Add base support for SSL for Openstack services
- Update the "address" function to use the "tls" config option and set the scheme to 'https'. We also check that the service is in the list of services which support TLS. - Update the function that generates the environment used by openstackclient. The 'https' scheme is now used if 'tls' is enabled, and a new variable was added to store the path to the CA certificate file. - Change the implementation of httpGet to support 'https' endpoints. The requests.get method now uses the 'https' scheme with verify=False if 'tls' is enabled. Change-Id: I88bc21571589dcd4c31bb5ce5015a75676ed2d85
parent
d82aebcd82
commit
3d7b7d9cf2
@ -178,8 +178,10 @@ def openstackclient_preexec_fn():
|
||||
os.environ["OS_PASSWORD"] = VARIABLES['openstack']['user_password']
|
||||
os.environ["OS_USERNAME"] = VARIABLES['openstack']['user_name']
|
||||
os.environ["OS_PROJECT_NAME"] = VARIABLES['openstack']['project_name']
|
||||
os.environ["OS_AUTH_URL"] = 'http://%s/v3' % address(
|
||||
'keystone', VARIABLES['keystone']['admin_port'])
|
||||
if VARIABLES['security']['tls']['openstack']['enabled']:
|
||||
os.environ["OS_CACERT"] = CACERT
|
||||
os.environ["OS_AUTH_URL"] = '%s/v3' % address(
|
||||
'keystone', VARIABLES['keystone']['admin_port'], with_scheme=True)
|
||||
return result
|
||||
|
||||
|
||||
@ -215,7 +217,15 @@ def get_ingress_host(ingress_name):
|
||||
|
||||
def address(service, port=None, external=False, with_scheme=False):
|
||||
addr = None
|
||||
scheme = 'http'
|
||||
service_name = service.split('-')[0]
|
||||
TLS_SERVICES = ('keystone', 'glance', 'cinder', 'horizon', 'nova',
|
||||
'neutron', 'heat')
|
||||
|
||||
if ((VARIABLES['security']['tls']['openstack']['enabled'] and
|
||||
service_name in TLS_SERVICES)):
|
||||
scheme = 'https'
|
||||
else:
|
||||
scheme = 'http'
|
||||
if external:
|
||||
if not port:
|
||||
raise RuntimeError('Port config is required for external address')
|
||||
@ -516,11 +526,19 @@ def run_probe(probe):
|
||||
if probe["type"] == "exec":
|
||||
run_cmd(probe["command"])
|
||||
elif probe["type"] == "httpGet":
|
||||
url = "http://{}:{}{}".format(
|
||||
verify = True
|
||||
if VARIABLES['security']['tls']['openstack']['enabled']:
|
||||
scheme = 'https'
|
||||
# disable SSL check for probe request
|
||||
verify = False
|
||||
else:
|
||||
scheme = 'http'
|
||||
url = "{}://{}:{}{}".format(
|
||||
scheme,
|
||||
VARIABLES["network_topology"]["private"]["address"],
|
||||
probe["port"],
|
||||
probe.get("path", "/"))
|
||||
resp = requests.get(url)
|
||||
resp = requests.get(url, verify=verify)
|
||||
resp.raise_for_status()
|
||||
|
||||
|
||||
|
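Review bot: In the httpGet branch of run_probe, `verify = False` turns off certificate validation for every probe request once TLS is enabled, although the same commit already exports a CA bundle path (`CACERT`) for openstackclient. Passing that bundle instead, `verify = CACERT` in the TLS branch, would stop the probe from accepting whatever certificate is presented on that port, assuming `CACERT` is a module-level path as its use in openstackclient_preexec_fn suggests. If the service certificate does not cover the private address placed in the URL, the comment beside the override should say so, for example `# cert SAN does not include the private address; hostname check would fail`, rather than the bare "disable SSL check". The branch also selects https on the global flag alone, whereas address() additionally requires `service_name in TLS_SERVICES`, so a probe for a service outside that tuple would presumably be sent over https to a plain-http listener. run_probe starts and ends outside the hunk.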
@ -175,7 +175,10 @@ class TestGetETCDClient(base.TestCase):
|
||||
},
|
||||
"security": {
|
||||
"tls": {
|
||||
"enabled": False
|
||||
"enabled": False,
|
||||
"openstack": {
|
||||
"enabled": False
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -205,7 +208,10 @@ class TestGetETCDClient(base.TestCase):
|
||||
},
|
||||
"security": {
|
||||
"tls": {
|
||||
"enabled": True
|
||||
"enabled": True,
|
||||
"openstack": {
|
||||
"enabled": True
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|