From a5bbc9853b9b35f3183afb8d1089e8036235ed3d Mon Sep 17 00:00:00 2001 From: Sergey Kraynev Date: Thu, 26 Jan 2017 06:39:11 +0000 Subject: [PATCH] Add base support for SSL for Openstack services - Update "address" function to use "tls" config option and set scheme to 'https'. Also we check, that service is in list of services, which support TLS. - Updated function for generation Environment, which will be used by openstackclient. Now 'https' scheme will be used if 'tls' is enabled. Also was added new variable for storing path for file with CA certificate. - Implementation of httpGet was changed to support 'https' endpoints. Now requests.get method uses 'https' scheme with verify=False, if 'tls' is enabled. Change-Id: I88bc21571589dcd4c31bb5ce5015a75676ed2d85 --- fuel_ccp_entrypoint/start_script.py | 30 +++++++++++++++---- .../tests/test_fuel_ccp_entrypoint.py | 16 ++++++++-- 2 files changed, 39 insertions(+), 7 deletions(-) diff --git a/fuel_ccp_entrypoint/start_script.py b/fuel_ccp_entrypoint/start_script.py index 0f32aa1..d9917c1 100644 --- a/fuel_ccp_entrypoint/start_script.py +++ b/fuel_ccp_entrypoint/start_script.py @@ -178,8 +178,10 @@ def openstackclient_preexec_fn(): os.environ["OS_PASSWORD"] = VARIABLES['openstack']['user_password'] os.environ["OS_USERNAME"] = VARIABLES['openstack']['user_name'] os.environ["OS_PROJECT_NAME"] = VARIABLES['openstack']['project_name'] - os.environ["OS_AUTH_URL"] = 'http://%s/v3' % address( - 'keystone', VARIABLES['keystone']['admin_port']) + if VARIABLES['security']['tls']['openstack']['enabled']: + os.environ["OS_CACERT"] = CACERT + os.environ["OS_AUTH_URL"] = '%s/v3' % address( + 'keystone', VARIABLES['keystone']['admin_port'], with_scheme=True) return result 
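Review bot: `CACERT` is exported as `OS_CACERT` in the new TLS branch, but nothing in this patch defines it even though the description says a new variable for the CA certificate path was added; unless it is already a module-level name in start_script.py, this branch raises NameError exactly when TLS is switched on. The enclosing function starts outside the hunk, so I cannot tell from here whether the name is in scope. A one-line comment stating what the value is for would also help readers of the environment setup, e.g. `# OS_CACERT: CA bundle openstackclient uses to verify the https keystone endpoint`.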
@@ -215,7 +217,17 @@ def get_ingress_host(ingress_name): def address(service, port=None, external=False, with_scheme=False): addr = None - scheme = 'http' + service_name = service.split('-')[0] + TLS_SERVICES = ('keystone', 'glance', 'cinder', 'horizon', 'nova', + 'neutron', 'heat') + openstack_tls = VARIABLES['security']['tls']['openstack']['enabled'] + etcd_tls = VARIABLES['etcd']['tls']['enabled'] + + if ((openstack_tls and service_name in TLS_SERVICES) or + (etcd_tls and service_name == 'etcd')): + scheme = 'https' + else: + scheme = 'http' if external: if not port: raise RuntimeError('Port config is required for external address') @@ -516,11 +528,19 @@ def run_probe(probe): if probe["type"] == "exec": run_cmd(probe["command"]) elif probe["type"] == "httpGet": - url = "http://{}:{}{}".format( + if VARIABLES['security']['tls']['openstack']['enabled']: + scheme = 'https' + # disable SSL check for probe request + verify = False + else: + scheme = 'http' + verify = True + url = "{}://{}:{}{}".format( + scheme, VARIABLES["network_topology"]["private"]["address"], probe["port"], probe.get("path", "/")) - resp = requests.get(url) + resp = requests.get(url, verify=verify) resp.raise_for_status() diff --git a/fuel_ccp_entrypoint/tests/test_fuel_ccp_entrypoint.py b/fuel_ccp_entrypoint/tests/test_fuel_ccp_entrypoint.py index e117579..03a5d70 100644 --- a/fuel_ccp_entrypoint/tests/test_fuel_ccp_entrypoint.py +++ b/fuel_ccp_entrypoint/tests/test_fuel_ccp_entrypoint.py @@ -172,10 +172,16 @@ class TestGetETCDClient(base.TestCase): }, "connection_attempts": 3, "connection_delay": 0, + "tls": { + "enabled": True, + } }, "security": { "tls": { - "enabled": False + "enabled": False, + "openstack": { + "enabled": False + } } } } @@ -202,10 +208,16 @@ class TestGetETCDClient(base.TestCase): }, "connection_attempts": 3, "connection_delay": 0, + "tls": { + "enabled": True, + } }, "security": { "tls": { - "enabled": True + "enabled": True, + "openstack": { + "enabled": True + } } } }
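Review bot: `TLS_SERVICES` is an upper-case constant that is rebuilt inside address() on every call; hoist it to module level so it is defined once and can be shared with run_probe(), which in this same patch picks the scheme without consulting the list. The `service.split('-')[0]` match is not obvious and deserves a comment, e.g. `# only the leading token of the service name (presumably the project, e.g. 'nova') decides whether TLS applies`. The test file in this patch only extends fixtures; a case asserting the scheme for an in-list and an out-of-list service would pin this logic. The remainder of address() (the external branch and the return) is outside the hunk.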
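Review bot: `verify = False` disables certificate verification for every https probe, so run_probe() will accept any certificate and urllib3 will emit an InsecureRequestWarning on each run; since this patch already exposes the CA bundle path as `CACERT` in openstackclient_preexec_fn, the probe can verify against it with `verify = CACERT` instead of `False` (if verification is off because the pod's private address is not in the certificate's SAN, that reason belongs in the `# disable SSL check` comment). The scheme is also chosen from the global openstack TLS flag alone, whereas address() only uses https for services in TLS_SERVICES; if any httpGet probe targets a service outside that list, it would be sent over https to an http listener and fail, so the probe should reuse the same service check. The end of run_probe() is outside the hunk.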