encrypt_secret: support self-signed certificates via --insecure argument

In the case of a non-production Zuul deployment this option is handy,
as such deployments are usually made with a self-signed certificate.

Change-Id: I063357dba33161bdb721304d89e6051b768a60c8
Fabien Boucher 2018-11-12 11:51:39 +01:00
parent 71f60674b9
commit 9c2be21c0c
1 changed files with 12 additions and 2 deletions


@ -22,6 +22,7 @@ import subprocess
import sys
import tempfile
import textwrap
import ssl
# we to import Request and urlopen differently for python 2 and 3
try:
@ -67,6 +68,8 @@ def main():
help="A filename to which the encrypted value will be "
"written. If not supplied, the value will be written "
"to standard output.")
parser.add_argument('--insecure', action='store_true', default=False,
help="Do not verify remote certificate")
args = parser.parse_args()
# We should not use unencrypted connections for retrieving the public key.
@ -81,9 +84,16 @@ def main():
if url.scheme == 'file':
req = Request(args.url)
else:
if args.insecure:
ssl_ctx = ssl.create_default_context()
ssl_ctx.check_hostname = False
ssl_ctx.verify_mode = ssl.CERT_NONE
else:
ssl_ctx = None
# Check if tenant is white label
req = Request("%s/api/info" % (args.url.rstrip('/'),))
info = json.loads(urlopen(req).read().decode('utf8'))
info = json.loads(urlopen(req, context=ssl_ctx).read().decode('utf8'))
api_tenant = info.get('info', {}).get('tenant')
if not api_tenant and not args.tenant:
@ -96,7 +106,7 @@ def main():
else:
req = Request("%s/api/tenant/%s/key/%s.pub" % (
args.url.rstrip('/'), args.tenant, args.project))
pubkey = urlopen(req)
pubkey = urlopen(req, context=ssl_ctx)
if args.infile:
with open(args.infile) as f:
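Review bot: With `--insecure` the public key that the secret will be encrypted to is fetched with certificate and hostname checks disabled (`check_hostname = False`, `verify_mode = ssl.CERT_NONE` in the third hunk), so whoever answers the request can supply their own key and read the resulting secret. The help text should say so, e.g. `help="Do not verify the remote certificate (the fetched public key is then unauthenticated; test deployments only)"`. For self-signed deployments a safer option would be to trust the deployment's certificate explicitly with `ssl.create_default_context(cafile=...)` instead of turning verification off. Separately, `ssl_ctx` is only assigned inside the `else:` branch, while `pubkey = urlopen(req, context=ssl_ctx)` in the last hunk appears to run for `file` URLs as well (indentation is lost on this page, so this is inferred); if so, a `file://` URL fails on the unbound name, and `ssl_ctx = None` should be set before `if url.scheme == 'file':`. main() starts and ends outside the hunks shown.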