From 9dce294d2555704074ef9ea2f0e7a4abd1ffdb93 Mon Sep 17 00:00:00 2001 From: Sergey Kraynev Date: Thu, 26 Jan 2017 06:39:11 +0000 Subject: [PATCH] Add base support for SSL for Openstack services - Signature of "address" fucntion was changed to use "tls" paramater, which forces to use 'https' scheme for returned url if 'tls' is enabled. - Updated function for generation Environment, which will be used by openstackclient. Now 'https' scheme will be used if 'tls' is enabled. Also was added new variable for storing path for file with CA certificate. This file will be generated in /tmp for each new container by using content defined in config file. It was done in such way, because opnectackclient does not setting --insecure via Environment. - Implementation of httpGet was changed to support 'https' endpoints. Now requests.get method uses 'https' scheme with verify=False, if 'tls' is enabled. Change-Id: I88bc21571589dcd4c31bb5ce5015a75676ed2d85
---
 fuel_ccp_entrypoint/start_script.py | 30 ++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/fuel_ccp_entrypoint/start_script.py b/fuel_ccp_entrypoint/start_script.py
index 92a74e0..563c442 100644
--- a/fuel_ccp_entrypoint/start_script.py
+++ b/fuel_ccp_entrypoint/start_script.py
@@ -177,8 +177,18 @@ def openstackclient_preexec_fn():
 os.environ["OS_PASSWORD"] = VARIABLES['openstack']['user_password']
 os.environ["OS_USERNAME"] = VARIABLES['openstack']['user_name']
 os.environ["OS_PROJECT_NAME"] = VARIABLES['openstack']['project_name']
- os.environ["OS_AUTH_URL"] = 'http://%s/v3' % address(
- 'keystone', VARIABLES['keystone']['admin_port'])
+ scheme = 'http'
+ if VARIABLES['security']['tls']['enabled']:
+ scheme = 'https'
+ # Pass CA cert for using by client, because it's not possible to
+ # specify insecure via environment.
+ # (Alternative solution is to store all certs in the same place.)
+ path = '/tmp/ca.cert'
+ with open(path, 'w') as tmp_cert:
+ tmp_cert.write(VARIABLES['security']['tls']['ca_cert'])
+ os.environ["OS_CACERT"] = path
+ os.environ["OS_AUTH_URL"] = '%s://%s/v3' % (scheme, address(
+ 'keystone', VARIABLES['keystone']['admin_port']))
 return result
@@ -213,9 +223,12 @@ def get_ingress_host(ingress_name):
 ingress_name, VARIABLES['namespace'], VARIABLES['ingress']['domain']))
-def address(service, port=None, external=False, with_scheme=False):
+def address(service, port=None, external=False, with_scheme=False, tls=False):
 addr = None
 scheme = 'http'
+ if tls:
+ if VARIABLES['security']['tls']['enabled']:
+ scheme = 'https'
 if external:
 if not port:
 raise RuntimeError('Port config is required for external address')
@@ -489,11 +502,18 @@ def run_probe(probe):
 if probe["type"] == "exec":
 run_cmd(probe["command"])
 elif probe["type"] == "httpGet":
- url = "http://{}:{}{}".format(
+ scheme = 'http'
+ verify = True
+ if VARIABLES['security']['tls']['enabled']:
+ scheme = 'https'
+ # disable SSL check for probe request
+ verify = False
+ url = "{}://{}:{}{}".format(
+ scheme,
 VARIABLES["network_topology"]["private"]["address"],
 probe["port"],
 probe.get("path", "/"))
- resp = requests.get(url)
+ resp = requests.get(url, verify=verify)
 resp.raise_for_status()
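Review bot: The CA bundle is written with `open('/tmp/ca.cert', 'w')` to a fixed, predictable name in a world-writable directory, so a symlink or file pre-planted at that path by any other process in the container is followed or overwritten, and two concurrent invocations can truncate the file while a client is still reading it. Create it as a private temporary file instead — `fd, path = tempfile.mkstemp(prefix='ca-', suffix='.cert')` followed by `with os.fdopen(fd, 'w') as tmp_cert:` — which also avoids silently reusing a stale certificate left by an earlier run (add `import tempfile` if the module does not already have it). The 0600 mode that mkstemp applies is acceptable because the file is read by the client launched from this same environment. If the function really is installed as a subprocess `preexec_fn`, as its name suggests, doing file I/O between fork and exec is discouraged by the subprocess documentation when other threads exist, so consider writing the bundle before spawning and only exporting `OS_CACERT` here. The opening lines of the function are outside the hunk.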
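Review bot: The new `tls` parameter is a request rather than a guarantee — with `tls=True` but `security.tls.enabled` false the scheme silently stays `http` — and neither the signature nor a docstring tells callers that, so a caller that must never fall back to plaintext cannot tell that it did. Add a docstring line such as `tls: if True and TLS is enabled in VARIABLES['security'], build an https URL; otherwise the URL uses http.` and collapse the two nested tests into one, `if tls and VARIABLES['security']['tls']['enabled']:`. Whether `scheme` is applied only when `with_scheme` is set cannot be seen here, since the rest of `address` is outside the hunk.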
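Review bot: `verify = False` on the new branch turns off certificate validation for every https probe, so the probe accepts any certificate presented on that port and `requests` emits an InsecureRequestWarning on each call; the CA bundle is already present in the same configuration (`VARIABLES['security']['tls']['ca_cert']`, written to a file elsewhere in this patch), so the probe could validate against it by passing that file's path as `verify`. If validation was disabled because the certificate's SAN does not cover the private address the probe targets, say so in the comment — `# verify=False: the service cert does not cover the private probe address` — instead of `# disable SSL check for probe request`, which states what is done but not why. The new `requests.get` call also has no `timeout`, so a hung service blocks the probe indefinitely; `requests.get(url, verify=verify, timeout=...)` with a value tied to the probe's own timeout would be safer. `run_probe` may continue past the last line shown in the hunk.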