From b07b6f34d5b85b57ff0aafc57cb5a268d34aff13 Mon Sep 17 00:00:00 2001 
From: Kirsten G Date: Wed, 25 Oct 2017 01:27:40 -0700 Subject: [PATCH] Add verify_ca configuration parameter Added configuration parameter, verify_ca, to magnum.conf with default value of True. This parameter is passed to the heat templates to indicate whether the cluster nodes validate the Certificate Authority when making requests to the OpenStack APIs (Keystone, Magnum, Heat). This configuration parameter can be set to False to disable CA validation. Co-Authored-By: Vijendar Komalla Change-Id: Iab02cb1338b811dac0c147378dbd0e63c83f0413 Partial-Bug: #1663757 --- doc/source/admin/troubleshooting-guide.rst | 6 ++- magnum/conf/__init__.py | 2 + magnum/conf/drivers.py | 40 +++++++++++++++++++ .../kubernetes/fragments/make-cert-client.sh | 12 ++++-- .../kubernetes/fragments/make-cert.sh | 12 ++++-- .../kubernetes/fragments/wc-notify-master.sh | 2 +- .../fragments/write-heat-params-master.yaml | 1 + .../fragments/write-heat-params.yaml | 1 + .../templates/swarm/fragments/cfn-signal.sh | 8 +++- .../templates/swarm/fragments/make-cert.py | 21 +++++----- .../write-cluster-failure-service.yaml | 2 +- .../fragments/write-heat-params-master.yaml | 1 + .../fragments/write-heat-params-node.yaml | 1 + .../fragments/write-swarm-agent-service.sh | 8 +++- .../fragments/write-swarm-master-service.sh | 8 +++- magnum/drivers/heat/template_def.py | 1 + .../templates/fragments/make-cert-client.yaml | 12 ++++-- .../templates/fragments/make-cert.yaml | 12 ++++-- .../templates/fragments/wc-notify.yaml | 2 +- .../fragments/write-heat-params-master.yaml | 1 + .../fragments/write-heat-params.yaml | 1 + .../k8s_coreos_v1/templates/kubecluster.yaml | 6 +++ .../k8s_coreos_v1/templates/kubemaster.yaml | 5 +++ .../k8s_coreos_v1/templates/kubeminion.yaml | 5 +++ .../templates/kubecluster.yaml | 6 +++ .../templates/kubemaster.yaml | 5 +++ .../templates/kubeminion.yaml | 5 +++ .../templates/kubecluster.yaml | 6 +++ .../templates/kubemaster.yaml | 5 +++ .../kubeminion_software_configs.yaml | 5 +++ 
.../mesos_slave_software_configs.yaml | 7 +++- .../templates/mesoscluster.yaml | 5 +++ .../templates/cluster.yaml | 6 +++ .../templates/swarmmaster.yaml | 7 ++++ .../templates/swarmnode.yaml | 6 +++ .../fragments/write-heat-params-master.yaml | 1 + .../fragments/write-swarm-master-service.sh | 14 +++++-- .../fragments/write-swarm-worker-service.sh | 12 ++++-- .../templates/swarmcluster.yaml | 6 +++ .../templates/swarmmaster.yaml | 5 +++ .../templates/swarmnode.yaml | 5 +++ .../handlers/test_k8s_cluster_conductor.py | 8 +++- .../handlers/test_mesos_cluster_conductor.py | 10 +++-- .../handlers/test_swarm_cluster_conductor.py | 13 ++++-- .../notes/bug-1663757-198e1aa8fa810984.yaml | 12 ++++++ 45 files changed, 275 insertions(+), 44 deletions(-) create mode 100644 magnum/conf/drivers.py create mode 100644 releasenotes/notes/bug-1663757-198e1aa8fa810984.yaml diff --git a/doc/source/admin/troubleshooting-guide.rst b/doc/source/admin/troubleshooting-guide.rst index 229d70b376..546059203d 100644 --- a/doc/source/admin/troubleshooting-guide.rst +++ b/doc/source/admin/troubleshooting-guide.rst @@ -178,7 +178,11 @@ specified). If it fails, that means the credential you provided is invalid. TLS --- -*To be filled in* +The cluster nodes will validate the Certificate Authority by default +when making requests to the OpenStack APIs (Keystone, Magnum, Heat). +If you need to disable CA validation, the configuration parameter +verify_ca can be set to False. More information on `CA Validation +`_. Barbican service diff --git a/magnum/conf/__init__.py b/magnum/conf/__init__.py index 35b4cb07c3..6f9f4e23cc 100644 --- a/magnum/conf/__init__.py +++ b/magnum/conf/__init__.py @@ -26,6 +26,7 @@ from magnum.conf import conductor from magnum.conf import database from magnum.conf import docker from magnum.conf import docker_registry +from magnum.conf import drivers from magnum.conf import glance from magnum.conf import heat from magnum.conf import keystone 
@@ -54,6 +55,7 @@ conductor.register_opts(CONF) database.register_opts(CONF) docker.register_opts(CONF) docker_registry.register_opts(CONF) +drivers.register_opts(CONF) glance.register_opts(CONF) heat.register_opts(CONF) keystone.register_opts(CONF) diff --git a/magnum/conf/drivers.py b/magnum/conf/drivers.py new file mode 100644 index 0000000000..96eef3fc63 --- /dev/null +++ b/magnum/conf/drivers.py @@ -0,0 +1,40 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from oslo_config import cfg + +drivers_group = cfg.OptGroup(name='drivers', + title='Options for the Drivers') + +drivers_opts = [ + cfg.BoolOpt('verify_ca', + default=True, + help='Indicates whether the cluster nodes validate the ' + 'Certificate Authority when making requests to the ' + 'OpenStack APIs (Keystone, Magnum, Heat). If you have ' + 'self-signed certificates for the OpenStack APIs or ' + 'you have your own Certificate Authority and you ' + 'have not installed the Certificate Authority to all ' + 'nodes, you may need to disable CA validation by ' + 'setting this flag to False.') +] + + +def register_opts(conf): + conf.register_group(drivers_group) + conf.register_opts(drivers_opts, group=drivers_group) + + +def list_opts(): + return { + drivers_group: drivers_opts, + } diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh index 04218018e1..1dcfd38487 100644 
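Review bot: The help text for `verify_ca` in drivers.py tells operators to disable validation when their own CA is not installed on the nodes, but the scripts that consume this flag use the same connection to send the node's Keystone auth request and to fetch the cluster CA, so the safer remediation is to install the CA on the node image and the help should say so. Suggested wording for the final sentence: `'Setting this to False exposes the node auth request and the cluster CA download to an on-path attacker; prefer installing your CA on the cluster node image and use False only in test environments.'` A companion option holding a CA bundle path that the scripts pass to curl as `--cacert` would remove the need for an insecure switch at all, though that is outside this change.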
--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh @@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then exit 0 fi +if [ "$VERIFY_CA" == "True" ]; then + VERIFY_CA="" +else + VERIFY_CA="-k" +fi + cert_dir=/etc/kubernetes/certs mkdir -p "$cert_dir" @@ -55,11 +61,11 @@ EOF content_type='Content-Type: application/json' url="$AUTH_URL/auth/tokens" -USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \ +USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \ | grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'` # Get CA certificate for this cluster -curl -k -X GET \ +curl $VERIFY_CA -X GET \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ $MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > $CA_CERT @@ -93,7 +99,7 @@ openssl req -new -days 1000 \ # Send csr to Magnum to have it signed csr_req=$(python -c "import json; fp = open('${CLIENT_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()") -curl -k -X POST \ +curl $VERIFY_CA -X POST \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ -H "Content-Type: application/json" \ diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh index bbb412a803..aee8c539f4 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh @@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then exit 0 fi +if [ "$VERIFY_CA" == "True" ]; then + VERIFY_CA="" +else + VERIFY_CA="-k" +fi + if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4) fi 
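Review bot: The mapping added at the top of make-cert-client.sh fails open: any value of `$VERIFY_CA` other than the exact string `True` — an unset or empty variable when heat-params does not carry it, or a lower-case `true` — silently becomes `-k`. Invert the test so verification is the default and only an explicit `False` disables it: `if [ "$VERIFY_CA" == "False" ]; then VERIFY_CA="-k"; else VERIFY_CA=""; fi`. The identical block is added to make-cert.sh in the next hunk on this line and should change the same way. Overwriting `VERIFY_CA` with the curl option also discards the boolean; a distinct name such as `curl_ca_opt` keeps the original value readable for any later check in the script.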
@@ -87,11 +93,11 @@ EOF content_type='Content-Type: application/json' url="$AUTH_URL/auth/tokens" -USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \ +USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \ | grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'` # Get CA certificate for this cluster -curl -k -X GET \ +curl $VERIFY_CA -X GET \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ $MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${CA_CERT} @@ -120,7 +126,7 @@ openssl req -new -days 1000 \ # Send csr to Magnum to have it signed csr_req=$(python -c "import json; fp = open('${SERVER_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()") -curl -k -X POST \ +curl $VERIFY_CA -X POST \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ -H "Content-Type: application/json" \ diff --git a/magnum/drivers/common/templates/kubernetes/fragments/wc-notify-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/wc-notify-master.sh index bc663c7eba..f8a86c1314 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/wc-notify-master.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/wc-notify-master.sh @@ -11,7 +11,7 @@ until curl -sf "http://127.0.0.1:8080/healthz"; do echo "Waiting for Kubernetes API..." sleep 5 done -$WAIT_CURL --data-binary '{"status": "SUCCESS"}' +$WAIT_CURL $VERIFY_CA --data-binary '{"status": "SUCCESS"}' EOF cat > $WC_NOTIFY_SERVICE < /etc/systemd/system/swarm-manager.service << END_SERVICE_TOP [Unit] Description=Swarm Manager 
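Review bot: With `-k` in effect, the GET of `$MAGNUM_URL/certificates/$CLUSTER_UUID` in make-cert.sh is unauthenticated, so an on-path attacker can substitute the PEM the node writes to `${CA_CERT}` and from then on treats as the cluster CA; the degraded mode should at least be visible on the node. After the mapping block earlier in this script, add `[ -n "$VERIFY_CA" ] && echo "WARNING: verify_ca=False, TLS of $AUTH_URL and $MAGNUM_URL is not verified" >&2`. The curl calls here also run without `--fail`, so an HTTP error body is piped straight into the JSON parser; that is pre-existing but worth fixing while these lines are touched. The enclosing script continues outside the hunk.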
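Review bot: In wc-notify-master.sh the `$VERIFY_CA` inserted into the heredoc is the raw value recorded by write-heat-params-master.yaml — the Heat boolean rendered as `True`/`False`, which is what the make-cert scripts compare against — not a curl option; unless this file maps it elsewhere (the diffstat records only this one-line change), curl receives `True` or `False` as an extra URL and `-k` is never applied when verify_ca is False. Add the same mapping the make-cert scripts use before the heredoc, `if [ "$VERIFY_CA" == "False" ]; then VERIFY_CA="-k"; else VERIFY_CA=""; fi`, or substitute a ready-made option instead of the boolean. The script that writes this heredoc starts outside the hunk, and the hunk's trailing context is garbled on this page.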
@@ -46,7 +52,7 @@ cat >> /etc/systemd/system/swarm-manager.service << END_SERVICE_BOTTOM etcd://$ETCD_SERVER_IP:2379/v2/keys/swarm/ ExecStop=/usr/bin/docker stop swarm-manager Restart=always -ExecStartPost=/usr/bin/$WAIT_CURL \\ +ExecStartPost=/usr/bin/$WAIT_CURL $VERIFY_CA \\ --data-binary '{"status": "SUCCESS", "reason": "Setup complete", "data": "OK", "id": "$UUID"}' [Install] diff --git a/magnum/drivers/heat/template_def.py b/magnum/drivers/heat/template_def.py index 922662603b..26fe24a732 100755 --- a/magnum/drivers/heat/template_def.py +++ b/magnum/drivers/heat/template_def.py @@ -244,6 +244,7 @@ class BaseTemplateDefinition(TemplateDefinition): extra_params['trustee_user_id'] = cluster.trustee_user_id extra_params['trustee_username'] = cluster.trustee_username extra_params['trustee_password'] = cluster.trustee_password + extra_params['verify_ca'] = CONF.drivers.verify_ca # Only pass trust ID into the template if allowed by the config file if CONF.trust.cluster_user_trust: diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml index ac1029c6dc..dc910bfd44 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml @@ -40,6 +40,12 @@ write_files: exit 0 fi + if [ "$VERIFY_CA" == "True" ]; then + VERIFY_CA="" + else + VERIFY_CA="-k" + fi + cert_conf_dir=${KUBE_CERTS_PATH}/conf mkdir -p ${cert_conf_dir} 
@@ -72,12 +78,12 @@ write_files: } EOF - USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \ + USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \ $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'` rm -rf auth.json - ca_cert_json=$(curl -k -X GET \ + ca_cert_json=$(curl $VERIFY_CA -X GET \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ $MAGNUM_URL/certificates/$CLUSTER_UUID) @@ -114,7 +120,7 @@ write_files: csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g') csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}" # Send csr to Magnum to have it signed - client_cert_json=$(curl -k -X POST \ + client_cert_json=$(curl $VERIFY_CA -X POST \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ -H "Content-Type: application/json" \ diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml index 07daf2d991..8ef1128270 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml @@ -40,6 +40,12 @@ write_files: exit 0 fi + if [ "$VERIFY_CA" == "True" ]; then + VERIFY_CA="" + else + VERIFY_CA="-k" + fi + if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4) fi 
@@ -103,13 +109,13 @@ write_files: } EOF - USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \ + USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \ $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'` rm -rf auth.json # Get CA certificate for this cluster - ca_cert_json=$(curl -k -X GET \ + ca_cert_json=$(curl $VERIFY_CA -X GET \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ $MAGNUM_URL/certificates/$CLUSTER_UUID) @@ -141,7 +147,7 @@ write_files: csr=$(cat $SERVER_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g') csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}" # Send csr to Magnum to have it signed - server_cert_json=$(curl -k -X POST \ + server_cert_json=$(curl $VERIFY_CA -X POST \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ -H "Content-Type: application/json" \ diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml index 6d8a295632..7857bd771d 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml @@ -20,5 +20,5 @@ write_files: permissions: "0755" content: | #!/bin/bash -v - command="$WAIT_CURL --insecure --data-binary '{\"status\": \"SUCCESS\"}'" + command="$WAIT_CURL $VERIFY_CA --data-binary '{\"status\": \"SUCCESS\"}'" eval $(echo "$command") diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml index d738795c0f..f89810a52b 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml 
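Review bot: In wc-notify.yaml the unconditional `--insecure` is replaced by `$VERIFY_CA`, which the coreos kubemaster and kubeminion templates substitute with the boolean parameter itself, so the written script contains the literal word `True` or `False` rather than a curl option. As a result `--insecure` is never passed when verify_ca is False, and when it is True curl is handed a stray `True` argument; neither case matches the intent. Map the value inside the script before building `$command`, e.g. `[ "$VERIFY_CA" == "False" ] && ca_opt="--insecure"` followed by `command="$WAIT_CURL $ca_opt --data-binary ..."`, using a name the template does not substitute. The pre-existing `eval $(echo "$command")` makes this kind of substitution error easy to miss.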
@@ -25,6 +25,7 @@ write_files: TENANT_NAME="$TENANT_NAME" CLUSTER_SUBNET="$CLUSTER_SUBNET" TLS_DISABLED="$TLS_DISABLED" + VERIFY_CA="$VERIFY_CA" CLUSTER_UUID="$CLUSTER_UUID" MAGNUM_URL="$MAGNUM_URL" HTTP_PROXY="$HTTP_PROXY" diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml index 8eb8e02590..31c861c540 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml @@ -21,6 +21,7 @@ write_files: REGISTRY_INSECURE="$REGISTRY_INSECURE" REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE" TLS_DISABLED="$TLS_DISABLED" + VERIFY_CA="$VERIFY_CA" CLUSTER_UUID="$CLUSTER_UUID" MAGNUM_URL="$MAGNUM_URL" AUTH_URL="$AUTH_URL" diff --git a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml index 99efb03d4a..1fbae2d062 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml @@ -155,6 +155,10 @@ parameters: description: whether or not to disable kubernetes dashboard default: True + verify_ca: + type: boolean + description: whether or not to validate certificate authority + loadbalancing_protocol: type: string description: > @@ -431,6 +435,7 @@ resources: kubernetes_port: {get_param: kubernetes_port} tls_disabled: {get_param: tls_disabled} kube_dashboard_enabled: {get_param: kube_dashboard_enabled} + verify_ca: {get_param: verify_ca} secgroup_kube_master_id: {get_resource: secgroup_master} http_proxy: {get_param: http_proxy} https_proxy: {get_param: https_proxy} 
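Review bot: `verify_ca` is declared in kubecluster.yaml without a `default`, unlike the neighbouring `kube_dashboard_enabled` which carries `default: True`; Heat rejects a stack create or update that omits a parameter with no default, so any path that does not go through template_def.py fails instead of falling back to the secure setting. Add `default: True` under the description so that absence means verification stays on. The same omission appears in every top-level cluster template in this patch (the fedora atomic and ironic kubecluster.yaml, mesoscluster.yaml, the swarm cluster.yaml and swarmcluster.yaml).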
@@ -489,6 +494,7 @@ resources: network_driver: {get_param: network_driver} kubernetes_port: {get_param: kubernetes_port} tls_disabled: {get_param: tls_disabled} + verify_ca: {get_param: verify_ca} secgroup_kube_minion_id: {get_resource: secgroup_minion_all_open} http_proxy: {get_param: http_proxy} https_proxy: {get_param: https_proxy} diff --git a/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml index 960a604fa2..875046adb9 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml @@ -115,6 +115,10 @@ parameters: type: boolean description: whether or not to disable kubernetes dashboard + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: > @@ -280,6 +284,7 @@ resources: "$NETWORK_DRIVER": {get_param: network_driver} "$KUBE_API_PORT": {get_param: kubernetes_port} "$TLS_DISABLED": {get_param: tls_disabled} + "$VERIFY_CA": {get_param: verify_ca} "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled} "$KUBE_VERSION": {get_param: kube_version} "$KUBE_DASHBOARD_VERSION": {get_param: kube_dashboard_version} diff --git a/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml b/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml index cb2f7b09a9..c138756136 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml @@ -42,6 +42,10 @@ parameters: type: boolean description: whether or not to enable TLS + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: 
> @@ -185,6 +189,7 @@ resources: "$WAIT_CURL": {get_attr: [minion_wait_handle, curl_cli]} "$KUBE_API_PORT": {get_param: kubernetes_port} "$TLS_DISABLED": {get_param: tls_disabled} + "$VERIFY_CA": {get_param: verify_ca} "$NETWORK_DRIVER": {get_param: network_driver} "$ETCD_SERVER_IP": {get_param: etcd_server_ip} "$KUBE_VERSION": {get_param: kube_version} diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml index 7235687fa0..8a05721aa1 100644 --- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml @@ -252,6 +252,10 @@ parameters: description: whether or not to enable kubernetes dashboard default: True + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: > @@ -512,6 +516,7 @@ resources: kubernetes_port: {get_param: kubernetes_port} tls_disabled: {get_param: tls_disabled} kube_dashboard_enabled: {get_param: kube_dashboard_enabled} + verify_ca: {get_param: verify_ca} secgroup_kube_master_id: {get_resource: secgroup_kube_master} http_proxy: {get_param: http_proxy} https_proxy: {get_param: https_proxy} @@ -580,6 +585,7 @@ resources: password: {get_param: password} kubernetes_port: {get_param: kubernetes_port} tls_disabled: {get_param: tls_disabled} + verify_ca: {get_param: verify_ca} secgroup_kube_minion_id: {get_resource: secgroup_kube_minion} http_proxy: {get_param: http_proxy} https_proxy: {get_param: https_proxy} diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml index 9d266fcfd0..6bdc0acc50 100644 --- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml 
@@ -114,6 +114,10 @@ parameters: type: boolean description: whether or not to disable kubernetes dashboard + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: > @@ -324,6 +328,7 @@ resources: "$CLUSTER_SUBNET": {get_param: fixed_subnet} "$TLS_DISABLED": {get_param: tls_disabled} "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled} + "$VERIFY_CA": {get_param: verify_ca} "$CLUSTER_UUID": {get_param: cluster_uuid} "$MAGNUM_URL": {get_param: magnum_url} "$VOLUME_DRIVER": {get_param: volume_driver} diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml index 207e467086..16ba69fe4d 100644 --- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml @@ -57,6 +57,10 @@ parameters: type: boolean description: whether or not to enable TLS + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: > @@ -269,6 +273,7 @@ resources: $REGISTRY_INSECURE: {get_param: registry_insecure} $REGISTRY_CHUNKSIZE: {get_param: registry_chunksize} $TLS_DISABLED: {get_param: tls_disabled} + $VERIFY_CA: {get_param: verify_ca} $CLUSTER_UUID: {get_param: cluster_uuid} $MAGNUM_URL: {get_param: magnum_url} $USERNAME: {get_param: username} diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml index 219eb8fbbe..0225633e0f 100644 --- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml +++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml 
@@ -250,6 +250,10 @@ parameters: description: whether or not to disable kubernetes dashboard default: True + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: > @@ -484,6 +488,7 @@ resources: kubernetes_port: {get_param: kubernetes_port} tls_disabled: {get_param: tls_disabled} kube_dashboard_enabled: {get_param: kube_dashboard_enabled} + verify_ca: {get_param: verify_ca} secgroup_base_id: {get_resource: secgroup_base} secgroup_kube_master_id: {get_resource: secgroup_kube_master} http_proxy: {get_param: http_proxy} @@ -574,6 +579,7 @@ resources: password: {get_param: password} kubernetes_port: {get_param: kubernetes_port} tls_disabled: {get_param: tls_disabled} + verify_ca: {get_param: verify_ca} http_proxy: {get_param: http_proxy} https_proxy: {get_param: https_proxy} no_proxy: {get_param: no_proxy} diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml index e384df4d9c..43b987d75f 100644 --- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml +++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml @@ -99,6 +99,10 @@ parameters: type: boolean description: whether or not to disable kubernetes dashboard + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: > @@ -289,6 +293,7 @@ resources: "$CLUSTER_SUBNET": {get_param: fixed_subnet} "$TLS_DISABLED": {get_param: tls_disabled} "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled} + "$VERIFY_CA": {get_param: verify_ca} "$CLUSTER_UUID": {get_param: cluster_uuid} "$MAGNUM_URL": {get_param: magnum_url} "$HTTP_PROXY": {get_param: http_proxy} 
diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml index 695d8d96f3..a5d3298c7f 100644 --- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml +++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml @@ -29,6 +29,10 @@ parameters: type: boolean description: whether or not to enable TLS + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: > @@ -203,6 +207,7 @@ resources: $REGISTRY_INSECURE: {get_param: registry_insecure} $REGISTRY_CHUNKSIZE: {get_param: registry_chunksize} $TLS_DISABLED: {get_param: tls_disabled} + $VERIFY_CA: {get_param: verify_ca} $CLUSTER_UUID: {get_param: cluster_uuid} $MAGNUM_URL: {get_param: magnum_url} $USERNAME: {get_param: username} diff --git a/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml b/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml index 3737d508bf..e54037b36f 100644 --- a/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml +++ b/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml @@ -64,6 +64,10 @@ parameters: enables any host to take control of a volume irrespective of whether other hosts are using the volume + verify_ca: + type: boolean + description: whether or not to validate certificate authority + mesos_slave_isolation: type: string description: > @@ -154,9 +158,10 @@ resources: str_replace: template: | #!/bin/bash -v - wc_notify --data-binary '{"status": "SUCCESS"}' + wc_notify $VERIFY_CA --data-binary '{"status": "SUCCESS"}' params: wc_notify: {get_param: mesos_slave_wc_curl_cli} + "$VERIFY_CA": {get_param: verify_ca} add_proxy: type: OS::Heat::SoftwareConfig 
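Review bot: In mesos_slave_software_configs.yaml the `str_replace` params map `$VERIFY_CA` directly to the boolean `verify_ca`, so the generated script reads `wc_notify True --data-binary ...` or `wc_notify False ...`; curl receives a stray URL argument and `-k` is never added in the False case. Do the test in the script with a shell variable the template does not substitute, e.g. `if [ "$VERIFY_CA" == "False" ]; then ca_opt="-k"; else ca_opt=""; fi` followed by `wc_notify $ca_opt --data-binary '{"status": "SUCCESS"}'` — `"$VERIFY_CA"` is then replaced by the literal `True`/`False` and the comparison still works. Note that because `$VERIFY_CA` is both a str_replace key and shell-variable syntax, assigning to it inside the script would be rewritten by the template and silently broken.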
diff --git a/magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml b/magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml index 514a1a6eb7..3a9e65c6b2 100644 --- a/magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml +++ b/magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml @@ -207,6 +207,10 @@ parameters: be empty when doing a create. default: [] + verify_ca: + type: boolean + description: whether or not to validate certificate authority + resources: ###################################################################### @@ -458,6 +462,7 @@ resources: mesos_slave_image_providers: {get_param: mesos_slave_image_providers} mesos_slave_executor_env_variables: {get_param: mesos_slave_executor_env_variables} mesos_slave_wc_curl_cli: {get_attr: [slave_wait_handle, curl_cli]} + verify_ca: {get_param: verify_ca} outputs: diff --git a/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml b/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml index 389a9855f5..aacafda325 100644 --- a/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml +++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml @@ -100,6 +100,10 @@ parameters: description: whether or not to enable TLS default: False + verify_ca: + type: boolean + description: whether or not to validate certificate authority + network_driver: type: string description: network driver to use for instantiating container networks @@ -374,6 +378,7 @@ resources: cluster_uuid: {get_param: cluster_uuid} magnum_url: {get_param: magnum_url} tls_disabled: {get_param: tls_disabled} + verify_ca: {get_param: verify_ca} secgroup_swarm_master_id: {get_resource: secgroup_swarm_manager} network_driver: {get_param: network_driver} flannel_network_cidr: {get_param: flannel_network_cidr} 
@@ -422,6 +427,7 @@ resources: cluster_uuid: {get_param: cluster_uuid} magnum_url: {get_param: magnum_url} tls_disabled: {get_param: tls_disabled} + verify_ca: {get_param: verify_ca} secgroup_swarm_node_id: {get_resource: secgroup_swarm_node} flannel_network_cidr: {get_param: flannel_network_cidr} network_driver: {get_param: network_driver} diff --git a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml index 541abe6cea..c535676e33 100644 --- a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml +++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml @@ -90,6 +90,10 @@ parameters: type: boolean description: whether or not to enable TLS + verify_ca: + type: boolean + description: whether or not to validate certificate authority + network_driver: type: string description: network driver to use for instantiating container networks @@ -243,6 +247,7 @@ resources: "$CLUSTER_UUID": {get_param: cluster_uuid} "$MAGNUM_URL": {get_param: magnum_url} "$TLS_DISABLED": {get_param: tls_disabled} + "$VERIFY_CA": {get_param: verify_ca} "$NETWORK_DRIVER": {get_param: network_driver} "$FLANNEL_NETWORK_CIDR": {get_param: flannel_network_cidr} "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen} @@ -319,6 +324,7 @@ resources: params: "$SERVICE": swarm-manager "$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]} + "$VERIFY_CA": {get_param: verify_ca} write_docker_socket: type: "OS::Heat::SoftwareConfig" @@ -341,6 +347,7 @@ resources: "$HTTPS_PROXY": {get_param: https_proxy} "$NO_PROXY": {get_attr: [no_proxy_extended, value]} "$TLS_DISABLED": {get_param: tls_disabled} + "$VERIFY_CA": {get_param: verify_ca} "$SWARM_VERSION": {get_param: swarm_version} "$SWARM_STRATEGY": {get_param: swarm_strategy} 
diff --git a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml index a93c0cd677..d4562e1746 100644 --- a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml +++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml @@ -93,6 +93,10 @@ parameters: type: boolean description: whether or not to disable TLS + verify_ca: + type: boolean + description: whether or not to validate certificate authority + swarm_version: type: string description: version of swarm used for swarm cluster @@ -220,6 +224,7 @@ resources: "$CLUSTER_UUID": {get_param: cluster_uuid} "$MAGNUM_URL": {get_param: magnum_url} "$TLS_DISABLED": {get_param: tls_disabled} + "$VERIFY_CA": {get_param: verify_ca} "$NETWORK_DRIVER": {get_param: network_driver} "$ETCD_SERVER_IP": {get_param: etcd_server_ip} "$API_IP_ADDRESS": {get_param: api_ip_address} @@ -295,6 +300,7 @@ resources: params: "$SERVICE": swarm-agent "$WAIT_CURL": {get_attr: [node_wait_handle, curl_cli]} + "$VERIFY_CA": {get_param: verify_ca} write_swarm_agent_service: type: "OS::Heat::SoftwareConfig" diff --git a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-heat-params-master.yaml b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-heat-params-master.yaml index f6f2d5f6d9..4f15412be1 100644 --- a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-heat-params-master.yaml +++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-heat-params-master.yaml @@ -26,3 +26,4 @@ write_files: AUTH_URL="$AUTH_URL" VOLUME_DRIVER="$VOLUME_DRIVER" REXRAY_PREEMPT="$REXRAY_PREEMPT" + VERIFY_CA="$VERIFY_CA" diff --git a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh index 2c978b41ee..a31bb3d489 100644 
--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh +++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh @@ -4,6 +4,12 @@ set -x +if [ "$VERIFY_CA" == "True" ]; then + VERIFY_CA="" +else + VERIFY_CA="-k" +fi + if [ "${IS_PRIMARY_MASTER}" = "True" ]; then cat > /usr/local/bin/magnum-start-swarm-manager << START_SWARM_BIN #!/bin/bash -xe @@ -16,7 +22,7 @@ else status="FAILURE" msg="Failed to init swarm." fi -sh -c "${WAIT_CURL} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'" +sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'" START_SWARM_BIN else if [ "${TLS_DISABLED}" = 'False' ]; then @@ -37,7 +43,7 @@ do done if [[ -z \$token ]] ; then - sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'" + sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'" fi i=0 @@ -48,9 +54,9 @@ do sleep 5 done if [[ \$i -ge 5 ]] ; then - sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'" + sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'" else - sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'" + sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'" fi START_SWARM_BIN fi diff --git a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh index 6bc8448c27..bc947a8a09 100644 --- a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh 
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh @@ -4,6 +4,12 @@ set -x +if [ "$VERIFY_CA" == "True" ]; then + VERIFY_CA="" +else + VERIFY_CA="-k" +fi + if [ "${TLS_DISABLED}" = 'False' ]; then tls="--tlsverify" tls=$tls" --tlscacert=/etc/docker/ca.crt" @@ -22,7 +28,7 @@ do done if [[ -z \$token ]] ; then - sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'" + sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'" fi i=0 @@ -33,9 +39,9 @@ do sleep 5 done if [[ \$i -ge 5 ]] ; then - sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'" + sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'" else - sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'" + sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'" fi START_SWARM_BIN diff --git a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml index 6af9ebe008..9687836754 100644 --- a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml +++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml @@ -179,6 +179,9 @@ parameters: other hosts are using the volume default: "false" + verify_ca: + type: boolean + description: whether or not to validate certificate authority resources: @@ -301,6 +304,7 @@ resources: auth_url: {get_param: auth_url} volume_driver: {get_param: volume_driver} rexray_preempt: {get_param: rexray_preempt} + verify_ca: {get_param: verify_ca} swarm_secondary_masters: type: "OS::Heat::ResourceGroup" 
@@ -342,6 +346,7 @@ resources:
 auth_url: {get_param: auth_url}
 volume_driver: {get_param: volume_driver}
 rexray_preempt: {get_param: rexray_preempt}
+ verify_ca: {get_param: verify_ca}
 swarm_nodes:
 type: "OS::Heat::ResourceGroup"
@@ -383,6 +388,7 @@ resources:
 auth_url: {get_param: auth_url}
 volume_driver: {get_param: volume_driver}
 rexray_preempt: {get_param: rexray_preempt}
+ verify_ca: {get_param: verify_ca}
 outputs:
diff --git a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml
index a9b0e542fb..8f8d6ffb4f 100644
--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml
@@ -135,6 +135,10 @@ parameters:
 description: whether this master is primary or not
 default: False
+ verify_ca:
+ type: boolean
+ description: whether or not to validate certificate authority
+
 resources:
 master_wait_handle:
@@ -195,6 +199,7 @@ resources:
 "$AUTH_URL": {get_param: auth_url}
 "$VOLUME_DRIVER": {get_param: volume_driver}
 "$REXRAY_PREEMPT": {get_param: rexray_preempt}
+ "$VERIFY_CA": {get_param: verify_ca}
 remove_docker_key:
 type: "OS::Heat::SoftwareConfig"
diff --git a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml
index 913f1eec7c..c0c362a7f5 100644
--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml
@@ -127,6 +127,10 @@ parameters:
 other hosts are using the volume
 default: "false"
+ verify_ca:
+ type: boolean
+ description: whether or not to validate certificate authority
+
 resources:
 node_wait_handle:
@@ -172,6 +176,7 @@ resources:
 "$AUTH_URL": {get_param: auth_url}
 "$VOLUME_DRIVER": {get_param: volume_driver}
 "$REXRAY_PREEMPT": {get_param: rexray_preempt}
+ "$VERIFY_CA": {get_param: verify_ca}
 remove_docker_key:
 type: "OS::Heat::SoftwareConfig"
diff --git a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
index 2fc0725ecb..6cf4947c48 100644
--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@@ -225,6 +225,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'auth_url': 'http://192.168.10.10:5000/v3',
 'insecure_registry_url': '10.0.0.1:5000',
 'kube_version': 'fake-version',
+ 'verify_ca': True,
 }
 if missing_attr is not None:
 expected.pop(mapping[missing_attr], None)
@@ -319,6 +320,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'volume_driver': 'volume_driver',
 'insecure_registry_url': '10.0.0.1:5000',
 'kube_version': 'fake-version',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
@@ -398,7 +400,8 @@ class TestClusterConductorWithK8s(base.TestCase):
 'trustee_password': 'fake_trustee_password',
 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
 'trustee_username': 'fake_trustee',
- 'username': 'fake_user'
+ 'username': 'fake_user',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -475,6 +478,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'magnum_url': self.mock_osc.magnum_url.return_value,
 'insecure_registry_url': '10.0.0.1:5000',
 'kube_version': 'fake-version',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -546,6 +550,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'magnum_url': self.mock_osc.magnum_url.return_value,
 'insecure_registry_url': '10.0.0.1:5000',
 'kube_version': 'fake-version',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
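Review bot: Every expected dictionary in these hunks pins `'verify_ca': True`, which only exercises the default; nothing here overrides the option to False and checks that the value reaches the template definition, so a regression that ignored the config and always emitted True would still pass this suite. One test per conductor that calls `CONF.set_override('verify_ca', False, group=<group the option is registered in>)` before building the definition and asserts `'verify_ca': False` in the result would cover the opt-out path that the release note documents. The same gap applies to the mesos and swarm conductor test hunks further down.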
@@ -731,6 +736,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'auth_url': 'http://192.168.10.10:5000/v3',
 'insecure_registry_url': '10.0.0.1:5000',
 'kube_version': 'fake-version',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
diff --git a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
index 2ecb1b21d5..ed6edcbc2d 100644
--- a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
@@ -137,7 +137,8 @@ class TestClusterConductorWithMesos(base.TestCase):
 'mesos_slave_executor_env_variables': '{}',
 'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
 'mesos_slave_work_dir': '/tmp/mesos/slave',
- 'mesos_slave_image_providers': 'docker'
+ 'mesos_slave_image_providers': 'docker',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -192,6 +193,7 @@ class TestClusterConductorWithMesos(base.TestCase):
 'mesos_slave_work_dir': '/tmp/mesos/slave',
 'mesos_slave_image_providers': 'docker',
 'master_flavor': 'master_flavor_id',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -248,7 +250,8 @@ class TestClusterConductorWithMesos(base.TestCase):
 'mesos_slave_executor_env_variables': '{}',
 'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
 'mesos_slave_work_dir': '/tmp/mesos/slave',
- 'mesos_slave_image_providers': 'docker'
+ 'mesos_slave_image_providers': 'docker',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -306,7 +309,8 @@ class TestClusterConductorWithMesos(base.TestCase):
 'mesos_slave_executor_env_variables': '{}',
 'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
 'mesos_slave_work_dir': '/tmp/mesos/slave',
- 'mesos_slave_image_providers': 'docker'
+ 'mesos_slave_image_providers': 'docker',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
diff --git a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
index 0b2bcbecfa..315c1bdabd 100644
--- a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
@@ -160,7 +160,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
 'swarm_strategy': u'spread',
 'volume_driver': 'rexray',
 'rexray_preempt': 'False',
- 'docker_volume_type': 'lvmdriver-1'
+ 'docker_volume_type': 'lvmdriver-1',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -236,7 +237,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
 'swarm_strategy': u'spread',
 'volume_driver': 'rexray',
 'rexray_preempt': 'False',
- 'docker_volume_type': 'lvmdriver-1'
+ 'docker_volume_type': 'lvmdriver-1',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -306,6 +308,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
 'docker_volume_type': 'lvmdriver-1',
 'docker_volume_size': 20,
 'master_flavor': 'master_flavor_id',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -375,7 +378,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
 'swarm_strategy': u'spread',
 'volume_driver': 'rexray',
 'rexray_preempt': 'False',
- 'docker_volume_type': 'lvmdriver-1'
+ 'docker_volume_type': 'lvmdriver-1',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -446,7 +450,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
 'swarm_strategy': u'spread',
 'volume_driver': 'rexray',
 'rexray_preempt': 'False',
- 'docker_volume_type': 'lvmdriver-1'
+ 'docker_volume_type': 'lvmdriver-1',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
diff --git a/releasenotes/notes/bug-1663757-198e1aa8fa810984.yaml b/releasenotes/notes/bug-1663757-198e1aa8fa810984.yaml
new file mode 100644
index 0000000000..67106fb82f
--- /dev/null
+++ b/releasenotes/notes/bug-1663757-198e1aa8fa810984.yaml
@@ -0,0 +1,12 @@
+---
+fixes:
+ - |
+ [`bug 1663757 `_]
+ A configuration parameter, verify_ca, was added to magnum.conf
+ with a default value of True and passed to the heat templates to indicate
+ whether the cluster nodes validate the Certificate Authority when making
+ requests to the OpenStack APIs (Keystone, Magnum, Heat). This parameter
+ can be set to False to disable CA validation if you have self-signed
+ certificates for the OpenStack APIs or you have your own Certificate
+ Authority and you have not installed the Certificate Authority to all
+ nodes.