @@ parameters:
    description: whether this master is primary or not
    default: False

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
 resources:

  master_wait_handle:
@ -195,6 +199,7 @@ resources:
            "$AUTH_URL": {get_param: auth_url}
            "$VOLUME_DRIVER": {get_param: volume_driver}
            "$REXRAY_PREEMPT": {get_param: rexray_preempt}
+            "$VERIFY_CA": {get_param: verify_ca}

  remove_docker_key:
    type: "OS::Heat::SoftwareConfig"
--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml
@ -127,6 +127,10 @@ parameters:
      other hosts are using the volume
    default: "false"

+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
 resources:

  node_wait_handle:
@ -172,6 +176,7 @@ resources:
            "$AUTH_URL": {get_param: auth_url}
            "$VOLUME_DRIVER": {get_param: volume_driver}
            "$REXRAY_PREEMPT": {get_param: rexray_preempt}
+            "$VERIFY_CA": {get_param: verify_ca}

  remove_docker_key:
    type: "OS::Heat::SoftwareConfig"
--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@ -225,6 +225,7 @@ class TestClusterConductorWithK8s(base.TestCase):
            'auth_url': 'http://192.168.10.10:5000/v3',
            'insecure_registry_url': '10.0.0.1:5000',
            'kube_version': 'fake-version',
+            'verify_ca': True,
        }
        if missing_attr is not None:
            expected.pop(mapping[missing_attr], None)
@ -319,6 +320,7 @@ class TestClusterConductorWithK8s(base.TestCase):
            'volume_driver': 'volume_driver',
            'insecure_registry_url': '10.0.0.1:5000',
            'kube_version': 'fake-version',
+            'verify_ca': True,
        }

        self.assertEqual(expected, definition)
@ -398,7 +400,8 @@ class TestClusterConductorWithK8s(base.TestCase):
            'trustee_password': 'fake_trustee_password',
            'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
            'trustee_username': 'fake_trustee',
-            'username': 'fake_user'
+            'username': 'fake_user',
+            'verify_ca': True,
        }
        self.assertEqual(expected, definition)
        self.assertEqual(
@ -475,6 +478,7 @@ class TestClusterConductorWithK8s(base.TestCase):
            'magnum_url': self.mock_osc.magnum_url.return_value,
            'insecure_registry_url': '10.0.0.1:5000',
            'kube_version': 'fake-version',
+            'verify_ca': True,
        }
        self.assertEqual(expected, definition)
        self.assertEqual(
@ -546,6 +550,7 @@ class TestClusterConductorWithK8s(base.TestCase):
            'magnum_url': self.mock_osc.magnum_url.return_value,
            'insecure_registry_url': '10.0.0.1:5000',
            'kube_version': 'fake-version',
+            'verify_ca': True,
        }
        self.assertEqual(expected, definition)
        self.assertEqual(
@ -731,6 +736,7 @@ class TestClusterConductorWithK8s(base.TestCase):
            'auth_url': 'http://192.168.10.10:5000/v3',
            'insecure_registry_url': '10.0.0.1:5000',
            'kube_version': 'fake-version',
+            'verify_ca': True,
        }
        self.assertEqual(expected, definition)
        self.assertEqual(
--- a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
@ -137,7 +137,8 @@ class TestClusterConductorWithMesos(base.TestCase):
            'mesos_slave_executor_env_variables': '{}',
            'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
            'mesos_slave_work_dir': '/tmp/mesos/slave',
-            'mesos_slave_image_providers': 'docker'
+            'mesos_slave_image_providers': 'docker',
+            'verify_ca': True,
        }
        self.assertEqual(expected, definition)
        self.assertEqual(
@ -192,6 +193,7 @@ class TestClusterConductorWithMesos(base.TestCase):
            'mesos_slave_work_dir': '/tmp/mesos/slave',
            'mesos_slave_image_providers': 'docker',
            'master_flavor': 'master_flavor_id',
+            'verify_ca': True,
        }
        self.assertEqual(expected, definition)
        self.assertEqual(
@ -248,7 +250,8 @@ class TestClusterConductorWithMesos(base.TestCase):
            'mesos_slave_executor_env_variables': '{}',
            'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
            'mesos_slave_work_dir': '/tmp/mesos/slave',
-            'mesos_slave_image_providers': 'docker'
+            'mesos_slave_image_providers': 'docker',
+            'verify_ca': True,
        }
        self.assertEqual(expected, definition)
        self.assertEqual(
@ -306,7 +309,8 @@ class TestClusterConductorWithMesos(base.TestCase):
            'mesos_slave_executor_env_variables': '{}',
            'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
            'mesos_slave_work_dir': '/tmp/mesos/slave',
-            'mesos_slave_image_providers': 'docker'
+            'mesos_slave_image_providers': 'docker',
+            'verify_ca': True,
        }
        self.assertEqual(expected, definition)
        self.assertEqual(
--- a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
@ -160,7 +160,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
            'swarm_strategy': u'spread',
            'volume_driver': 'rexray',
            'rexray_preempt': 'False',
-            'docker_volume_type': 'lvmdriver-1'
+            'docker_volume_type': 'lvmdriver-1',
+            'verify_ca': True,
        }
        self.assertEqual(expected, definition)
        self.assertEqual(
@ -236,7 +237,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
            'swarm_strategy': u'spread',
            'volume_driver': 'rexray',
            'rexray_preempt': 'False',
-            'docker_volume_type': 'lvmdriver-1'
+            'docker_volume_type': 'lvmdriver-1',
+            'verify_ca': True,
        }
        self.assertEqual(expected, definition)
        self.assertEqual(
@ -306,6 +308,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
            'docker_volume_type': 'lvmdriver-1',
            'docker_volume_size': 20,
            'master_flavor': 'master_flavor_id',
+            'verify_ca': True,
        }
        self.assertEqual(expected, definition)
        self.assertEqual(
@ -375,7 +378,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
            'swarm_strategy': u'spread',
            'volume_driver': 'rexray',
            'rexray_preempt': 'False',
-            'docker_volume_type': 'lvmdriver-1'
+            'docker_volume_type': 'lvmdriver-1',
+            'verify_ca': True,
        }
        self.assertEqual(expected, definition)
        self.assertEqual(
@ -446,7 +450,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
            'swarm_strategy': u'spread',
            'volume_driver': 'rexray',
            'rexray_preempt': 'False',
-            'docker_volume_type': 'lvmdriver-1'
+            'docker_volume_type': 'lvmdriver-1',
+            'verify_ca': True,
        }
        self.assertEqual(expected, definition)
        self.assertEqual(
--- a/releasenotes/notes/bug-1663757-198e1aa8fa810984.yaml
+++ b/releasenotes/notes/bug-1663757-198e1aa8fa810984.yaml
@ -0,0 +1,12 @@
+---
+fixes:
+  - |
+    [`bug 1663757 <https://bugs.launchpad.net/magnum/+bug/1663757>`_]
+    A configuration parameter, verify_ca, was added to magnum.conf
+    with a default value of True and passed to the heat templates to indicate
+    whether the cluster nodes validate the Certificate Authority when making
+    requests to the OpenStack APIs (Keystone, Magnum, Heat).  This parameter
+    can be set to False to disable CA validation if you have self-signed
+    certificates for the OpenStack APIs or you have your own Certificate
+    Authority and you have not installed the Certificate Authority to all
+    nodes.