Add verify_ca configuration parameter

Added configuration parameter, verify_ca, to magnum.conf with default
value of True. This parameter is passed to the heat templates to
indicate whether the cluster nodes validate the Certificate Authority
when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
This configuration parameter can be set to False to disable CA
validation.

Co-Authored-By: Vijendar Komalla <vijendar.komalla@rackspace.com>

Change-Id: Iab02cb1338b811dac0c147378dbd0e63c83f0413
Partial-Bug: #1663757
Kirsten G 2017-10-25 01:27:40 -07:00
parent 8e8fbe9214
commit b07b6f34d5
45 changed files with 275 additions and 44 deletions


@ -178,7 +178,11 @@ specified). If it fails, that means the credential you provided is invalid.
TLS TLS
--- ---
*To be filled in* The cluster nodes will validate the Certificate Authority by default
when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
If you need to disable CA validation, the configuration parameter
verify_ca can be set to False. More information on `CA Validation
<https://bugs.launchpad.net/magnum/+bug/1663757>`_.
Barbican service Barbican service


@ -26,6 +26,7 @@ from magnum.conf import conductor
from magnum.conf import database from magnum.conf import database
from magnum.conf import docker from magnum.conf import docker
from magnum.conf import docker_registry from magnum.conf import docker_registry
from magnum.conf import drivers
from magnum.conf import glance from magnum.conf import glance
from magnum.conf import heat from magnum.conf import heat
from magnum.conf import keystone from magnum.conf import keystone
@ -54,6 +55,7 @@ conductor.register_opts(CONF)
database.register_opts(CONF) database.register_opts(CONF)
docker.register_opts(CONF) docker.register_opts(CONF)
docker_registry.register_opts(CONF) docker_registry.register_opts(CONF)
drivers.register_opts(CONF)
glance.register_opts(CONF) glance.register_opts(CONF)
heat.register_opts(CONF) heat.register_opts(CONF)
keystone.register_opts(CONF) keystone.register_opts(CONF)

40
magnum/conf/drivers.py Normal file

@ -0,0 +1,40 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_config import cfg
drivers_group = cfg.OptGroup(name='drivers',
title='Options for the Drivers')
drivers_opts = [
cfg.BoolOpt('verify_ca',
default=True,
help='Indicates whether the cluster nodes validate the '
'Certificate Authority when making requests to the '
'OpenStack APIs (Keystone, Magnum, Heat). If you have '
'self-signed certificates for the OpenStack APIs or '
'you have your own Certificate Authority and you '
'have not installed the Certificate Authority to all '
'nodes, you may need to disable CA validation by '
'setting this flag to False.')
]
def register_opts(conf):
conf.register_group(drivers_group)
conf.register_opts(drivers_opts, group=drivers_group)
def list_opts():
return {
drivers_group: drivers_opts,
}
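Review bot: The help text on the verify_ca option explains when an operator might set it to False but not what is given up, and that is the part a deployer needs before flipping a global switch: with validation off, every node request to Keystone, Magnum and Heat (the token request carrying the trustee credentials, the CA download and the CSR signing seen in the make-cert scripts of this commit) will accept any server certificate. Extend the help with a sentence such as `'Disabling validation means these requests accept any server certificate; installing the CA into the node image is the preferred fix.'`. The new module also has no docstring; a one-liner such as `"""Configuration options shared by all cluster drivers."""` after the license header would do.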


@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then
exit 0 exit 0
fi fi
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
cert_dir=/etc/kubernetes/certs cert_dir=/etc/kubernetes/certs
mkdir -p "$cert_dir" mkdir -p "$cert_dir"
@ -55,11 +61,11 @@ EOF
content_type='Content-Type: application/json' content_type='Content-Type: application/json'
url="$AUTH_URL/auth/tokens" url="$AUTH_URL/auth/tokens"
USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \ USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \
| grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'` | grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'`
# Get CA certificate for this cluster # Get CA certificate for this cluster
curl -k -X GET \ curl $VERIFY_CA -X GET \
-H "X-Auth-Token: $USER_TOKEN" \ -H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \ -H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > $CA_CERT $MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > $CA_CERT
@ -93,7 +99,7 @@ openssl req -new -days 1000 \
# Send csr to Magnum to have it signed # Send csr to Magnum to have it signed
csr_req=$(python -c "import json; fp = open('${CLIENT_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()") csr_req=$(python -c "import json; fp = open('${CLIENT_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")
curl -k -X POST \ curl $VERIFY_CA -X POST \
-H "X-Auth-Token: $USER_TOKEN" \ -H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \ -H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
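Review bot: The VERIFY_CA mapping at the top of the hunk fails open: any value other than the exact string True, including an unset or misspelled variable from a template that forgot to export it, silently becomes `-k`, so a wiring mistake downgrades every curl call in this script to unverified TLS with no visible error. Inverting the test keeps verification as the behaviour on error and still honours an explicit False: `if [ "$VERIFY_CA" == "False" ]; then VERIFY_CA="-k"; else VERIFY_CA=""; fi`. The same mapping is repeated in the server make-cert script, the notify-heat script, the swarm agent and swarm manager scripts, and the two make-cert fragments further down, and should be changed in the same way there. The script continues outside this hunk.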


@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then
exit 0 exit 0
fi fi
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then
KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4) KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
fi fi
@ -87,11 +93,11 @@ EOF
content_type='Content-Type: application/json' content_type='Content-Type: application/json'
url="$AUTH_URL/auth/tokens" url="$AUTH_URL/auth/tokens"
USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \ USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \
| grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'` | grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'`
# Get CA certificate for this cluster # Get CA certificate for this cluster
curl -k -X GET \ curl $VERIFY_CA -X GET \
-H "X-Auth-Token: $USER_TOKEN" \ -H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \ -H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${CA_CERT} $MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${CA_CERT}
@ -120,7 +126,7 @@ openssl req -new -days 1000 \
# Send csr to Magnum to have it signed # Send csr to Magnum to have it signed
csr_req=$(python -c "import json; fp = open('${SERVER_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()") csr_req=$(python -c "import json; fp = open('${SERVER_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")
curl -k -X POST \ curl $VERIFY_CA -X POST \
-H "X-Auth-Token: $USER_TOKEN" \ -H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \ -H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \


@ -11,7 +11,7 @@ until curl -sf "http://127.0.0.1:8080/healthz"; do
echo "Waiting for Kubernetes API..." echo "Waiting for Kubernetes API..."
sleep 5 sleep 5
done done
$WAIT_CURL --data-binary '{"status": "SUCCESS"}' $WAIT_CURL $VERIFY_CA --data-binary '{"status": "SUCCESS"}'
EOF EOF
cat > $WC_NOTIFY_SERVICE <<EOF cat > $WC_NOTIFY_SERVICE <<EOF
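Review bot: The `$WAIT_CURL $VERIFY_CA --data-binary` line in the heredoc passes VERIFY_CA straight to curl, but nothing in this hunk translates the Heat boolean (the string True or False written by write-heat-params) into a curl flag; unless that translation happens earlier in this script, outside the hunk, curl would receive the literal word True as an extra URL argument instead of `-k` or nothing. The same untranslated use appears in the systemd wc-notify unit, the wc-notify fragment that replaces `--insecure`, and the mesos slave template, where the params map substitutes `get_param: verify_ca` directly into `wc_notify $VERIFY_CA` and no translation is visible at all. Either apply the same True/False to ""/"-k" mapping the make-cert scripts use before these lines, or pass the flag value rather than the boolean from the templates.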


@ -30,6 +30,7 @@ write_files:
CLUSTER_SUBNET="$CLUSTER_SUBNET" CLUSTER_SUBNET="$CLUSTER_SUBNET"
TLS_DISABLED="$TLS_DISABLED" TLS_DISABLED="$TLS_DISABLED"
KUBE_DASHBOARD_ENABLED="$KUBE_DASHBOARD_ENABLED" KUBE_DASHBOARD_ENABLED="$KUBE_DASHBOARD_ENABLED"
VERIFY_CA="$VERIFY_CA"
CLUSTER_UUID="$CLUSTER_UUID" CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL" MAGNUM_URL="$MAGNUM_URL"
VOLUME_DRIVER="$VOLUME_DRIVER" VOLUME_DRIVER="$VOLUME_DRIVER"


@ -24,6 +24,7 @@ write_files:
REGISTRY_INSECURE="$REGISTRY_INSECURE" REGISTRY_INSECURE="$REGISTRY_INSECURE"
REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE" REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
TLS_DISABLED="$TLS_DISABLED" TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
CLUSTER_UUID="$CLUSTER_UUID" CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL" MAGNUM_URL="$MAGNUM_URL"
AUTH_URL="$AUTH_URL" AUTH_URL="$AUTH_URL"


@ -4,6 +4,12 @@
echo "notifying heat" echo "notifying heat"
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
STATUS="SUCCESS" STATUS="SUCCESS"
REASON="Setup complete" REASON="Setup complete"
DATA="OK" DATA="OK"
@ -11,4 +17,4 @@ UUID=`uuidgen`
data=$(echo '{"status": "'${STATUS}'", "reason": "'$REASON'", "data": "'${DATA}'", "id": "'$UUID'"}') data=$(echo '{"status": "'${STATUS}'", "reason": "'$REASON'", "data": "'${DATA}'", "id": "'$UUID'"}')
sh -c "${WAIT_CURL} --data-binary '${data}'" sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '${data}'"


@ -81,13 +81,14 @@ def _build_subject_alt_names(config):
return ','.join(subject_alt_names) return ','.join(subject_alt_names)
def write_ca_cert(config): def write_ca_cert(config, verify_ca):
cluster_cert_url = '%s/certificates/%s' % (config['MAGNUM_URL'], cluster_cert_url = '%s/certificates/%s' % (config['MAGNUM_URL'],
config['CLUSTER_UUID']) config['CLUSTER_UUID'])
headers = {'X-Auth-Token': config['USER_TOKEN'], headers = {'X-Auth-Token': config['USER_TOKEN'],
'OpenStack-API-Version': 'container-infra latest'} 'OpenStack-API-Version': 'container-infra latest'}
ca_cert_resp = requests.get(cluster_cert_url, ca_cert_resp = requests.get(cluster_cert_url,
headers=headers) headers=headers,
verify=verify_ca)
with open(CA_CERT_PATH, 'w') as fp: with open(CA_CERT_PATH, 'w') as fp:
fp.write(ca_cert_resp.json()['pem']) fp.write(ca_cert_resp.json()['pem'])
@ -121,7 +122,7 @@ def create_server_csr(config):
return {'cluster_uuid': config['CLUSTER_UUID'], 'csr': fp.read()} return {'cluster_uuid': config['CLUSTER_UUID'], 'csr': fp.read()}
def write_server_cert(config, csr_req): def write_server_cert(config, csr_req, verify_ca):
cert_url = '%s/certificates' % config['MAGNUM_URL'] cert_url = '%s/certificates' % config['MAGNUM_URL']
headers = { headers = {
'Content-Type': 'application/json', 'Content-Type': 'application/json',
@ -130,13 +131,14 @@ def write_server_cert(config, csr_req):
} }
csr_resp = requests.post(cert_url, csr_resp = requests.post(cert_url,
data=json.dumps(csr_req), data=json.dumps(csr_req),
headers=headers) headers=headers,
verify=verify_ca)
with open(SERVER_CERT_PATH, 'w') as fp: with open(SERVER_CERT_PATH, 'w') as fp:
fp.write(csr_resp.json()['pem']) fp.write(csr_resp.json()['pem'])
def get_user_token(config): def get_user_token(config, verify_ca):
creds_str = ''' creds_str = '''
{ {
"auth": { "auth": {
@ -161,7 +163,7 @@ def get_user_token(config):
creds = creds_str % params creds = creds_str % params
headers = {'Content-Type': 'application/json'} headers = {'Content-Type': 'application/json'}
url = config['AUTH_URL'] + '/auth/tokens' url = config['AUTH_URL'] + '/auth/tokens'
r = requests.post(url, headers=headers, data=creds) r = requests.post(url, headers=headers, data=creds, verify=verify_ca)
config['USER_TOKEN'] = r.headers['X-Subject-Token'] config['USER_TOKEN'] = r.headers['X-Subject-Token']
return config return config
@ -169,12 +171,13 @@ def get_user_token(config):
def main(): def main():
config = load_config() config = load_config()
if config['TLS_DISABLED'] == 'False': if config['TLS_DISABLED'] == 'False':
verify_ca = True if config['VERIFY_CA'] == 'True' else False
create_dirs() create_dirs()
config = get_user_token(config) config = get_user_token(config, verify_ca)
write_ca_cert(config) write_ca_cert(config, verify_ca)
write_server_key() write_server_key()
csr_req = create_server_csr(config) csr_req = create_server_csr(config)
write_server_cert(config, csr_req) write_server_cert(config, csr_req, verify_ca)
if __name__ == '__main__': if __name__ == '__main__':
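Review bot: In main() the conditional expression `verify_ca = True if config['VERIFY_CA'] == 'True' else False` is a verbose spelling of a comparison, and it also turns verification off for any value other than the exact string 'True', including a missing key if the heat-params file is ever generated without it. `verify_ca = config.get('VERIFY_CA', 'True') != 'False'` is both shorter and keeps verification on unless it is explicitly disabled. The new verify_ca parameter on get_user_token, write_ca_cert and write_server_cert is undocumented; a line such as `verify_ca: bool passed to requests' verify=, False disables CA validation for this call` in each docstring would help the next reader.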


@ -11,5 +11,5 @@ write_files:
[Service] [Service]
Type=simple Type=simple
TimeoutStartSec=0 TimeoutStartSec=0
ExecStart=/usr/bin/$WAIT_CURL \ ExecStart=/usr/bin/$WAIT_CURL $VERIFY_CA \
--data-binary '{"status": "FAILURE", "reason": "$SERVICE service failed to start.", "data": "Failure"}' --data-binary '{"status": "FAILURE", "reason": "$SERVICE service failed to start.", "data": "Failure"}'


@ -18,6 +18,7 @@ write_files:
CLUSTER_UUID="$CLUSTER_UUID" CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL" MAGNUM_URL="$MAGNUM_URL"
TLS_DISABLED="$TLS_DISABLED" TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
NETWORK_DRIVER="$NETWORK_DRIVER" NETWORK_DRIVER="$NETWORK_DRIVER"
FLANNEL_NETWORK_CIDR="$FLANNEL_NETWORK_CIDR" FLANNEL_NETWORK_CIDR="$FLANNEL_NETWORK_CIDR"
FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN" FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"


@ -17,6 +17,7 @@ write_files:
CLUSTER_UUID="$CLUSTER_UUID" CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL" MAGNUM_URL="$MAGNUM_URL"
TLS_DISABLED="$TLS_DISABLED" TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
NETWORK_DRIVER="$NETWORK_DRIVER" NETWORK_DRIVER="$NETWORK_DRIVER"
ETCD_SERVER_IP="$ETCD_SERVER_IP" ETCD_SERVER_IP="$ETCD_SERVER_IP"
API_IP_ADDRESS="$API_IP_ADDRESS" API_IP_ADDRESS="$API_IP_ADDRESS"


@ -4,6 +4,12 @@
myip="$SWARM_NODE_IP" myip="$SWARM_NODE_IP"
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
CONF_FILE=/etc/systemd/system/swarm-agent.service CONF_FILE=/etc/systemd/system/swarm-agent.service
CERT_DIR=/etc/docker CERT_DIR=/etc/docker
PROTOCOL=https PROTOCOL=https
@ -76,7 +82,7 @@ do
sleep 5 sleep 5
done done
${WAIT_CURL} \ ${WAIT_CURL} {$VERIFY_CA} \
--data-binary '{"status": "SUCCESS", "reason": "Swarm agent ready", "data": "OK", "id": "${UUID}"}' --data-binary '{"status": "SUCCESS", "reason": "Swarm agent ready", "data": "OK", "id": "${UUID}"}'
EOF EOF
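Review bot: `${WAIT_CURL} {$VERIFY_CA} \` in the second hunk has the brace on the wrong side of the dollar sign: bash expands `{$VERIFY_CA}` to the literal `{-k}` or `{}`, which curl parses as a (globbed) URL argument rather than as the insecure flag, so the wait-condition notification is sent with the wrong arguments in both the verifying and non-verifying cases. It should read `${WAIT_CURL} ${VERIFY_CA} \` like the equivalent line in the swarm-manager unit. The heredoc this line sits in begins outside the hunk.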


@ -2,6 +2,12 @@
CERT_DIR=/etc/docker CERT_DIR=/etc/docker
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
cat > /etc/systemd/system/swarm-manager.service << END_SERVICE_TOP cat > /etc/systemd/system/swarm-manager.service << END_SERVICE_TOP
[Unit] [Unit]
Description=Swarm Manager Description=Swarm Manager
@ -46,7 +52,7 @@ cat >> /etc/systemd/system/swarm-manager.service << END_SERVICE_BOTTOM
etcd://$ETCD_SERVER_IP:2379/v2/keys/swarm/ etcd://$ETCD_SERVER_IP:2379/v2/keys/swarm/
ExecStop=/usr/bin/docker stop swarm-manager ExecStop=/usr/bin/docker stop swarm-manager
Restart=always Restart=always
ExecStartPost=/usr/bin/$WAIT_CURL \\ ExecStartPost=/usr/bin/$WAIT_CURL $VERIFY_CA \\
--data-binary '{"status": "SUCCESS", "reason": "Setup complete", "data": "OK", "id": "$UUID"}' --data-binary '{"status": "SUCCESS", "reason": "Setup complete", "data": "OK", "id": "$UUID"}'
[Install] [Install]


@ -244,6 +244,7 @@ class BaseTemplateDefinition(TemplateDefinition):
extra_params['trustee_user_id'] = cluster.trustee_user_id extra_params['trustee_user_id'] = cluster.trustee_user_id
extra_params['trustee_username'] = cluster.trustee_username extra_params['trustee_username'] = cluster.trustee_username
extra_params['trustee_password'] = cluster.trustee_password extra_params['trustee_password'] = cluster.trustee_password
extra_params['verify_ca'] = CONF.drivers.verify_ca
# Only pass trust ID into the template if allowed by the config file # Only pass trust ID into the template if allowed by the config file
if CONF.trust.cluster_user_trust: if CONF.trust.cluster_user_trust:
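Review bot: `extra_params['verify_ca'] = CONF.drivers.verify_ca` is set unconditionally for every template definition, unlike the trust ID two lines below which is guarded by a config check; if Heat rejects parameters a template does not declare, any driver template that has not been updated to declare verify_ca (an out-of-tree driver, for instance) would fail to create clusters after this change. That contract deserves a comment at the assignment, e.g. `# Every driver template must declare a 'verify_ca' boolean parameter; the value is cluster-wide and comes from magnum.conf, not the cluster template.` The surrounding method continues outside the hunk.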


@ -40,6 +40,12 @@ write_files:
exit 0 exit 0
fi fi
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
cert_conf_dir=${KUBE_CERTS_PATH}/conf cert_conf_dir=${KUBE_CERTS_PATH}/conf
mkdir -p ${cert_conf_dir} mkdir -p ${cert_conf_dir}
@ -72,12 +78,12 @@ write_files:
} }
EOF EOF
USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \ USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'` $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
rm -rf auth.json rm -rf auth.json
ca_cert_json=$(curl -k -X GET \ ca_cert_json=$(curl $VERIFY_CA -X GET \
-H "X-Auth-Token: $USER_TOKEN" \ -H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \ -H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID) $MAGNUM_URL/certificates/$CLUSTER_UUID)
@ -114,7 +120,7 @@ write_files:
csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g') csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}" csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
# Send csr to Magnum to have it signed # Send csr to Magnum to have it signed
client_cert_json=$(curl -k -X POST \ client_cert_json=$(curl $VERIFY_CA -X POST \
-H "X-Auth-Token: $USER_TOKEN" \ -H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \ -H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \


@ -40,6 +40,12 @@ write_files:
exit 0 exit 0
fi fi
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then
KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4) KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
fi fi
@ -103,13 +109,13 @@ write_files:
} }
EOF EOF
USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \ USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'` $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
rm -rf auth.json rm -rf auth.json
# Get CA certificate for this cluster # Get CA certificate for this cluster
ca_cert_json=$(curl -k -X GET \ ca_cert_json=$(curl $VERIFY_CA -X GET \
-H "X-Auth-Token: $USER_TOKEN" \ -H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \ -H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID) $MAGNUM_URL/certificates/$CLUSTER_UUID)
@ -141,7 +147,7 @@ write_files:
csr=$(cat $SERVER_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g') csr=$(cat $SERVER_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}" csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
# Send csr to Magnum to have it signed # Send csr to Magnum to have it signed
server_cert_json=$(curl -k -X POST \ server_cert_json=$(curl $VERIFY_CA -X POST \
-H "X-Auth-Token: $USER_TOKEN" \ -H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \ -H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \


@ -20,5 +20,5 @@ write_files:
permissions: "0755" permissions: "0755"
content: | content: |
#!/bin/bash -v #!/bin/bash -v
command="$WAIT_CURL --insecure --data-binary '{\"status\": \"SUCCESS\"}'" command="$WAIT_CURL $VERIFY_CA --data-binary '{\"status\": \"SUCCESS\"}'"
eval $(echo "$command") eval $(echo "$command")


@ -25,6 +25,7 @@ write_files:
TENANT_NAME="$TENANT_NAME" TENANT_NAME="$TENANT_NAME"
CLUSTER_SUBNET="$CLUSTER_SUBNET" CLUSTER_SUBNET="$CLUSTER_SUBNET"
TLS_DISABLED="$TLS_DISABLED" TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
CLUSTER_UUID="$CLUSTER_UUID" CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL" MAGNUM_URL="$MAGNUM_URL"
HTTP_PROXY="$HTTP_PROXY" HTTP_PROXY="$HTTP_PROXY"


@ -21,6 +21,7 @@ write_files:
REGISTRY_INSECURE="$REGISTRY_INSECURE" REGISTRY_INSECURE="$REGISTRY_INSECURE"
REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE" REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
TLS_DISABLED="$TLS_DISABLED" TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
CLUSTER_UUID="$CLUSTER_UUID" CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL" MAGNUM_URL="$MAGNUM_URL"
AUTH_URL="$AUTH_URL" AUTH_URL="$AUTH_URL"


@ -155,6 +155,10 @@ parameters:
description: whether or not to disable kubernetes dashboard description: whether or not to disable kubernetes dashboard
default: True default: True
verify_ca:
type: boolean
description: whether or not to validate certificate authority
loadbalancing_protocol: loadbalancing_protocol:
type: string type: string
description: > description: >
@ -431,6 +435,7 @@ resources:
kubernetes_port: {get_param: kubernetes_port} kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled} tls_disabled: {get_param: tls_disabled}
kube_dashboard_enabled: {get_param: kube_dashboard_enabled} kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
verify_ca: {get_param: verify_ca}
secgroup_kube_master_id: {get_resource: secgroup_master} secgroup_kube_master_id: {get_resource: secgroup_master}
http_proxy: {get_param: http_proxy} http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy} https_proxy: {get_param: https_proxy}
@ -489,6 +494,7 @@ resources:
network_driver: {get_param: network_driver} network_driver: {get_param: network_driver}
kubernetes_port: {get_param: kubernetes_port} kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled} tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
secgroup_kube_minion_id: {get_resource: secgroup_minion_all_open} secgroup_kube_minion_id: {get_resource: secgroup_minion_all_open}
http_proxy: {get_param: http_proxy} http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy} https_proxy: {get_param: https_proxy}


@ -115,6 +115,10 @@ parameters:
type: boolean type: boolean
description: whether or not to disable kubernetes dashboard description: whether or not to disable kubernetes dashboard
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port: kubernetes_port:
type: number type: number
description: > description: >
@ -280,6 +284,7 @@ resources:
"$NETWORK_DRIVER": {get_param: network_driver} "$NETWORK_DRIVER": {get_param: network_driver}
"$KUBE_API_PORT": {get_param: kubernetes_port} "$KUBE_API_PORT": {get_param: kubernetes_port}
"$TLS_DISABLED": {get_param: tls_disabled} "$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled} "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
"$KUBE_VERSION": {get_param: kube_version} "$KUBE_VERSION": {get_param: kube_version}
"$KUBE_DASHBOARD_VERSION": {get_param: kube_dashboard_version} "$KUBE_DASHBOARD_VERSION": {get_param: kube_dashboard_version}


@ -42,6 +42,10 @@ parameters:
type: boolean type: boolean
description: whether or not to enable TLS description: whether or not to enable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port: kubernetes_port:
type: number type: number
description: > description: >
@ -185,6 +189,7 @@ resources:
"$WAIT_CURL": {get_attr: [minion_wait_handle, curl_cli]} "$WAIT_CURL": {get_attr: [minion_wait_handle, curl_cli]}
"$KUBE_API_PORT": {get_param: kubernetes_port} "$KUBE_API_PORT": {get_param: kubernetes_port}
"$TLS_DISABLED": {get_param: tls_disabled} "$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$NETWORK_DRIVER": {get_param: network_driver} "$NETWORK_DRIVER": {get_param: network_driver}
"$ETCD_SERVER_IP": {get_param: etcd_server_ip} "$ETCD_SERVER_IP": {get_param: etcd_server_ip}
"$KUBE_VERSION": {get_param: kube_version} "$KUBE_VERSION": {get_param: kube_version}


@ -252,6 +252,10 @@ parameters:
description: whether or not to enable kubernetes dashboard description: whether or not to enable kubernetes dashboard
default: True default: True
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port: kubernetes_port:
type: number type: number
description: > description: >
@ -512,6 +516,7 @@ resources:
kubernetes_port: {get_param: kubernetes_port} kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled} tls_disabled: {get_param: tls_disabled}
kube_dashboard_enabled: {get_param: kube_dashboard_enabled} kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
verify_ca: {get_param: verify_ca}
secgroup_kube_master_id: {get_resource: secgroup_kube_master} secgroup_kube_master_id: {get_resource: secgroup_kube_master}
http_proxy: {get_param: http_proxy} http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy} https_proxy: {get_param: https_proxy}
@ -580,6 +585,7 @@ resources:
password: {get_param: password} password: {get_param: password}
kubernetes_port: {get_param: kubernetes_port} kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled} tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
secgroup_kube_minion_id: {get_resource: secgroup_kube_minion} secgroup_kube_minion_id: {get_resource: secgroup_kube_minion}
http_proxy: {get_param: http_proxy} http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy} https_proxy: {get_param: https_proxy}


@ -114,6 +114,10 @@ parameters:
type: boolean type: boolean
description: whether or not to disable kubernetes dashboard description: whether or not to disable kubernetes dashboard
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port: kubernetes_port:
type: number type: number
description: > description: >
@ -324,6 +328,7 @@ resources:
"$CLUSTER_SUBNET": {get_param: fixed_subnet} "$CLUSTER_SUBNET": {get_param: fixed_subnet}
"$TLS_DISABLED": {get_param: tls_disabled} "$TLS_DISABLED": {get_param: tls_disabled}
"$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled} "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
"$VERIFY_CA": {get_param: verify_ca}
"$CLUSTER_UUID": {get_param: cluster_uuid} "$CLUSTER_UUID": {get_param: cluster_uuid}
"$MAGNUM_URL": {get_param: magnum_url} "$MAGNUM_URL": {get_param: magnum_url}
"$VOLUME_DRIVER": {get_param: volume_driver} "$VOLUME_DRIVER": {get_param: volume_driver}


@ -57,6 +57,10 @@ parameters:
type: boolean type: boolean
description: whether or not to enable TLS description: whether or not to enable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port: kubernetes_port:
type: number type: number
description: > description: >
@ -269,6 +273,7 @@ resources:
$REGISTRY_INSECURE: {get_param: registry_insecure} $REGISTRY_INSECURE: {get_param: registry_insecure}
$REGISTRY_CHUNKSIZE: {get_param: registry_chunksize} $REGISTRY_CHUNKSIZE: {get_param: registry_chunksize}
$TLS_DISABLED: {get_param: tls_disabled} $TLS_DISABLED: {get_param: tls_disabled}
$VERIFY_CA: {get_param: verify_ca}
$CLUSTER_UUID: {get_param: cluster_uuid} $CLUSTER_UUID: {get_param: cluster_uuid}
$MAGNUM_URL: {get_param: magnum_url} $MAGNUM_URL: {get_param: magnum_url}
$USERNAME: {get_param: username} $USERNAME: {get_param: username}


@ -250,6 +250,10 @@ parameters:
description: whether or not to disable kubernetes dashboard description: whether or not to disable kubernetes dashboard
default: True default: True
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port: kubernetes_port:
type: number type: number
description: > description: >
@ -484,6 +488,7 @@ resources:
kubernetes_port: {get_param: kubernetes_port} kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled} tls_disabled: {get_param: tls_disabled}
kube_dashboard_enabled: {get_param: kube_dashboard_enabled} kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
verify_ca: {get_param: verify_ca}
secgroup_base_id: {get_resource: secgroup_base} secgroup_base_id: {get_resource: secgroup_base}
secgroup_kube_master_id: {get_resource: secgroup_kube_master} secgroup_kube_master_id: {get_resource: secgroup_kube_master}
http_proxy: {get_param: http_proxy} http_proxy: {get_param: http_proxy}
@ -574,6 +579,7 @@ resources:
password: {get_param: password} password: {get_param: password}
kubernetes_port: {get_param: kubernetes_port} kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled} tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
http_proxy: {get_param: http_proxy} http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy} https_proxy: {get_param: https_proxy}
no_proxy: {get_param: no_proxy} no_proxy: {get_param: no_proxy}


@ -99,6 +99,10 @@ parameters:
type: boolean type: boolean
description: whether or not to disable kubernetes dashboard description: whether or not to disable kubernetes dashboard
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port: kubernetes_port:
type: number type: number
description: > description: >
@ -289,6 +293,7 @@ resources:
"$CLUSTER_SUBNET": {get_param: fixed_subnet} "$CLUSTER_SUBNET": {get_param: fixed_subnet}
"$TLS_DISABLED": {get_param: tls_disabled} "$TLS_DISABLED": {get_param: tls_disabled}
"$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled} "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
"$VERIFY_CA": {get_param: verify_ca}
"$CLUSTER_UUID": {get_param: cluster_uuid} "$CLUSTER_UUID": {get_param: cluster_uuid}
"$MAGNUM_URL": {get_param: magnum_url} "$MAGNUM_URL": {get_param: magnum_url}
"$HTTP_PROXY": {get_param: http_proxy} "$HTTP_PROXY": {get_param: http_proxy}


@ -29,6 +29,10 @@ parameters:
type: boolean type: boolean
description: whether or not to enable TLS description: whether or not to enable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port: kubernetes_port:
type: number type: number
description: > description: >
@ -203,6 +207,7 @@ resources:
$REGISTRY_INSECURE: {get_param: registry_insecure} $REGISTRY_INSECURE: {get_param: registry_insecure}
$REGISTRY_CHUNKSIZE: {get_param: registry_chunksize} $REGISTRY_CHUNKSIZE: {get_param: registry_chunksize}
$TLS_DISABLED: {get_param: tls_disabled} $TLS_DISABLED: {get_param: tls_disabled}
$VERIFY_CA: {get_param: verify_ca}
$CLUSTER_UUID: {get_param: cluster_uuid} $CLUSTER_UUID: {get_param: cluster_uuid}
$MAGNUM_URL: {get_param: magnum_url} $MAGNUM_URL: {get_param: magnum_url}
$USERNAME: {get_param: username} $USERNAME: {get_param: username}


@ -64,6 +64,10 @@ parameters:
enables any host to take control of a volume irrespective of whether enables any host to take control of a volume irrespective of whether
other hosts are using the volume other hosts are using the volume
verify_ca:
type: boolean
description: whether or not to validate certificate authority
mesos_slave_isolation: mesos_slave_isolation:
type: string type: string
description: > description: >
@ -154,9 +158,10 @@ resources:
str_replace: str_replace:
template: | template: |
#!/bin/bash -v #!/bin/bash -v
wc_notify --data-binary '{"status": "SUCCESS"}' wc_notify $VERIFY_CA --data-binary '{"status": "SUCCESS"}'
params: params:
wc_notify: {get_param: mesos_slave_wc_curl_cli} wc_notify: {get_param: mesos_slave_wc_curl_cli}
"$VERIFY_CA": {get_param: verify_ca}
add_proxy: add_proxy:
type: OS::Heat::SoftwareConfig type: OS::Heat::SoftwareConfig
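Review bot: The `$VERIFY_CA` token on the `wc_notify` line of the inline script is substituted by str_replace with the boolean parameter's rendered value, so the node ends up running `<curl_cli> True --data-binary ...` (or `False`) rather than passing a curl option; as far as I can tell curl treats the extra word as a second URL, and the `False` case never adds `-k`, so this template's notify is not actually governed by the new setting. The swarm fragments elsewhere in this change map the boolean to a flag in shell first, and this template should do the same, using a separate variable name so the mapping does not collide with the substituted token. Taking the `-k` path only when the value is exactly `False` keeps verification on for any unexpected value.
```yaml
template: |
  #!/bin/bash -v
  if [ "$VERIFY_CA" = "False" ]; then
      curl_opts="-k"
  else
      curl_opts=""
  fi
  wc_notify $curl_opts --data-binary '{"status": "SUCCESS"}'
# … unchanged: params block (wc_notify, $VERIFY_CA) …
```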


@ -207,6 +207,10 @@ parameters:
be empty when doing a create. be empty when doing a create.
default: [] default: []
verify_ca:
type: boolean
description: whether or not to validate certificate authority
resources: resources:
###################################################################### ######################################################################
@ -458,6 +462,7 @@ resources:
mesos_slave_image_providers: {get_param: mesos_slave_image_providers} mesos_slave_image_providers: {get_param: mesos_slave_image_providers}
mesos_slave_executor_env_variables: {get_param: mesos_slave_executor_env_variables} mesos_slave_executor_env_variables: {get_param: mesos_slave_executor_env_variables}
mesos_slave_wc_curl_cli: {get_attr: [slave_wait_handle, curl_cli]} mesos_slave_wc_curl_cli: {get_attr: [slave_wait_handle, curl_cli]}
verify_ca: {get_param: verify_ca}
outputs: outputs:


@ -100,6 +100,10 @@ parameters:
description: whether or not to enable TLS description: whether or not to enable TLS
default: False default: False
verify_ca:
type: boolean
description: whether or not to validate certificate authority
network_driver: network_driver:
type: string type: string
description: network driver to use for instantiating container networks description: network driver to use for instantiating container networks
@ -374,6 +378,7 @@ resources:
cluster_uuid: {get_param: cluster_uuid} cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url} magnum_url: {get_param: magnum_url}
tls_disabled: {get_param: tls_disabled} tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
secgroup_swarm_master_id: {get_resource: secgroup_swarm_manager} secgroup_swarm_master_id: {get_resource: secgroup_swarm_manager}
network_driver: {get_param: network_driver} network_driver: {get_param: network_driver}
flannel_network_cidr: {get_param: flannel_network_cidr} flannel_network_cidr: {get_param: flannel_network_cidr}
@ -422,6 +427,7 @@ resources:
cluster_uuid: {get_param: cluster_uuid} cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url} magnum_url: {get_param: magnum_url}
tls_disabled: {get_param: tls_disabled} tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
secgroup_swarm_node_id: {get_resource: secgroup_swarm_node} secgroup_swarm_node_id: {get_resource: secgroup_swarm_node}
flannel_network_cidr: {get_param: flannel_network_cidr} flannel_network_cidr: {get_param: flannel_network_cidr}
network_driver: {get_param: network_driver} network_driver: {get_param: network_driver}


@ -90,6 +90,10 @@ parameters:
type: boolean type: boolean
description: whether or not to enable TLS description: whether or not to enable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
network_driver: network_driver:
type: string type: string
description: network driver to use for instantiating container networks description: network driver to use for instantiating container networks
@ -243,6 +247,7 @@ resources:
"$CLUSTER_UUID": {get_param: cluster_uuid} "$CLUSTER_UUID": {get_param: cluster_uuid}
"$MAGNUM_URL": {get_param: magnum_url} "$MAGNUM_URL": {get_param: magnum_url}
"$TLS_DISABLED": {get_param: tls_disabled} "$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$NETWORK_DRIVER": {get_param: network_driver} "$NETWORK_DRIVER": {get_param: network_driver}
"$FLANNEL_NETWORK_CIDR": {get_param: flannel_network_cidr} "$FLANNEL_NETWORK_CIDR": {get_param: flannel_network_cidr}
"$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen} "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
@ -319,6 +324,7 @@ resources:
params: params:
"$SERVICE": swarm-manager "$SERVICE": swarm-manager
"$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]} "$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}
"$VERIFY_CA": {get_param: verify_ca}
write_docker_socket: write_docker_socket:
type: "OS::Heat::SoftwareConfig" type: "OS::Heat::SoftwareConfig"
@ -341,6 +347,7 @@ resources:
"$HTTPS_PROXY": {get_param: https_proxy} "$HTTPS_PROXY": {get_param: https_proxy}
"$NO_PROXY": {get_attr: [no_proxy_extended, value]} "$NO_PROXY": {get_attr: [no_proxy_extended, value]}
"$TLS_DISABLED": {get_param: tls_disabled} "$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$SWARM_VERSION": {get_param: swarm_version} "$SWARM_VERSION": {get_param: swarm_version}
"$SWARM_STRATEGY": {get_param: swarm_strategy} "$SWARM_STRATEGY": {get_param: swarm_strategy}


@ -93,6 +93,10 @@ parameters:
type: boolean type: boolean
description: whether or not to disable TLS description: whether or not to disable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
swarm_version: swarm_version:
type: string type: string
description: version of swarm used for swarm cluster description: version of swarm used for swarm cluster
@ -220,6 +224,7 @@ resources:
"$CLUSTER_UUID": {get_param: cluster_uuid} "$CLUSTER_UUID": {get_param: cluster_uuid}
"$MAGNUM_URL": {get_param: magnum_url} "$MAGNUM_URL": {get_param: magnum_url}
"$TLS_DISABLED": {get_param: tls_disabled} "$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$NETWORK_DRIVER": {get_param: network_driver} "$NETWORK_DRIVER": {get_param: network_driver}
"$ETCD_SERVER_IP": {get_param: etcd_server_ip} "$ETCD_SERVER_IP": {get_param: etcd_server_ip}
"$API_IP_ADDRESS": {get_param: api_ip_address} "$API_IP_ADDRESS": {get_param: api_ip_address}
@ -295,6 +300,7 @@ resources:
params: params:
"$SERVICE": swarm-agent "$SERVICE": swarm-agent
"$WAIT_CURL": {get_attr: [node_wait_handle, curl_cli]} "$WAIT_CURL": {get_attr: [node_wait_handle, curl_cli]}
"$VERIFY_CA": {get_param: verify_ca}
write_swarm_agent_service: write_swarm_agent_service:
type: "OS::Heat::SoftwareConfig" type: "OS::Heat::SoftwareConfig"


@ -26,3 +26,4 @@ write_files:
AUTH_URL="$AUTH_URL" AUTH_URL="$AUTH_URL"
VOLUME_DRIVER="$VOLUME_DRIVER" VOLUME_DRIVER="$VOLUME_DRIVER"
REXRAY_PREEMPT="$REXRAY_PREEMPT" REXRAY_PREEMPT="$REXRAY_PREEMPT"
VERIFY_CA="$VERIFY_CA"


@ -4,6 +4,12 @@
set -x set -x
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
if [ "${IS_PRIMARY_MASTER}" = "True" ]; then if [ "${IS_PRIMARY_MASTER}" = "True" ]; then
cat > /usr/local/bin/magnum-start-swarm-manager << START_SWARM_BIN cat > /usr/local/bin/magnum-start-swarm-manager << START_SWARM_BIN
#!/bin/bash -xe #!/bin/bash -xe
@ -16,7 +22,7 @@ else
status="FAILURE" status="FAILURE"
msg="Failed to init swarm." msg="Failed to init swarm."
fi fi
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'" sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'"
START_SWARM_BIN START_SWARM_BIN
else else
if [ "${TLS_DISABLED}" = 'False' ]; then if [ "${TLS_DISABLED}" = 'False' ]; then
@ -37,7 +43,7 @@ do
done done
if [[ -z \$token ]] ; then if [[ -z \$token ]] ; then
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'" sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
fi fi
i=0 i=0
@ -48,9 +54,9 @@ do
sleep 5 sleep 5
done done
if [[ \$i -ge 5 ]] ; then if [[ \$i -ge 5 ]] ; then
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'" sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'"
else else
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'" sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'"
fi fi
START_SWARM_BIN START_SWARM_BIN
fi fi
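Review bot: The new mapping at the top of the script fails open: `-k` is selected whenever `$VERIFY_CA` is anything other than the exact string `True`, so an unset, empty or differently-cased value silently disables certificate verification for every wait-condition notify in the script. Inverting the test makes the insecure option the explicit opt-in and also matches the single `=` form already used on the `IS_PRIMARY_MASTER` check: `if [ "$VERIFY_CA" = "False" ]; then VERIFY_CA="-k"; else VERIFY_CA=""; fi`. Reusing `VERIFY_CA` to hold a curl option after it held the boolean reads oddly; a name such as `CURL_VERIFY_OPT` would make the `${WAIT_CURL} ${CURL_VERIFY_OPT}` lines self-explanatory. The same block is added to the swarm-mode node start script in this change. The script begins before this hunk, so where `VERIFY_CA` is initially set is not visible here.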


@ -4,6 +4,12 @@
set -x set -x
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
if [ "${TLS_DISABLED}" = 'False' ]; then if [ "${TLS_DISABLED}" = 'False' ]; then
tls="--tlsverify" tls="--tlsverify"
tls=$tls" --tlscacert=/etc/docker/ca.crt" tls=$tls" --tlscacert=/etc/docker/ca.crt"
@ -22,7 +28,7 @@ do
done done
if [[ -z \$token ]] ; then if [[ -z \$token ]] ; then
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'" sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
fi fi
i=0 i=0
@ -33,9 +39,9 @@ do
sleep 5 sleep 5
done done
if [[ \$i -ge 5 ]] ; then if [[ \$i -ge 5 ]] ; then
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'" sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'"
else else
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'" sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'"
fi fi
START_SWARM_BIN START_SWARM_BIN


@ -179,6 +179,9 @@ parameters:
other hosts are using the volume other hosts are using the volume
default: "false" default: "false"
verify_ca:
type: boolean
description: whether or not to validate certificate authority
resources: resources:
@ -301,6 +304,7 @@ resources:
auth_url: {get_param: auth_url} auth_url: {get_param: auth_url}
volume_driver: {get_param: volume_driver} volume_driver: {get_param: volume_driver}
rexray_preempt: {get_param: rexray_preempt} rexray_preempt: {get_param: rexray_preempt}
verify_ca: {get_param: verify_ca}
swarm_secondary_masters: swarm_secondary_masters:
type: "OS::Heat::ResourceGroup" type: "OS::Heat::ResourceGroup"
@ -342,6 +346,7 @@ resources:
auth_url: {get_param: auth_url} auth_url: {get_param: auth_url}
volume_driver: {get_param: volume_driver} volume_driver: {get_param: volume_driver}
rexray_preempt: {get_param: rexray_preempt} rexray_preempt: {get_param: rexray_preempt}
verify_ca: {get_param: verify_ca}
swarm_nodes: swarm_nodes:
type: "OS::Heat::ResourceGroup" type: "OS::Heat::ResourceGroup"
@ -383,6 +388,7 @@ resources:
auth_url: {get_param: auth_url} auth_url: {get_param: auth_url}
volume_driver: {get_param: volume_driver} volume_driver: {get_param: volume_driver}
rexray_preempt: {get_param: rexray_preempt} rexray_preempt: {get_param: rexray_preempt}
verify_ca: {get_param: verify_ca}
outputs: outputs:


@ -135,6 +135,10 @@ parameters:
description: whether this master is primary or not description: whether this master is primary or not
default: False default: False
verify_ca:
type: boolean
description: whether or not to validate certificate authority
resources: resources:
master_wait_handle: master_wait_handle:
@ -195,6 +199,7 @@ resources:
"$AUTH_URL": {get_param: auth_url} "$AUTH_URL": {get_param: auth_url}
"$VOLUME_DRIVER": {get_param: volume_driver} "$VOLUME_DRIVER": {get_param: volume_driver}
"$REXRAY_PREEMPT": {get_param: rexray_preempt} "$REXRAY_PREEMPT": {get_param: rexray_preempt}
"$VERIFY_CA": {get_param: verify_ca}
remove_docker_key: remove_docker_key:
type: "OS::Heat::SoftwareConfig" type: "OS::Heat::SoftwareConfig"


@ -127,6 +127,10 @@ parameters:
other hosts are using the volume other hosts are using the volume
default: "false" default: "false"
verify_ca:
type: boolean
description: whether or not to validate certificate authority
resources: resources:
node_wait_handle: node_wait_handle:
@ -172,6 +176,7 @@ resources:
"$AUTH_URL": {get_param: auth_url} "$AUTH_URL": {get_param: auth_url}
"$VOLUME_DRIVER": {get_param: volume_driver} "$VOLUME_DRIVER": {get_param: volume_driver}
"$REXRAY_PREEMPT": {get_param: rexray_preempt} "$REXRAY_PREEMPT": {get_param: rexray_preempt}
"$VERIFY_CA": {get_param: verify_ca}
remove_docker_key: remove_docker_key:
type: "OS::Heat::SoftwareConfig" type: "OS::Heat::SoftwareConfig"


@ -225,6 +225,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'auth_url': 'http://192.168.10.10:5000/v3', 'auth_url': 'http://192.168.10.10:5000/v3',
'insecure_registry_url': '10.0.0.1:5000', 'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version', 'kube_version': 'fake-version',
'verify_ca': True,
} }
if missing_attr is not None: if missing_attr is not None:
expected.pop(mapping[missing_attr], None) expected.pop(mapping[missing_attr], None)
@ -319,6 +320,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'volume_driver': 'volume_driver', 'volume_driver': 'volume_driver',
'insecure_registry_url': '10.0.0.1:5000', 'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version', 'kube_version': 'fake-version',
'verify_ca': True,
} }
self.assertEqual(expected, definition) self.assertEqual(expected, definition)
@ -398,7 +400,8 @@ class TestClusterConductorWithK8s(base.TestCase):
'trustee_password': 'fake_trustee_password', 'trustee_password': 'fake_trustee_password',
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
'trustee_username': 'fake_trustee', 'trustee_username': 'fake_trustee',
'username': 'fake_user' 'username': 'fake_user',
'verify_ca': True,
} }
self.assertEqual(expected, definition) self.assertEqual(expected, definition)
self.assertEqual( self.assertEqual(
@ -475,6 +478,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'magnum_url': self.mock_osc.magnum_url.return_value, 'magnum_url': self.mock_osc.magnum_url.return_value,
'insecure_registry_url': '10.0.0.1:5000', 'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version', 'kube_version': 'fake-version',
'verify_ca': True,
} }
self.assertEqual(expected, definition) self.assertEqual(expected, definition)
self.assertEqual( self.assertEqual(
@ -546,6 +550,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'magnum_url': self.mock_osc.magnum_url.return_value, 'magnum_url': self.mock_osc.magnum_url.return_value,
'insecure_registry_url': '10.0.0.1:5000', 'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version', 'kube_version': 'fake-version',
'verify_ca': True,
} }
self.assertEqual(expected, definition) self.assertEqual(expected, definition)
self.assertEqual( self.assertEqual(
@ -731,6 +736,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'auth_url': 'http://192.168.10.10:5000/v3', 'auth_url': 'http://192.168.10.10:5000/v3',
'insecure_registry_url': '10.0.0.1:5000', 'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version', 'kube_version': 'fake-version',
'verify_ca': True,
} }
self.assertEqual(expected, definition) self.assertEqual(expected, definition)
self.assertEqual( self.assertEqual(
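Review bot: Every updated expectation pins `'verify_ca': True`, which is only the default, so nothing verifies that a `verify_ca = False` override actually reaches the template definition — the path an operator relying on this setting would exercise. One test per conductor that overrides the option, presumably `CONF.set_override('verify_ca', False, group='<drivers group name>')` with the matching cleanup, and asserts `'verify_ca': False` in the resulting definition would close that gap. The same applies to the mesos and swarm conductor test sections in this change. The enclosing test methods start outside these hunks.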


@ -137,7 +137,8 @@ class TestClusterConductorWithMesos(base.TestCase):
'mesos_slave_executor_env_variables': '{}', 'mesos_slave_executor_env_variables': '{}',
'mesos_slave_isolation': 'docker/runtime,filesystem/linux', 'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
'mesos_slave_work_dir': '/tmp/mesos/slave', 'mesos_slave_work_dir': '/tmp/mesos/slave',
'mesos_slave_image_providers': 'docker' 'mesos_slave_image_providers': 'docker',
'verify_ca': True,
} }
self.assertEqual(expected, definition) self.assertEqual(expected, definition)
self.assertEqual( self.assertEqual(
@ -192,6 +193,7 @@ class TestClusterConductorWithMesos(base.TestCase):
'mesos_slave_work_dir': '/tmp/mesos/slave', 'mesos_slave_work_dir': '/tmp/mesos/slave',
'mesos_slave_image_providers': 'docker', 'mesos_slave_image_providers': 'docker',
'master_flavor': 'master_flavor_id', 'master_flavor': 'master_flavor_id',
'verify_ca': True,
} }
self.assertEqual(expected, definition) self.assertEqual(expected, definition)
self.assertEqual( self.assertEqual(
@ -248,7 +250,8 @@ class TestClusterConductorWithMesos(base.TestCase):
'mesos_slave_executor_env_variables': '{}', 'mesos_slave_executor_env_variables': '{}',
'mesos_slave_isolation': 'docker/runtime,filesystem/linux', 'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
'mesos_slave_work_dir': '/tmp/mesos/slave', 'mesos_slave_work_dir': '/tmp/mesos/slave',
'mesos_slave_image_providers': 'docker' 'mesos_slave_image_providers': 'docker',
'verify_ca': True,
} }
self.assertEqual(expected, definition) self.assertEqual(expected, definition)
self.assertEqual( self.assertEqual(
@ -306,7 +309,8 @@ class TestClusterConductorWithMesos(base.TestCase):
'mesos_slave_executor_env_variables': '{}', 'mesos_slave_executor_env_variables': '{}',
'mesos_slave_isolation': 'docker/runtime,filesystem/linux', 'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
'mesos_slave_work_dir': '/tmp/mesos/slave', 'mesos_slave_work_dir': '/tmp/mesos/slave',
'mesos_slave_image_providers': 'docker' 'mesos_slave_image_providers': 'docker',
'verify_ca': True,
} }
self.assertEqual(expected, definition) self.assertEqual(expected, definition)
self.assertEqual( self.assertEqual(


@ -160,7 +160,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
'swarm_strategy': u'spread', 'swarm_strategy': u'spread',
'volume_driver': 'rexray', 'volume_driver': 'rexray',
'rexray_preempt': 'False', 'rexray_preempt': 'False',
'docker_volume_type': 'lvmdriver-1' 'docker_volume_type': 'lvmdriver-1',
'verify_ca': True,
} }
self.assertEqual(expected, definition) self.assertEqual(expected, definition)
self.assertEqual( self.assertEqual(
@ -236,7 +237,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
'swarm_strategy': u'spread', 'swarm_strategy': u'spread',
'volume_driver': 'rexray', 'volume_driver': 'rexray',
'rexray_preempt': 'False', 'rexray_preempt': 'False',
'docker_volume_type': 'lvmdriver-1' 'docker_volume_type': 'lvmdriver-1',
'verify_ca': True,
} }
self.assertEqual(expected, definition) self.assertEqual(expected, definition)
self.assertEqual( self.assertEqual(
@ -306,6 +308,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
'docker_volume_type': 'lvmdriver-1', 'docker_volume_type': 'lvmdriver-1',
'docker_volume_size': 20, 'docker_volume_size': 20,
'master_flavor': 'master_flavor_id', 'master_flavor': 'master_flavor_id',
'verify_ca': True,
} }
self.assertEqual(expected, definition) self.assertEqual(expected, definition)
self.assertEqual( self.assertEqual(
@ -375,7 +378,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
'swarm_strategy': u'spread', 'swarm_strategy': u'spread',
'volume_driver': 'rexray', 'volume_driver': 'rexray',
'rexray_preempt': 'False', 'rexray_preempt': 'False',
'docker_volume_type': 'lvmdriver-1' 'docker_volume_type': 'lvmdriver-1',
'verify_ca': True,
} }
self.assertEqual(expected, definition) self.assertEqual(expected, definition)
self.assertEqual( self.assertEqual(
@ -446,7 +450,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
'swarm_strategy': u'spread', 'swarm_strategy': u'spread',
'volume_driver': 'rexray', 'volume_driver': 'rexray',
'rexray_preempt': 'False', 'rexray_preempt': 'False',
'docker_volume_type': 'lvmdriver-1' 'docker_volume_type': 'lvmdriver-1',
'verify_ca': True,
} }
self.assertEqual(expected, definition) self.assertEqual(expected, definition)
self.assertEqual( self.assertEqual(


@ -0,0 +1,12 @@
---
fixes:
- |
[`bug 1663757 <https://bugs.launchpad.net/magnum/+bug/1663757>`_]
A configuration parameter, verify_ca, was added to magnum.conf
with a default value of True and passed to the heat templates to indicate
whether the cluster nodes validate the Certificate Authority when making
requests to the OpenStack APIs (Keystone, Magnum, Heat). This parameter
can be set to False to disable CA validation if you have self-signed
certificates for the OpenStack APIs or you have your own Certificate
Authority and you have not installed the Certificate Authority to all
nodes.