Add base support for SSL for Openstack services

- Update address function to use "tls" config option and set scheme to 'https'.
  Also we check, that service is in list of services, which support TLS.
- Updated the function that generates the environment used by
  openstackclient. The 'https' scheme is now used if 'tls' is enabled.
  A new variable was also added to store the path of the CA certificate
  file; this is needed because openstackclient does not support setting
  --insecure via the environment.
- Implementation of httpGet was changed to support 'https' endpoints.
  Now requests.get method uses 'https' scheme with verify=False, if 'tls'
  is enabled.

Change-Id: I88bc21571589dcd4c31bb5ce5015a75676ed2d85
(cherry picked from commit 70ae2bc84a)
Sergey Kraynev 2017-01-26 06:39:11 +00:00
parent c8010e972c
commit b7f01428f9


@ -5,6 +5,7 @@ import argparse
import functools import functools
import logging import logging
import os import os
import os.path
import pwd import pwd
import signal import signal
import socket import socket
@ -178,8 +179,17 @@ def openstackclient_preexec_fn():
os.environ["OS_PASSWORD"] = VARIABLES['openstack']['user_password'] os.environ["OS_PASSWORD"] = VARIABLES['openstack']['user_password']
os.environ["OS_USERNAME"] = VARIABLES['openstack']['user_name'] os.environ["OS_USERNAME"] = VARIABLES['openstack']['user_name']
os.environ["OS_PROJECT_NAME"] = VARIABLES['openstack']['project_name'] os.environ["OS_PROJECT_NAME"] = VARIABLES['openstack']['project_name']
os.environ["OS_AUTH_URL"] = 'http://%s/v3' % address( scheme = 'http'
'keystone', VARIABLES['keystone']['admin_port']) if VARIABLES['security']['tls']['enabled']:
scheme = 'https'
# Pass CA cert for using by client, because it's not possible to
# specify insecure via environment.
if not os.path.isfile(fname):
with open(CACERT, 'w') as tmp_cert:
tmp_cert.write(VARIABLES['security']['tls']['ca_cert'])
os.environ["OS_CACERT"] = CACERT
os.environ["OS_AUTH_URL"] = '%s://%s/v3' % (scheme, address(
'keystone', VARIABLES['keystone']['admin_port']))
return result return result
@ -216,6 +226,10 @@ def get_ingress_host(ingress_name):
def address(service, port=None, external=False, with_scheme=False): def address(service, port=None, external=False, with_scheme=False):
addr = None addr = None
scheme = 'http' scheme = 'http'
TLS_SERVICES = "keystone,glance,glance,horizon,nova,neutron,cinder,heat"
if ((VARIABLES['security']['tls']['enabled'] and
service.split('-')[0] in TLS_SERVICES.split(','))):
scheme = 'https'
if external: if external:
if not port: if not port:
raise RuntimeError('Port config is required for external address') raise RuntimeError('Port config is required for external address')
@ -504,11 +518,18 @@ def run_probe(probe):
if probe["type"] == "exec": if probe["type"] == "exec":
run_cmd(probe["command"]) run_cmd(probe["command"])
elif probe["type"] == "httpGet": elif probe["type"] == "httpGet":
url = "http://{}:{}{}".format( scheme = 'http'
verify = True
if VARIABLES['security']['tls']['enabled']:
scheme = 'https'
# disable SSL check for probe request
verify = False
url = "{}://{}:{}{}".format(
scheme,
VARIABLES["network_topology"]["private"]["address"], VARIABLES["network_topology"]["private"]["address"],
probe["port"], probe["port"],
probe.get("path", "/")) probe.get("path", "/"))
resp = requests.get(url) resp = requests.get(url, verify=verify)
resp.raise_for_status() resp.raise_for_status()
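Review bot: In the openstackclient_preexec_fn hunk, the guard `if not os.path.isfile(fname):` references a name that is not defined anywhere in the visible hunks, so with `tls.enabled` set the function will raise NameError before the CA file is written or OS_CACERT is exported; it should read `if not os.path.isfile(CACERT):`, and CACERT itself should be defined in this file (it is not visible in these hunks). Writing the CA file with a plain `open(CACERT, 'w')` also leaves it world-readable by default umask; a CA certificate is public data, but the comment should say so if that is intended. In the run_probe hunk the same CA certificate is available from config, so the probe could pass `verify=CACERT` instead of `verify=False`; if verification was disabled because the private address does not match the certificate's subject, a comment stating that would make the trade-off explicit rather than looking like an oversight. The preexec function continues outside the hunk, and run_probe's body also extends beyond the visible lines.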