Add base support for SSL for Openstack services
- Update "address" function to use "tls" config option and set scheme to 'https'. Also we check, that service is in list of services, which support TLS. - Updated function for generation Environment, which will be used by openstackclient. Now 'https' scheme will be used if 'tls' is enabled. Also was added new variable for storing path for file with CA certificate. - Implementation of httpGet was changed to support 'https' endpoints. Now requests.get method uses 'https' scheme with verify=False, if 'tls' is enabled. Change-Id: I88bc21571589dcd4c31bb5ce5015a75676ed2d85
This commit is contained in:
parent
af796f851e
commit
44cc4454db
@ -180,8 +180,10 @@ def openstackclient_preexec_fn():
|
|||||||
os.environ["OS_PASSWORD"] = VARIABLES['openstack']['user_password']
|
os.environ["OS_PASSWORD"] = VARIABLES['openstack']['user_password']
|
||||||
os.environ["OS_USERNAME"] = VARIABLES['openstack']['user_name']
|
os.environ["OS_USERNAME"] = VARIABLES['openstack']['user_name']
|
||||||
os.environ["OS_PROJECT_NAME"] = VARIABLES['openstack']['project_name']
|
os.environ["OS_PROJECT_NAME"] = VARIABLES['openstack']['project_name']
|
||||||
os.environ["OS_AUTH_URL"] = 'http://%s/v3' % address(
|
if VARIABLES['security']['tls']['create_certificates']:
|
||||||
'keystone', VARIABLES['keystone']['admin_port'])
|
os.environ["OS_CACERT"] = CACERT
|
||||||
|
os.environ["OS_AUTH_URL"] = '%s/v3' % address(
|
||||||
|
'keystone', VARIABLES['keystone']['admin_port'], with_scheme=True)
|
||||||
return result
|
return result
|
||||||
|
|
||||||
|
|
||||||
@ -217,7 +219,12 @@ def get_ingress_host(ingress_name):
|
|||||||
|
|
||||||
def address(service, port=None, external=False, with_scheme=False):
|
def address(service, port=None, external=False, with_scheme=False):
|
||||||
addr = None
|
addr = None
|
||||||
scheme = 'http'
|
enable_tls = VARIABLES.get(service, {}).get('tls', {}).get('enabled')
|
||||||
|
|
||||||
|
if enable_tls:
|
||||||
|
scheme = 'https'
|
||||||
|
else:
|
||||||
|
scheme = 'http'
|
||||||
if external:
|
if external:
|
||||||
if not port:
|
if not port:
|
||||||
raise RuntimeError('Port config is required for external address')
|
raise RuntimeError('Port config is required for external address')
|
||||||
@ -551,11 +558,19 @@ def run_probe(probe):
|
|||||||
if probe["type"] == "exec":
|
if probe["type"] == "exec":
|
||||||
run_cmd(probe["command"])
|
run_cmd(probe["command"])
|
||||||
elif probe["type"] == "httpGet":
|
elif probe["type"] == "httpGet":
|
||||||
url = "http://{}:{}{}".format(
|
scheme = probe.get('scheme', 'http')
|
||||||
|
if scheme == 'https':
|
||||||
|
# disable SSL check for probe request
|
||||||
|
verify = False
|
||||||
|
else:
|
||||||
|
verify = True
|
||||||
|
|
||||||
|
url = "{}://{}:{}{}".format(
|
||||||
|
scheme,
|
||||||
VARIABLES["network_topology"]["private"]["address"],
|
VARIABLES["network_topology"]["private"]["address"],
|
||||||
probe["port"],
|
probe["port"],
|
||||||
probe.get("path", "/"))
|
probe.get("path", "/"))
|
||||||
resp = requests.get(url)
|
resp = requests.get(url, verify=verify)
|
||||||
resp.raise_for_status()
|
resp.raise_for_status()
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user