From 28be1058f6518450c1106a4ff0488b2159853680 Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Wed, 16 May 2018 15:52:46 +0200
Subject: [PATCH] undercloud: set OS_CACERT when TLS is used

This fixes TLS errors when anything using python-requests is run from a virtualenv.

Change-Id: Icf659e54e8887dc9759cd4d8f732982ce3e0ae5f
Closes-Bug: #1771565
---
 extraconfig/post_deploy/undercloud_post.sh | 6 ++++++
 extraconfig/post_deploy/undercloud_post.yaml | 11 +++++++++++
 2 files changed, 17 insertions(+)

diff --git a/extraconfig/post_deploy/undercloud_post.sh b/extraconfig/post_deploy/undercloud_post.sh
index 8f380eead4..bd5a6402a1 100755
--- a/extraconfig/post_deploy/undercloud_post.sh
+++ b/extraconfig/post_deploy/undercloud_post.sh
@@ -29,6 +29,12 @@ export OS_PROJECT_DOMAIN_NAME='Default'
 export OS_USER_DOMAIN_NAME='Default'
 EOF_CAT

+if [ -n "$internal_tls_ca_file" ]; then
+ cat >> $HOMEDIR/stackrc <<-EOF_CAT
+export OS_CACERT="$internal_tls_ca_file"
+EOF_CAT
+fi
+
 cat >> $HOMEDIR/stackrc <<-"EOF_CAT"
 # Add OS_CLOUDNAME to PS1
 if [ -z "${CLOUDPROMPT_ENABLED:-}" ]; then
diff --git a/extraconfig/post_deploy/undercloud_post.yaml b/extraconfig/post_deploy/undercloud_post.yaml
index 31305e8a50..2c55b6b562 100644
--- a/extraconfig/post_deploy/undercloud_post.yaml
+++ b/extraconfig/post_deploy/undercloud_post.yaml
@@ -28,6 +28,11 @@ parameters:
 description: >
 Whether the public SSL certificate was autogenerated or not.
 type: boolean
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
 SnmpdReadonlyUserPassword:
 description: The user password for SNMPd with readonly rights running on all Overcloud nodes
 type: string
@@ -90,6 +95,7 @@ resources:
 - name: auth_url
 - name: snmp_readonly_user_password
 - name: enable_validations
+ - name: internal_tls_ca_file
 config: {get_file: ./undercloud_post.sh}

 UndercloudPostDeployment:
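Review bot: The new heredoc writes `export OS_CACERT="$internal_tls_ca_file"` with double quotes, so the path is expanded once when stackrc is generated and again every time stackrc is sourced, whereas the sibling exports above it use single quotes and are inert at source time. Because the `<<-EOF_CAT` delimiter is unquoted the heredoc already substitutes the variable, so `export OS_CACERT='$internal_tls_ca_file'` gives the same result while matching the surrounding style and keeping a path containing `$` from being re-expanded later. The `-n` test also accepts a path that is not present on the undercloud; clients then fail later with a certificate-bundle error that does not name the cause, so a `[ -r "$internal_tls_ca_file" ]` check, or at least an echoed warning when it is unreadable, would surface a misconfigured CA path at deploy time. `$HOMEDIR` is unquoted in the new `cat >>` line exactly as in the existing one below it, so that is not a regression.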
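Review bot: The new `InternalTLSCAFile` description is a plain scalar continued onto a second line, while the neighbouring parameters in this hunk use a `>` folded block; writing it as `description: >` with the text indented beneath keeps the file consistent and avoids a plain-scalar continuation that yamllint flags. The description should also say how the value is consumed, which the rest of this commit shows: it is exported as `OS_CACERT` in the generated stackrc, and only when TLS is enabled, so the file has to be readable on the undercloud host and has to be a CA that can verify the endpoint stackrc points at. Something like `CA file exported as OS_CACERT in stackrc when TLS is enabled; must exist on the undercloud and verify the stackrc endpoint.` would tell a deployer what to provide.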
@@ -104,6 +110,11 @@ resources:
 admin_password: {get_param: AdminPassword}
 snmp_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
 enable_validations: [get_params: EnableValidations]
+ internal_tls_ca_file:
+ if:
+ - tls_enabled
+ - {get_param: InternalTLSCAFile}
+ - ''
 # if SSL is enabled we use the public virtual ip as the stackrc endpoint
 auth_url:
 if:
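Review bot: The new `internal_tls_ca_file` value is gated on `tls_enabled`, which the comment two lines below ties to the public SSL endpoint, yet the file it selects is described in the earlier hunk as the CA for the internal network (`/etc/ipa/ca.crt` by default). If the public certificate is not issued by that CA — and the boolean parameter in the earlier hunk whose description reads "Whether the public SSL certificate was autogenerated or not" suggests both cases exist — then OS_CACERT will make every client reject the public endpoint instead of fixing the virtualenv case. Consider combining `tls_enabled` with that autogenerated flag in the condition, or stating in the `InternalTLSCAFile` description that the public certificate must chain to this CA; the definition of `tls_enabled` is outside this hunk so I cannot confirm its exact meaning. Separately, the adjacent context line `enable_validations: [get_params: EnableValidations]` looks like a pre-existing typo for `{get_param: EnableValidations}`; as written it presumably reaches the script as a one-element list rather than the parameter value.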