authorKirsten G <kikis.github@gmail.com>2017-10-25 01:27:40 -0700
committerKirsten G <kikis.github@gmail.com>2017-11-21 10:25:32 -0800
commitb07b6f34d5b85b57ff0aafc57cb5a268d34aff13 (patch)
tree20cb0c8b5074c55b481204dc190997877b2fc926
parent8e8fbe92145b7ccdfe32e9310cc40dcc1d148131 (diff)
Add verify_ca configuration parameter
Added configuration parameter, verify_ca, to magnum.conf with default value of True. This parameter is passed to the heat templates to indicate whether the cluster nodes validate the Certificate Authority when making requests to the OpenStack APIs (Keystone, Magnum, Heat). This configuration parameter can be set to False to disable CA validation. Co-Authored-By: Vijendar Komalla <vijendar.komalla@rackspace.com> Change-Id: Iab02cb1338b811dac0c147378dbd0e63c83f0413 Partial-Bug: #1663757
Notes
Notes (review): Code-Review+2: Spyros Trigazis (strigazi) <strigazi@gmail.com> Code-Review+2: yatin <ykarel@redhat.com> Workflow+1: yatin <ykarel@redhat.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Wed, 22 Nov 2017 19:15:49 +0000 Reviewed-on: https://review.openstack.org/447687 Project: openstack/magnum Branch: refs/heads/master
-rw-r--r--doc/source/admin/troubleshooting-guide.rst6
-rw-r--r--magnum/conf/__init__.py2
-rw-r--r--magnum/conf/drivers.py40
-rw-r--r--magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh12
-rw-r--r--magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh12
-rw-r--r--magnum/drivers/common/templates/kubernetes/fragments/wc-notify-master.sh2
-rw-r--r--magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml1
-rw-r--r--magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml1
-rw-r--r--magnum/drivers/common/templates/swarm/fragments/cfn-signal.sh8
-rw-r--r--magnum/drivers/common/templates/swarm/fragments/make-cert.py21
-rw-r--r--magnum/drivers/common/templates/swarm/fragments/write-cluster-failure-service.yaml2
-rw-r--r--magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml1
-rw-r--r--magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml1
-rw-r--r--magnum/drivers/common/templates/swarm/fragments/write-swarm-agent-service.sh8
-rw-r--r--magnum/drivers/common/templates/swarm/fragments/write-swarm-master-service.sh8
-rwxr-xr-xmagnum/drivers/heat/template_def.py1
-rw-r--r--magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml12
-rw-r--r--magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml12
-rw-r--r--magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml2
-rw-r--r--magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml1
-rw-r--r--magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml1
-rw-r--r--magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml6
-rw-r--r--magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml5
-rw-r--r--magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml5
-rw-r--r--magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml6
-rw-r--r--magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml5
-rw-r--r--magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml5
-rw-r--r--magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml6
-rw-r--r--magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml5
-rw-r--r--magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml5
-rw-r--r--magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml7
-rw-r--r--magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml5
-rw-r--r--magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml6
-rw-r--r--magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml7
-rw-r--r--magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml6
-rw-r--r--magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-heat-params-master.yaml1
-rw-r--r--magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh14
-rw-r--r--magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh12
-rw-r--r--magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml6
-rw-r--r--magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml5
-rw-r--r--magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml5
-rw-r--r--magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py8
-rw-r--r--magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py10
-rw-r--r--magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py13
-rw-r--r--releasenotes/notes/bug-1663757-198e1aa8fa810984.yaml12
45 files changed, 275 insertions, 44 deletions
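--- a/doc/source/admin/troubleshooting-guide.rst
+++ b/doc/source/admin/troubleshooting-guide.rst
@@ -178,7 +178,11 @@ specified). If it fails, that means the credential you provided is invalid.
 
 TLS
 ---
-*To be filled in*
+The cluster nodes will validate the Certificate Authority by default
+when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
+If you need to disable CA validation, the configuration parameter
+verify_ca can be set to False. More information on `CA Validation
+<https://bugs.launchpad.net/magnum/+bug/1663757>`_.
 
 
 Barbican service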
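--- a/magnum/conf/__init__.py
+++ b/magnum/conf/__init__.py
@@ -26,6 +26,7 @@ from magnum.conf import conductor
 from magnum.conf import database
 from magnum.conf import docker
 from magnum.conf import docker_registry
+from magnum.conf import drivers
 from magnum.conf import glance
 from magnum.conf import heat
 from magnum.conf import keystone
@@ -54,6 +55,7 @@ conductor.register_opts(CONF)
 database.register_opts(CONF)
 docker.register_opts(CONF)
 docker_registry.register_opts(CONF)
+drivers.register_opts(CONF)
 glance.register_opts(CONF)
 heat.register_opts(CONF)
 keystone.register_opts(CONF)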
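--- /dev/null
+++ b/magnum/conf/drivers.py
@@ -0,0 +1,40 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from oslo_config import cfg
+
+drivers_group = cfg.OptGroup(name='drivers',
+                             title='Options for the Drivers')
+
+drivers_opts = [
+    cfg.BoolOpt('verify_ca',
+                default=True,
+                help='Indicates whether the cluster nodes validate the '
+                     'Certificate Authority when making requests to the '
+                     'OpenStack APIs (Keystone, Magnum, Heat). If you have '
+                     'self-signed certificates for the OpenStack APIs or '
+                     'you have your own Certificate Authority and you '
+                     'have not installed the Certificate Authority to all '
+                     'nodes, you may need to disable CA validation by '
+                     'setting this flag to False.')
+]
+
+
+def register_opts(conf):
+    conf.register_group(drivers_group)
+    conf.register_opts(drivers_opts, group=drivers_group)
+
+
+def list_opts():
+    return {
+        drivers_group: drivers_opts,
+    }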
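Review bot: The help text for `verify_ca` says when an operator might disable validation but not what is given up, and this help string is the only thing an operator reads before flipping the flag. The node-side scripts in this change use the setting for the Keystone token request and the Magnum certificate download and CSR signing, so the trade-off should be stated next to the knob. I would append to the help string a sentence such as `'With validation disabled the cluster nodes cannot authenticate the Keystone, Magnum and Heat endpoints they exchange credentials and certificates with; installing the CA on the nodes is the preferred fix.'` A short module docstring naming the `[drivers]` group would also help, since `list_opts` is the only hint that this file feeds the sample-config generator.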
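--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
@@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then
     exit 0
 fi
 
+if [ "$VERIFY_CA" == "True" ]; then
+    VERIFY_CA=""
+else
+    VERIFY_CA="-k"
+fi
+
 cert_dir=/etc/kubernetes/certs
 
 mkdir -p "$cert_dir"
@@ -55,11 +61,11 @@ EOF
 
 content_type='Content-Type: application/json'
 url="$AUTH_URL/auth/tokens"
-USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \
+USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \
     | grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'`
 
 # Get CA certificate for this cluster
-curl -k -X GET \
+curl $VERIFY_CA -X GET \
     -H "X-Auth-Token: $USER_TOKEN" \
     -H "OpenStack-API-Version: container-infra latest" \
     $MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > $CA_CERT
@@ -93,7 +99,7 @@ openssl req -new -days 1000 \
 
 # Send csr to Magnum to have it signed
 csr_req=$(python -c "import json; fp = open('${CLIENT_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")
-curl -k -X POST \
+curl $VERIFY_CA -X POST \
     -H "X-Auth-Token: $USER_TOKEN" \
     -H "OpenStack-API-Version: container-infra latest" \
     -H "Content-Type: application/json" \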
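Review bot: The mapping in the first hunk fails open: every value of `$VERIFY_CA` other than the exact string `True` — including an unset or empty variable when a heat-params file or an older template does not carry it — turns into `-k`, so the Keystone token request and the Magnum certificate exchange below run without verification precisely in the misconfigured case. Only an explicit `False` should disable verification; the safer form is `if [ "$VERIFY_CA" == "False" ]; then VERIFY_CA="-k"; else VERIFY_CA=""; fi`. The same block appears in make-cert.sh, cfn-signal.sh, write-swarm-agent-service.sh, write-swarm-master-service.sh and the k8s_coreos_v1 make-cert.yaml and make-cert-client.yaml fragments, and should be changed in all of them together.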
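--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
@@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then
     exit 0
 fi
 
+if [ "$VERIFY_CA" == "True" ]; then
+    VERIFY_CA=""
+else
+    VERIFY_CA="-k"
+fi
+
 if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then
     KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
 fi
@@ -87,11 +93,11 @@ EOF
 
 content_type='Content-Type: application/json'
 url="$AUTH_URL/auth/tokens"
-USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \
+USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \
     | grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'`
 
 # Get CA certificate for this cluster
-curl -k -X GET \
+curl $VERIFY_CA -X GET \
     -H "X-Auth-Token: $USER_TOKEN" \
     -H "OpenStack-API-Version: container-infra latest" \
     $MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${CA_CERT}
@@ -120,7 +126,7 @@ openssl req -new -days 1000 \
 
 # Send csr to Magnum to have it signed
 csr_req=$(python -c "import json; fp = open('${SERVER_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")
-curl -k -X POST \
+curl $VERIFY_CA -X POST \
     -H "X-Auth-Token: $USER_TOKEN" \
     -H "OpenStack-API-Version: container-infra latest" \
     -H "Content-Type: application/json" \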
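--- a/magnum/drivers/common/templates/kubernetes/fragments/wc-notify-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/wc-notify-master.sh
@@ -11,7 +11,7 @@ until curl -sf "http://127.0.0.1:8080/healthz"; do
     echo "Waiting for Kubernetes API..."
     sleep 5
 done
-$WAIT_CURL --data-binary '{"status": "SUCCESS"}'
+$WAIT_CURL $VERIFY_CA --data-binary '{"status": "SUCCESS"}'
 EOF
 
 cat > $WC_NOTIFY_SERVICE <<EOF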
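Review bot: Nothing in this hunk maps `$VERIFY_CA` from the `True`/`False` value written by write-heat-params-master.yaml to a curl flag, unlike make-cert.sh and the swarm fragments, which each rewrite the variable to `""` or `-k` before use; the heredoc here is expanded at write time, so unless lines 1-10 of this script (outside the hunk) do that mapping, the generated notify script runs `$WAIT_CURL True --data-binary ...` and curl receives the literal word as an extra URL. Adding the same guard before the `cat` that opens this heredoc, with the explicit-`False` form `if [ "$VERIFY_CA" == "False" ]; then VERIFY_CA="-k"; else VERIFY_CA=""; fi`, would fix it. The swarm write-cluster-failure-service.yaml and the k8s_coreos_v1 wc-notify.yaml fragments look affected the same way, since `$VERIFY_CA` there appears to be substituted straight from the Heat parameter; worth confirming against the kubemaster/swarmmaster templates that feed them.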
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
index 085463e..3bf9600 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
@@ -30,6 +30,7 @@ write_files:
30 CLUSTER_SUBNET="$CLUSTER_SUBNET" 30 CLUSTER_SUBNET="$CLUSTER_SUBNET"
31 TLS_DISABLED="$TLS_DISABLED" 31 TLS_DISABLED="$TLS_DISABLED"
32 KUBE_DASHBOARD_ENABLED="$KUBE_DASHBOARD_ENABLED" 32 KUBE_DASHBOARD_ENABLED="$KUBE_DASHBOARD_ENABLED"
33 VERIFY_CA="$VERIFY_CA"
33 CLUSTER_UUID="$CLUSTER_UUID" 34 CLUSTER_UUID="$CLUSTER_UUID"
34 MAGNUM_URL="$MAGNUM_URL" 35 MAGNUM_URL="$MAGNUM_URL"
35 VOLUME_DRIVER="$VOLUME_DRIVER" 36 VOLUME_DRIVER="$VOLUME_DRIVER"
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml
index 27f41ab..e1b65bf 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml
@@ -24,6 +24,7 @@ write_files:
24 REGISTRY_INSECURE="$REGISTRY_INSECURE" 24 REGISTRY_INSECURE="$REGISTRY_INSECURE"
25 REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE" 25 REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
26 TLS_DISABLED="$TLS_DISABLED" 26 TLS_DISABLED="$TLS_DISABLED"
27 VERIFY_CA="$VERIFY_CA"
27 CLUSTER_UUID="$CLUSTER_UUID" 28 CLUSTER_UUID="$CLUSTER_UUID"
28 MAGNUM_URL="$MAGNUM_URL" 29 MAGNUM_URL="$MAGNUM_URL"
29 AUTH_URL="$AUTH_URL" 30 AUTH_URL="$AUTH_URL"
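--- a/magnum/drivers/common/templates/swarm/fragments/cfn-signal.sh
+++ b/magnum/drivers/common/templates/swarm/fragments/cfn-signal.sh
@@ -4,6 +4,12 @@
 
 echo "notifying heat"
 
+if [ "$VERIFY_CA" == "True" ]; then
+    VERIFY_CA=""
+else
+    VERIFY_CA="-k"
+fi
+
 STATUS="SUCCESS"
 REASON="Setup complete"
 DATA="OK"
@@ -11,4 +17,4 @@ UUID=`uuidgen`
 
 data=$(echo '{"status": "'${STATUS}'", "reason": "'$REASON'", "data": "'${DATA}'", "id": "'$UUID'"}')
 
-sh -c "${WAIT_CURL} --data-binary '${data}'"
+sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '${data}'"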
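--- a/magnum/drivers/common/templates/swarm/fragments/make-cert.py
+++ b/magnum/drivers/common/templates/swarm/fragments/make-cert.py
@@ -81,13 +81,14 @@ def _build_subject_alt_names(config):
     return ','.join(subject_alt_names)
 
 
-def write_ca_cert(config):
+def write_ca_cert(config, verify_ca):
     cluster_cert_url = '%s/certificates/%s' % (config['MAGNUM_URL'],
                                                config['CLUSTER_UUID'])
     headers = {'X-Auth-Token': config['USER_TOKEN'],
                'OpenStack-API-Version': 'container-infra latest'}
     ca_cert_resp = requests.get(cluster_cert_url,
-                                headers=headers)
+                                headers=headers,
+                                verify=verify_ca)
 
     with open(CA_CERT_PATH, 'w') as fp:
         fp.write(ca_cert_resp.json()['pem'])
@@ -121,7 +122,7 @@ def create_server_csr(config):
     return {'cluster_uuid': config['CLUSTER_UUID'], 'csr': fp.read()}
 
 
-def write_server_cert(config, csr_req):
+def write_server_cert(config, csr_req, verify_ca):
     cert_url = '%s/certificates' % config['MAGNUM_URL']
     headers = {
         'Content-Type': 'application/json',
@@ -130,13 +131,14 @@ def write_server_cert(config, csr_req):
     }
     csr_resp = requests.post(cert_url,
                              data=json.dumps(csr_req),
-                             headers=headers)
+                             headers=headers,
+                             verify=verify_ca)
 
     with open(SERVER_CERT_PATH, 'w') as fp:
         fp.write(csr_resp.json()['pem'])
 
 
-def get_user_token(config):
+def get_user_token(config, verify_ca):
     creds_str = '''
 {
   "auth": {
@@ -161,7 +163,7 @@ def get_user_token(config):
     creds = creds_str % params
     headers = {'Content-Type': 'application/json'}
     url = config['AUTH_URL'] + '/auth/tokens'
-    r = requests.post(url, headers=headers, data=creds)
+    r = requests.post(url, headers=headers, data=creds, verify=verify_ca)
     config['USER_TOKEN'] = r.headers['X-Subject-Token']
     return config
 
@@ -169,12 +171,13 @@ def get_user_token(config):
 def main():
     config = load_config()
     if config['TLS_DISABLED'] == 'False':
+        verify_ca = True if config['VERIFY_CA'] == 'True' else False
         create_dirs()
-        config = get_user_token(config)
-        write_ca_cert(config)
+        config = get_user_token(config, verify_ca)
+        write_ca_cert(config, verify_ca)
         write_server_key()
         csr_req = create_server_csr(config)
-        write_server_cert(config, csr_req, verify_ca)
+        write_server_cert(config, csr_req, verify_ca)
 
 
 if __name__ == '__main__':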
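Review bot: In `main`, `verify_ca = True if config['VERIFY_CA'] == 'True' else False` turns any unexpected value of `VERIFY_CA` (a differently-cased `true`, a stray space, an empty string from a template that did not set it) into `verify=False` for the token request, the CA download and the CSR signing, i.e. the parsing fails open; the conditional expression is also redundant. Compare against the explicit opt-out instead, `verify_ca = config['VERIFY_CA'] != 'False'`, so that only a deliberate `False` disables verification and anything else keeps the pre-change behaviour of `requests` verifying by default. The new `verify_ca` parameter on `get_user_token`, `write_ca_cert` and `write_server_cert` also needs a line of documentation: a docstring stating that it is passed through as the `verify` argument of the `requests` call, which accepts `False` or a CA bundle path, would make the contract clear to the next person who wires a per-driver bundle through it.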
diff --git a/magnum/drivers/common/templates/swarm/fragments/write-cluster-failure-service.yaml b/magnum/drivers/common/templates/swarm/fragments/write-cluster-failure-service.yaml
index a4c152e..ed727f6 100644
--- a/magnum/drivers/common/templates/swarm/fragments/write-cluster-failure-service.yaml
+++ b/magnum/drivers/common/templates/swarm/fragments/write-cluster-failure-service.yaml
@@ -11,5 +11,5 @@ write_files:
11 [Service] 11 [Service]
12 Type=simple 12 Type=simple
13 TimeoutStartSec=0 13 TimeoutStartSec=0
14 ExecStart=/usr/bin/$WAIT_CURL \ 14 ExecStart=/usr/bin/$WAIT_CURL $VERIFY_CA \
15 --data-binary '{"status": "FAILURE", "reason": "$SERVICE service failed to start.", "data": "Failure"}' 15 --data-binary '{"status": "FAILURE", "reason": "$SERVICE service failed to start.", "data": "Failure"}'
diff --git a/magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml b/magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml
index 690a3ff..a4c316f 100644
--- a/magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml
@@ -18,6 +18,7 @@ write_files:
18 CLUSTER_UUID="$CLUSTER_UUID" 18 CLUSTER_UUID="$CLUSTER_UUID"
19 MAGNUM_URL="$MAGNUM_URL" 19 MAGNUM_URL="$MAGNUM_URL"
20 TLS_DISABLED="$TLS_DISABLED" 20 TLS_DISABLED="$TLS_DISABLED"
21 VERIFY_CA="$VERIFY_CA"
21 NETWORK_DRIVER="$NETWORK_DRIVER" 22 NETWORK_DRIVER="$NETWORK_DRIVER"
22 FLANNEL_NETWORK_CIDR="$FLANNEL_NETWORK_CIDR" 23 FLANNEL_NETWORK_CIDR="$FLANNEL_NETWORK_CIDR"
23 FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN" 24 FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
diff --git a/magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml b/magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml
index 14769c9..f1183b4 100644
--- a/magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml
+++ b/magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml
@@ -17,6 +17,7 @@ write_files:
17 CLUSTER_UUID="$CLUSTER_UUID" 17 CLUSTER_UUID="$CLUSTER_UUID"
18 MAGNUM_URL="$MAGNUM_URL" 18 MAGNUM_URL="$MAGNUM_URL"
19 TLS_DISABLED="$TLS_DISABLED" 19 TLS_DISABLED="$TLS_DISABLED"
20 VERIFY_CA="$VERIFY_CA"
20 NETWORK_DRIVER="$NETWORK_DRIVER" 21 NETWORK_DRIVER="$NETWORK_DRIVER"
21 ETCD_SERVER_IP="$ETCD_SERVER_IP" 22 ETCD_SERVER_IP="$ETCD_SERVER_IP"
22 API_IP_ADDRESS="$API_IP_ADDRESS" 23 API_IP_ADDRESS="$API_IP_ADDRESS"
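--- a/magnum/drivers/common/templates/swarm/fragments/write-swarm-agent-service.sh
+++ b/magnum/drivers/common/templates/swarm/fragments/write-swarm-agent-service.sh
@@ -4,6 +4,12 @@
 
 myip="$SWARM_NODE_IP"
 
+if [ "$VERIFY_CA" == "True" ]; then
+    VERIFY_CA=""
+else
+    VERIFY_CA="-k"
+fi
+
 CONF_FILE=/etc/systemd/system/swarm-agent.service
 CERT_DIR=/etc/docker
 PROTOCOL=https
@@ -76,7 +82,7 @@ do
     sleep 5
 done
 
-${WAIT_CURL} \
+${WAIT_CURL} {$VERIFY_CA} \
     --data-binary '{"status": "SUCCESS", "reason": "Swarm agent ready", "data": "OK", "id": "${UUID}"}'
 EOF
 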
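Review bot: `${WAIT_CURL} {$VERIFY_CA} \` in the second hunk has the braces in the wrong place: `{$VERIFY_CA}` expands to the literal `{-k}` or `{}` rather than `-k` or nothing, so the heredoc bakes a bogus extra argument into the generated script and the `-k` flag is never applied when verification is turned off. It should read `${WAIT_CURL} ${VERIFY_CA} \`, matching cfn-signal.sh and write-swarm-master-service.sh in this same change. The first hunk has the same fail-open mapping noted for make-cert-client.sh.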
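--- a/magnum/drivers/common/templates/swarm/fragments/write-swarm-master-service.sh
+++ b/magnum/drivers/common/templates/swarm/fragments/write-swarm-master-service.sh
@@ -2,6 +2,12 @@
 
 CERT_DIR=/etc/docker
 
+if [ "$VERIFY_CA" == "True" ]; then
+    VERIFY_CA=""
+else
+    VERIFY_CA="-k"
+fi
+
 cat > /etc/systemd/system/swarm-manager.service << END_SERVICE_TOP
 [Unit]
 Description=Swarm Manager
@@ -46,7 +52,7 @@ cat >> /etc/systemd/system/swarm-manager.service << END_SERVICE_BOTTOM
     etcd://$ETCD_SERVER_IP:2379/v2/keys/swarm/
 ExecStop=/usr/bin/docker stop swarm-manager
 Restart=always
-ExecStartPost=/usr/bin/$WAIT_CURL \\
+ExecStartPost=/usr/bin/$WAIT_CURL $VERIFY_CA \\
     --data-binary '{"status": "SUCCESS", "reason": "Setup complete", "data": "OK", "id": "$UUID"}'
 
 [Install]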
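--- a/magnum/drivers/heat/template_def.py
+++ b/magnum/drivers/heat/template_def.py
@@ -244,6 +244,7 @@ class BaseTemplateDefinition(TemplateDefinition):
         extra_params['trustee_user_id'] = cluster.trustee_user_id
         extra_params['trustee_username'] = cluster.trustee_username
         extra_params['trustee_password'] = cluster.trustee_password
+        extra_params['verify_ca'] = CONF.drivers.verify_ca
 
         # Only pass trust ID into the template if allowed by the config file
         if CONF.trust.cluster_user_trust: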
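Review bot: The added `extra_params['verify_ca'] = CONF.drivers.verify_ca` is the one deployment-wide switch that decides whether the node scripts verify the endpoints they send the trustee credentials on the preceding lines to, but it carries no comment, unlike the trust-ID line right below it. A one-liner above it would spare the next reader a trip to magnum/conf/drivers.py: `# Deployment-wide (not per-cluster): controls TLS verification of the Keystone/Magnum/Heat calls made by the node bootstrap scripts.` The enclosing method starts outside the hunk.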
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
index ac1029c..dc910bf 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
@@ -40,6 +40,12 @@ write_files:
40 exit 0 40 exit 0
41 fi 41 fi
42 42
43 if [ "$VERIFY_CA" == "True" ]; then
44 VERIFY_CA=""
45 else
46 VERIFY_CA="-k"
47 fi
48
43 cert_conf_dir=${KUBE_CERTS_PATH}/conf 49 cert_conf_dir=${KUBE_CERTS_PATH}/conf
44 50
45 mkdir -p ${cert_conf_dir} 51 mkdir -p ${cert_conf_dir}
@@ -72,12 +78,12 @@ write_files:
72 } 78 }
73 EOF 79 EOF
74 80
75 USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \ 81 USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
76 $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'` 82 $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
77 83
78 rm -rf auth.json 84 rm -rf auth.json
79 85
80 ca_cert_json=$(curl -k -X GET \ 86 ca_cert_json=$(curl $VERIFY_CA -X GET \
81 -H "X-Auth-Token: $USER_TOKEN" \ 87 -H "X-Auth-Token: $USER_TOKEN" \
82 -H "OpenStack-API-Version: container-infra latest" \ 88 -H "OpenStack-API-Version: container-infra latest" \
83 $MAGNUM_URL/certificates/$CLUSTER_UUID) 89 $MAGNUM_URL/certificates/$CLUSTER_UUID)
@@ -114,7 +120,7 @@ write_files:
114 csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g') 120 csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
115 csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}" 121 csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
116 # Send csr to Magnum to have it signed 122 # Send csr to Magnum to have it signed
117 client_cert_json=$(curl -k -X POST \ 123 client_cert_json=$(curl $VERIFY_CA -X POST \
118 -H "X-Auth-Token: $USER_TOKEN" \ 124 -H "X-Auth-Token: $USER_TOKEN" \
119 -H "OpenStack-API-Version: container-infra latest" \ 125 -H "OpenStack-API-Version: container-infra latest" \
120 -H "Content-Type: application/json" \ 126 -H "Content-Type: application/json" \
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
index 07daf2d..8ef1128 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
@@ -40,6 +40,12 @@ write_files:
40 exit 0 40 exit 0
41 fi 41 fi
42 42
43 if [ "$VERIFY_CA" == "True" ]; then
44 VERIFY_CA=""
45 else
46 VERIFY_CA="-k"
47 fi
48
43 if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then 49 if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then
44 KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4) 50 KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
45 fi 51 fi
@@ -103,13 +109,13 @@ write_files:
103 } 109 }
104 EOF 110 EOF
105 111
106 USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \ 112 USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
107 $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'` 113 $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
108 114
109 rm -rf auth.json 115 rm -rf auth.json
110 116
111 # Get CA certificate for this cluster 117 # Get CA certificate for this cluster
112 ca_cert_json=$(curl -k -X GET \ 118 ca_cert_json=$(curl $VERIFY_CA -X GET \
113 -H "X-Auth-Token: $USER_TOKEN" \ 119 -H "X-Auth-Token: $USER_TOKEN" \
114 -H "OpenStack-API-Version: container-infra latest" \ 120 -H "OpenStack-API-Version: container-infra latest" \
115 $MAGNUM_URL/certificates/$CLUSTER_UUID) 121 $MAGNUM_URL/certificates/$CLUSTER_UUID)
@@ -141,7 +147,7 @@ write_files:
141 csr=$(cat $SERVER_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g') 147 csr=$(cat $SERVER_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
142 csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}" 148 csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
143 # Send csr to Magnum to have it signed 149 # Send csr to Magnum to have it signed
144 server_cert_json=$(curl -k -X POST \ 150 server_cert_json=$(curl $VERIFY_CA -X POST \
145 -H "X-Auth-Token: $USER_TOKEN" \ 151 -H "X-Auth-Token: $USER_TOKEN" \
146 -H "OpenStack-API-Version: container-infra latest" \ 152 -H "OpenStack-API-Version: container-infra latest" \
147 -H "Content-Type: application/json" \ 153 -H "Content-Type: application/json" \
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml
index 6d8a295..7857bd7 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml
@@ -20,5 +20,5 @@ write_files:
20 permissions: "0755" 20 permissions: "0755"
21 content: | 21 content: |
22 #!/bin/bash -v 22 #!/bin/bash -v
23 command="$WAIT_CURL --insecure --data-binary '{\"status\": \"SUCCESS\"}'" 23 command="$WAIT_CURL $VERIFY_CA --data-binary '{\"status\": \"SUCCESS\"}'"
24 eval $(echo "$command") 24 eval $(echo "$command")
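--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml
@@ -25,6 +25,7 @@ write_files:
 TENANT_NAME="$TENANT_NAME"
 CLUSTER_SUBNET="$CLUSTER_SUBNET"
 TLS_DISABLED="$TLS_DISABLED"
+VERIFY_CA="$VERIFY_CA"
 CLUSTER_UUID="$CLUSTER_UUID"
 MAGNUM_URL="$MAGNUM_URL"
 HTTP_PROXY="$HTTP_PROXY"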
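--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml
@@ -21,6 +21,7 @@ write_files:
 REGISTRY_INSECURE="$REGISTRY_INSECURE"
 REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
 TLS_DISABLED="$TLS_DISABLED"
+VERIFY_CA="$VERIFY_CA"
 CLUSTER_UUID="$CLUSTER_UUID"
 MAGNUM_URL="$MAGNUM_URL"
 AUTH_URL="$AUTH_URL"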
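--- a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
@@ -155,6 +155,10 @@ parameters:
 description: whether or not to disable kubernetes dashboard
 default: True
 
+verify_ca:
+type: boolean
+description: whether or not to validate certificate authority
+
 loadbalancing_protocol:
 type: string
 description: >
@@ -431,6 +435,7 @@ resources:
 kubernetes_port: {get_param: kubernetes_port}
 tls_disabled: {get_param: tls_disabled}
 kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
+verify_ca: {get_param: verify_ca}
 secgroup_kube_master_id: {get_resource: secgroup_master}
 http_proxy: {get_param: http_proxy}
 https_proxy: {get_param: https_proxy}
@@ -489,6 +494,7 @@ resources:
 network_driver: {get_param: network_driver}
 kubernetes_port: {get_param: kubernetes_port}
 tls_disabled: {get_param: tls_disabled}
+verify_ca: {get_param: verify_ca}
 secgroup_kube_minion_id: {get_resource: secgroup_minion_all_open}
 http_proxy: {get_param: http_proxy}
 https_proxy: {get_param: https_proxy}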
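Review bot: The new `verify_ca` parameter (L554–L556) is declared without a `default`, unlike the neighbouring `kube_dashboard_enabled` (L552) and the other toggles in this template, so any caller that does not pass it fails stack validation instead of falling back to verifying. Adding `default: True` keeps the template self-contained and encodes the secure default the commit message describes; the same applies to the other top-level cluster templates in this change. The description could also say what the flag actually governs, e.g. `description: whether or not to validate the certificate authority of the OpenStack API endpoints (Keystone, Magnum, Heat) from the cluster nodes`.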
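--- a/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
@@ -115,6 +115,10 @@ parameters:
 type: boolean
 description: whether or not to disable kubernetes dashboard
 
+verify_ca:
+type: boolean
+description: whether or not to validate certificate authority
+
 kubernetes_port:
 type: number
 description: >
@@ -280,6 +284,7 @@ resources:
 "$NETWORK_DRIVER": {get_param: network_driver}
 "$KUBE_API_PORT": {get_param: kubernetes_port}
 "$TLS_DISABLED": {get_param: tls_disabled}
+"$VERIFY_CA": {get_param: verify_ca}
 "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
 "$KUBE_VERSION": {get_param: kube_version}
 "$KUBE_DASHBOARD_VERSION": {get_param: kube_dashboard_version}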
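--- a/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml
@@ -42,6 +42,10 @@ parameters:
 type: boolean
 description: whether or not to enable TLS
 
+verify_ca:
+type: boolean
+description: whether or not to validate certificate authority
+
 kubernetes_port:
 type: number
 description: >
@@ -185,6 +189,7 @@ resources:
 "$WAIT_CURL": {get_attr: [minion_wait_handle, curl_cli]}
 "$KUBE_API_PORT": {get_param: kubernetes_port}
 "$TLS_DISABLED": {get_param: tls_disabled}
+"$VERIFY_CA": {get_param: verify_ca}
 "$NETWORK_DRIVER": {get_param: network_driver}
 "$ETCD_SERVER_IP": {get_param: etcd_server_ip}
 "$KUBE_VERSION": {get_param: kube_version}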
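--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -252,6 +252,10 @@ parameters:
 description: whether or not to enable kubernetes dashboard
 default: True
 
+verify_ca:
+type: boolean
+description: whether or not to validate certificate authority
+
 kubernetes_port:
 type: number
 description: >
@@ -512,6 +516,7 @@ resources:
 kubernetes_port: {get_param: kubernetes_port}
 tls_disabled: {get_param: tls_disabled}
 kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
+verify_ca: {get_param: verify_ca}
 secgroup_kube_master_id: {get_resource: secgroup_kube_master}
 http_proxy: {get_param: http_proxy}
 https_proxy: {get_param: https_proxy}
@@ -580,6 +585,7 @@ resources:
 password: {get_param: password}
 kubernetes_port: {get_param: kubernetes_port}
 tls_disabled: {get_param: tls_disabled}
+verify_ca: {get_param: verify_ca}
 secgroup_kube_minion_id: {get_resource: secgroup_kube_minion}
 http_proxy: {get_param: http_proxy}
 https_proxy: {get_param: https_proxy}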
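--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
@@ -114,6 +114,10 @@ parameters:
 type: boolean
 description: whether or not to disable kubernetes dashboard
 
+verify_ca:
+type: boolean
+description: whether or not to validate certificate authority
+
 kubernetes_port:
 type: number
 description: >
@@ -324,6 +328,7 @@ resources:
 "$CLUSTER_SUBNET": {get_param: fixed_subnet}
 "$TLS_DISABLED": {get_param: tls_disabled}
 "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
+"$VERIFY_CA": {get_param: verify_ca}
 "$CLUSTER_UUID": {get_param: cluster_uuid}
 "$MAGNUM_URL": {get_param: magnum_url}
 "$VOLUME_DRIVER": {get_param: volume_driver}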
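--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
@@ -57,6 +57,10 @@ parameters:
 type: boolean
 description: whether or not to enable TLS
 
+verify_ca:
+type: boolean
+description: whether or not to validate certificate authority
+
 kubernetes_port:
 type: number
 description: >
@@ -269,6 +273,7 @@ resources:
 $REGISTRY_INSECURE: {get_param: registry_insecure}
 $REGISTRY_CHUNKSIZE: {get_param: registry_chunksize}
 $TLS_DISABLED: {get_param: tls_disabled}
+$VERIFY_CA: {get_param: verify_ca}
 $CLUSTER_UUID: {get_param: cluster_uuid}
 $MAGNUM_URL: {get_param: magnum_url}
 $USERNAME: {get_param: username}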
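--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
@@ -250,6 +250,10 @@ parameters:
 description: whether or not to disable kubernetes dashboard
 default: True
 
+verify_ca:
+type: boolean
+description: whether or not to validate certificate authority
+
 kubernetes_port:
 type: number
 description: >
@@ -484,6 +488,7 @@ resources:
 kubernetes_port: {get_param: kubernetes_port}
 tls_disabled: {get_param: tls_disabled}
 kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
+verify_ca: {get_param: verify_ca}
 secgroup_base_id: {get_resource: secgroup_base}
 secgroup_kube_master_id: {get_resource: secgroup_kube_master}
 http_proxy: {get_param: http_proxy}
@@ -574,6 +579,7 @@ resources:
 password: {get_param: password}
 kubernetes_port: {get_param: kubernetes_port}
 tls_disabled: {get_param: tls_disabled}
+verify_ca: {get_param: verify_ca}
 http_proxy: {get_param: http_proxy}
 https_proxy: {get_param: https_proxy}
 no_proxy: {get_param: no_proxy}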
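--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
@@ -99,6 +99,10 @@ parameters:
 type: boolean
 description: whether or not to disable kubernetes dashboard
 
+verify_ca:
+type: boolean
+description: whether or not to validate certificate authority
+
 kubernetes_port:
 type: number
 description: >
@@ -289,6 +293,7 @@ resources:
 "$CLUSTER_SUBNET": {get_param: fixed_subnet}
 "$TLS_DISABLED": {get_param: tls_disabled}
 "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
+"$VERIFY_CA": {get_param: verify_ca}
 "$CLUSTER_UUID": {get_param: cluster_uuid}
 "$MAGNUM_URL": {get_param: magnum_url}
 "$HTTP_PROXY": {get_param: http_proxy}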
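--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml
@@ -29,6 +29,10 @@ parameters:
 type: boolean
 description: whether or not to enable TLS
 
+verify_ca:
+type: boolean
+description: whether or not to validate certificate authority
+
 kubernetes_port:
 type: number
 description: >
@@ -203,6 +207,7 @@ resources:
 $REGISTRY_INSECURE: {get_param: registry_insecure}
 $REGISTRY_CHUNKSIZE: {get_param: registry_chunksize}
 $TLS_DISABLED: {get_param: tls_disabled}
+$VERIFY_CA: {get_param: verify_ca}
 $CLUSTER_UUID: {get_param: cluster_uuid}
 $MAGNUM_URL: {get_param: magnum_url}
 $USERNAME: {get_param: username}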
diff --git a/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml b/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml
index 3737d50..e54037b 100644
--- a/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml
+++ b/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml
@@ -64,6 +64,10 @@ parameters:
64 enables any host to take control of a volume irrespective of whether 64 enables any host to take control of a volume irrespective of whether
65 other hosts are using the volume 65 other hosts are using the volume
66 66
67 verify_ca:
68 type: boolean
69 description: whether or not to validate certificate authority
70
67 mesos_slave_isolation: 71 mesos_slave_isolation:
68 type: string 72 type: string
69 description: > 73 description: >
@@ -154,9 +158,10 @@ resources:
154 str_replace: 158 str_replace:
155 template: | 159 template: |
156 #!/bin/bash -v 160 #!/bin/bash -v
157 wc_notify --data-binary '{"status": "SUCCESS"}' 161 wc_notify $VERIFY_CA --data-binary '{"status": "SUCCESS"}'
158 params: 162 params:
159 wc_notify: {get_param: mesos_slave_wc_curl_cli} 163 wc_notify: {get_param: mesos_slave_wc_curl_cli}
164 "$VERIFY_CA": {get_param: verify_ca}
160 165
161 add_proxy: 166 add_proxy:
162 type: OS::Heat::SoftwareConfig 167 type: OS::Heat::SoftwareConfig
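--- a/magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml
+++ b/magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml
@@ -207,6 +207,10 @@ parameters:
 be empty when doing a create.
 default: []
 
+verify_ca:
+type: boolean
+description: whether or not to validate certificate authority
+
 resources:
 
 ######################################################################
@@ -458,6 +462,7 @@ resources:
 mesos_slave_image_providers: {get_param: mesos_slave_image_providers}
 mesos_slave_executor_env_variables: {get_param: mesos_slave_executor_env_variables}
 mesos_slave_wc_curl_cli: {get_attr: [slave_wait_handle, curl_cli]}
+verify_ca: {get_param: verify_ca}
 
 outputs:
 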
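Review bot: Only the slave software-config resource is handed `verify_ca` here (L822); if the mesos master nodes also report to a Heat wait condition through the curl CLI, that path would keep the old behaviour and the switch would only be half-applied — confirm against mesosmaster.yaml and thread the parameter there too. As in the other cluster templates, the parameter (L811–L813) has no `default`, so a `default: True` would keep this template usable on its own while still verifying unless explicitly told not to.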
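--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml
@@ -100,6 +100,10 @@ parameters:
 description: whether or not to enable TLS
 default: False
 
+verify_ca:
+type: boolean
+description: whether or not to validate certificate authority
+
 network_driver:
 type: string
 description: network driver to use for instantiating container networks
@@ -374,6 +378,7 @@ resources:
 cluster_uuid: {get_param: cluster_uuid}
 magnum_url: {get_param: magnum_url}
 tls_disabled: {get_param: tls_disabled}
+verify_ca: {get_param: verify_ca}
 secgroup_swarm_master_id: {get_resource: secgroup_swarm_manager}
 network_driver: {get_param: network_driver}
 flannel_network_cidr: {get_param: flannel_network_cidr}
@@ -422,6 +427,7 @@ resources:
 cluster_uuid: {get_param: cluster_uuid}
 magnum_url: {get_param: magnum_url}
 tls_disabled: {get_param: tls_disabled}
+verify_ca: {get_param: verify_ca}
 secgroup_swarm_node_id: {get_resource: secgroup_swarm_node}
 flannel_network_cidr: {get_param: flannel_network_cidr}
 network_driver: {get_param: network_driver}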
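--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml
@@ -90,6 +90,10 @@ parameters:
 type: boolean
 description: whether or not to enable TLS
 
+verify_ca:
+type: boolean
+description: whether or not to validate certificate authority
+
 network_driver:
 type: string
 description: network driver to use for instantiating container networks
@@ -243,6 +247,7 @@ resources:
 "$CLUSTER_UUID": {get_param: cluster_uuid}
 "$MAGNUM_URL": {get_param: magnum_url}
 "$TLS_DISABLED": {get_param: tls_disabled}
+"$VERIFY_CA": {get_param: verify_ca}
 "$NETWORK_DRIVER": {get_param: network_driver}
 "$FLANNEL_NETWORK_CIDR": {get_param: flannel_network_cidr}
 "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
@@ -319,6 +324,7 @@ resources:
 params:
 "$SERVICE": swarm-manager
 "$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}
+"$VERIFY_CA": {get_param: verify_ca}
 
 write_docker_socket:
 type: "OS::Heat::SoftwareConfig"
@@ -341,6 +347,7 @@ resources:
 "$HTTPS_PROXY": {get_param: https_proxy}
 "$NO_PROXY": {get_attr: [no_proxy_extended, value]}
 "$TLS_DISABLED": {get_param: tls_disabled}
+"$VERIFY_CA": {get_param: verify_ca}
 "$SWARM_VERSION": {get_param: swarm_version}
 "$SWARM_STRATEGY": {get_param: swarm_strategy}
 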
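--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml
@@ -93,6 +93,10 @@ parameters:
 type: boolean
 description: whether or not to disable TLS
 
+verify_ca:
+type: boolean
+description: whether or not to validate certificate authority
+
 swarm_version:
 type: string
 description: version of swarm used for swarm cluster
@@ -220,6 +224,7 @@ resources:
 "$CLUSTER_UUID": {get_param: cluster_uuid}
 "$MAGNUM_URL": {get_param: magnum_url}
 "$TLS_DISABLED": {get_param: tls_disabled}
+"$VERIFY_CA": {get_param: verify_ca}
 "$NETWORK_DRIVER": {get_param: network_driver}
 "$ETCD_SERVER_IP": {get_param: etcd_server_ip}
 "$API_IP_ADDRESS": {get_param: api_ip_address}
@@ -295,6 +300,7 @@ resources:
 params:
 "$SERVICE": swarm-agent
 "$WAIT_CURL": {get_attr: [node_wait_handle, curl_cli]}
+"$VERIFY_CA": {get_param: verify_ca}
 
 write_swarm_agent_service:
 type: "OS::Heat::SoftwareConfig"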
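--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-heat-params-master.yaml
@@ -26,3 +26,4 @@ write_files:
 AUTH_URL="$AUTH_URL"
 VOLUME_DRIVER="$VOLUME_DRIVER"
 REXRAY_PREEMPT="$REXRAY_PREEMPT"
+VERIFY_CA="$VERIFY_CA"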
diff --git a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh
index 2c978b4..a31bb3d 100644
--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh
@@ -4,6 +4,12 @@
4 4
5set -x 5set -x
6 6
7if [ "$VERIFY_CA" == "True" ]; then
8 VERIFY_CA=""
9else
10 VERIFY_CA="-k"
11fi
12
7if [ "${IS_PRIMARY_MASTER}" = "True" ]; then 13if [ "${IS_PRIMARY_MASTER}" = "True" ]; then
8 cat > /usr/local/bin/magnum-start-swarm-manager << START_SWARM_BIN 14 cat > /usr/local/bin/magnum-start-swarm-manager << START_SWARM_BIN
9#!/bin/bash -xe 15#!/bin/bash -xe
@@ -16,7 +22,7 @@ else
16 status="FAILURE" 22 status="FAILURE"
17 msg="Failed to init swarm." 23 msg="Failed to init swarm."
18fi 24fi
19sh -c "${WAIT_CURL} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'" 25sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'"
20START_SWARM_BIN 26START_SWARM_BIN
21else 27else
22 if [ "${TLS_DISABLED}" = 'False' ]; then 28 if [ "${TLS_DISABLED}" = 'False' ]; then
@@ -37,7 +43,7 @@ do
37done 43done
38 44
39if [[ -z \$token ]] ; then 45if [[ -z \$token ]] ; then
40 sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'" 46 sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
41fi 47fi
42 48
43i=0 49i=0
@@ -48,9 +54,9 @@ do
48 sleep 5 54 sleep 5
49done 55done
50if [[ \$i -ge 5 ]] ; then 56if [[ \$i -ge 5 ]] ; then
51 sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'" 57 sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'"
52else 58else
53 sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'" 59 sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'"
54fi 60fi
55START_SWARM_BIN 61START_SWARM_BIN
56fi 62fi
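Review bot: The translation added at the top of the script (L944–L948) fails open: any value of `VERIFY_CA` other than the exact string `True` — including an unset or empty variable if the heat-params file this script presumably sources predates the change, or a differently cased value — silently becomes `-k` and disables CA validation for every wait-condition signal below (L957, L965, L973, L975). Inverting the test keeps verification as the fallback: `if [ "$VERIFY_CA" == "False" ]; then VERIFY_CA="-k"; else VERIFY_CA=""; fi`. A short comment such as `# VERIFY_CA arrives as the Heat boolean string; turn it into a curl flag` would also make the in-place reassignment less surprising to the next reader. The same block is duplicated verbatim in write-swarm-worker-service.sh.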
diff --git a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh
index 6bc8448..bc947a8 100644
--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh
@@ -4,6 +4,12 @@
4 4
5set -x 5set -x
6 6
7if [ "$VERIFY_CA" == "True" ]; then
8 VERIFY_CA=""
9else
10 VERIFY_CA="-k"
11fi
12
7if [ "${TLS_DISABLED}" = 'False' ]; then 13if [ "${TLS_DISABLED}" = 'False' ]; then
8 tls="--tlsverify" 14 tls="--tlsverify"
9 tls=$tls" --tlscacert=/etc/docker/ca.crt" 15 tls=$tls" --tlscacert=/etc/docker/ca.crt"
@@ -22,7 +28,7 @@ do
22done 28done
23 29
24if [[ -z \$token ]] ; then 30if [[ -z \$token ]] ; then
25 sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'" 31 sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
26fi 32fi
27 33
28i=0 34i=0
@@ -33,9 +39,9 @@ do
33 sleep 5 39 sleep 5
34done 40done
35if [[ \$i -ge 5 ]] ; then 41if [[ \$i -ge 5 ]] ; then
36 sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'" 42 sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'"
37else 43else
38 sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'" 44 sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'"
39fi 45fi
40START_SWARM_BIN 46START_SWARM_BIN
41 47
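Review bot: The `VERIFY_CA` translation at L987–L991 has the same fail-open shape as the master script: anything but the literal `True` turns into `-k`, so an empty or unexpected value quietly skips CA validation on the signals at L1000, L1008 and L1010. Prefer `if [ "$VERIFY_CA" == "False" ]; then VERIFY_CA="-k"; else VERIFY_CA=""; fi` so the default is to verify. Since the block is byte-identical in both swarm v2 service scripts, computing the flag once where heat-params is written, rather than in each consumer, would remove the duplication.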
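--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml
@@ -179,6 +179,9 @@ parameters:
 other hosts are using the volume
 default: "false"
 
+verify_ca:
+type: boolean
+description: whether or not to validate certificate authority
 
 resources:
 
@@ -301,6 +304,7 @@ resources:
 auth_url: {get_param: auth_url}
 volume_driver: {get_param: volume_driver}
 rexray_preempt: {get_param: rexray_preempt}
+verify_ca: {get_param: verify_ca}
 
 swarm_secondary_masters:
 type: "OS::Heat::ResourceGroup"
@@ -342,6 +346,7 @@ resources:
 auth_url: {get_param: auth_url}
 volume_driver: {get_param: volume_driver}
 rexray_preempt: {get_param: rexray_preempt}
+verify_ca: {get_param: verify_ca}
 
 swarm_nodes:
 type: "OS::Heat::ResourceGroup"
@@ -383,6 +388,7 @@ resources:
 auth_url: {get_param: auth_url}
 volume_driver: {get_param: volume_driver}
 rexray_preempt: {get_param: rexray_preempt}
+verify_ca: {get_param: verify_ca}
 
 outputs:
 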
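--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml
@@ -135,6 +135,10 @@ parameters:
     description: whether this master is primary or not
     default: False
 
+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
 resources:
 
   master_wait_handle:
@@ -195,6 +199,7 @@ resources:
             "$AUTH_URL": {get_param: auth_url}
             "$VOLUME_DRIVER": {get_param: volume_driver}
             "$REXRAY_PREEMPT": {get_param: rexray_preempt}
+            "$VERIFY_CA": {get_param: verify_ca}
 
   remove_docker_key:
     type: "OS::Heat::SoftwareConfig"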
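Review bot: The new `verify_ca` parameter is declared without a `default:`, unlike the neighbouring parameters (`default: False`, `default: "false"`), so the template fails validation unless the parent cluster template always supplies it, and any future caller that omits it gets an error rather than the fail-safe behaviour of validating the CA; adding `default: true` under the `type: boolean` line keeps CA validation on whenever the value is not explicitly passed. The same omission is in the swarmnode.yaml section below. Note also that `"$VERIFY_CA"` is substituted into a shell/python fragment via str_replace, so the consuming fragment should accept whatever string form Heat renders a boolean as (it may be `True`/`False` rather than `true`/`false`); that fragment is outside this section, so I cannot confirm it here. The SoftwareConfig resource these params belong to begins outside the hunk.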
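--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml
@@ -127,6 +127,10 @@ parameters:
       other hosts are using the volume
     default: "false"
 
+  verify_ca:
+    type: boolean
+    description: whether or not to validate certificate authority
+
 resources:
 
   node_wait_handle:
@@ -172,6 +176,7 @@ resources:
             "$AUTH_URL": {get_param: auth_url}
             "$VOLUME_DRIVER": {get_param: volume_driver}
             "$REXRAY_PREEMPT": {get_param: rexray_preempt}
+            "$VERIFY_CA": {get_param: verify_ca}
 
   remove_docker_key:
     type: "OS::Heat::SoftwareConfig"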
diff --git a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
index 2fc0725..6cf4947 100644
--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@@ -225,6 +225,7 @@ class TestClusterConductorWithK8s(base.TestCase):
225 'auth_url': 'http://192.168.10.10:5000/v3', 225 'auth_url': 'http://192.168.10.10:5000/v3',
226 'insecure_registry_url': '10.0.0.1:5000', 226 'insecure_registry_url': '10.0.0.1:5000',
227 'kube_version': 'fake-version', 227 'kube_version': 'fake-version',
228 'verify_ca': True,
228 } 229 }
229 if missing_attr is not None: 230 if missing_attr is not None:
230 expected.pop(mapping[missing_attr], None) 231 expected.pop(mapping[missing_attr], None)
@@ -319,6 +320,7 @@ class TestClusterConductorWithK8s(base.TestCase):
319 'volume_driver': 'volume_driver', 320 'volume_driver': 'volume_driver',
320 'insecure_registry_url': '10.0.0.1:5000', 321 'insecure_registry_url': '10.0.0.1:5000',
321 'kube_version': 'fake-version', 322 'kube_version': 'fake-version',
323 'verify_ca': True,
322 } 324 }
323 325
324 self.assertEqual(expected, definition) 326 self.assertEqual(expected, definition)
@@ -398,7 +400,8 @@ class TestClusterConductorWithK8s(base.TestCase):
398 'trustee_password': 'fake_trustee_password', 400 'trustee_password': 'fake_trustee_password',
399 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', 401 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
400 'trustee_username': 'fake_trustee', 402 'trustee_username': 'fake_trustee',
401 'username': 'fake_user' 403 'username': 'fake_user',
404 'verify_ca': True,
402 } 405 }
403 self.assertEqual(expected, definition) 406 self.assertEqual(expected, definition)
404 self.assertEqual( 407 self.assertEqual(
@@ -475,6 +478,7 @@ class TestClusterConductorWithK8s(base.TestCase):
475 'magnum_url': self.mock_osc.magnum_url.return_value, 478 'magnum_url': self.mock_osc.magnum_url.return_value,
476 'insecure_registry_url': '10.0.0.1:5000', 479 'insecure_registry_url': '10.0.0.1:5000',
477 'kube_version': 'fake-version', 480 'kube_version': 'fake-version',
481 'verify_ca': True,
478 } 482 }
479 self.assertEqual(expected, definition) 483 self.assertEqual(expected, definition)
480 self.assertEqual( 484 self.assertEqual(
@@ -546,6 +550,7 @@ class TestClusterConductorWithK8s(base.TestCase):
546 'magnum_url': self.mock_osc.magnum_url.return_value, 550 'magnum_url': self.mock_osc.magnum_url.return_value,
547 'insecure_registry_url': '10.0.0.1:5000', 551 'insecure_registry_url': '10.0.0.1:5000',
548 'kube_version': 'fake-version', 552 'kube_version': 'fake-version',
553 'verify_ca': True,
549 } 554 }
550 self.assertEqual(expected, definition) 555 self.assertEqual(expected, definition)
551 self.assertEqual( 556 self.assertEqual(
@@ -731,6 +736,7 @@ class TestClusterConductorWithK8s(base.TestCase):
731 'auth_url': 'http://192.168.10.10:5000/v3', 736 'auth_url': 'http://192.168.10.10:5000/v3',
732 'insecure_registry_url': '10.0.0.1:5000', 737 'insecure_registry_url': '10.0.0.1:5000',
733 'kube_version': 'fake-version', 738 'kube_version': 'fake-version',
739 'verify_ca': True,
734 } 740 }
735 self.assertEqual(expected, definition) 741 self.assertEqual(expected, definition)
736 self.assertEqual( 742 self.assertEqual(
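Review bot: Every expected definition in this file now pins `'verify_ca': True`, which is just the conf default, but no case overrides the option to False and checks that the value reaches the template definition, so a regression that ignored the setting and always emitted True would still pass; the same gap exists in the test_mesos_cluster_conductor.py and test_swarm_cluster_conductor.py sections below. One test per driver that sets the new option to False in the fixture configuration and asserts `'verify_ca': False` in `definition` would cover the disable path, which is the security-relevant one. The test methods that build these `expected` dicts begin outside the hunks.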
diff --git a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
index 2ecb1b2..ed6edcb 100644
--- a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
@@ -137,7 +137,8 @@ class TestClusterConductorWithMesos(base.TestCase):
137 'mesos_slave_executor_env_variables': '{}', 137 'mesos_slave_executor_env_variables': '{}',
138 'mesos_slave_isolation': 'docker/runtime,filesystem/linux', 138 'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
139 'mesos_slave_work_dir': '/tmp/mesos/slave', 139 'mesos_slave_work_dir': '/tmp/mesos/slave',
140 'mesos_slave_image_providers': 'docker' 140 'mesos_slave_image_providers': 'docker',
141 'verify_ca': True,
141 } 142 }
142 self.assertEqual(expected, definition) 143 self.assertEqual(expected, definition)
143 self.assertEqual( 144 self.assertEqual(
@@ -192,6 +193,7 @@ class TestClusterConductorWithMesos(base.TestCase):
192 'mesos_slave_work_dir': '/tmp/mesos/slave', 193 'mesos_slave_work_dir': '/tmp/mesos/slave',
193 'mesos_slave_image_providers': 'docker', 194 'mesos_slave_image_providers': 'docker',
194 'master_flavor': 'master_flavor_id', 195 'master_flavor': 'master_flavor_id',
196 'verify_ca': True,
195 } 197 }
196 self.assertEqual(expected, definition) 198 self.assertEqual(expected, definition)
197 self.assertEqual( 199 self.assertEqual(
@@ -248,7 +250,8 @@ class TestClusterConductorWithMesos(base.TestCase):
248 'mesos_slave_executor_env_variables': '{}', 250 'mesos_slave_executor_env_variables': '{}',
249 'mesos_slave_isolation': 'docker/runtime,filesystem/linux', 251 'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
250 'mesos_slave_work_dir': '/tmp/mesos/slave', 252 'mesos_slave_work_dir': '/tmp/mesos/slave',
251 'mesos_slave_image_providers': 'docker' 253 'mesos_slave_image_providers': 'docker',
254 'verify_ca': True,
252 } 255 }
253 self.assertEqual(expected, definition) 256 self.assertEqual(expected, definition)
254 self.assertEqual( 257 self.assertEqual(
@@ -306,7 +309,8 @@ class TestClusterConductorWithMesos(base.TestCase):
306 'mesos_slave_executor_env_variables': '{}', 309 'mesos_slave_executor_env_variables': '{}',
307 'mesos_slave_isolation': 'docker/runtime,filesystem/linux', 310 'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
308 'mesos_slave_work_dir': '/tmp/mesos/slave', 311 'mesos_slave_work_dir': '/tmp/mesos/slave',
309 'mesos_slave_image_providers': 'docker' 312 'mesos_slave_image_providers': 'docker',
313 'verify_ca': True,
310 } 314 }
311 self.assertEqual(expected, definition) 315 self.assertEqual(expected, definition)
312 self.assertEqual( 316 self.assertEqual(
diff --git a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
index 0b2bcbe..315c1bd 100644
--- a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
@@ -160,7 +160,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
160 'swarm_strategy': u'spread', 160 'swarm_strategy': u'spread',
161 'volume_driver': 'rexray', 161 'volume_driver': 'rexray',
162 'rexray_preempt': 'False', 162 'rexray_preempt': 'False',
163 'docker_volume_type': 'lvmdriver-1' 163 'docker_volume_type': 'lvmdriver-1',
164 'verify_ca': True,
164 } 165 }
165 self.assertEqual(expected, definition) 166 self.assertEqual(expected, definition)
166 self.assertEqual( 167 self.assertEqual(
@@ -236,7 +237,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
236 'swarm_strategy': u'spread', 237 'swarm_strategy': u'spread',
237 'volume_driver': 'rexray', 238 'volume_driver': 'rexray',
238 'rexray_preempt': 'False', 239 'rexray_preempt': 'False',
239 'docker_volume_type': 'lvmdriver-1' 240 'docker_volume_type': 'lvmdriver-1',
241 'verify_ca': True,
240 } 242 }
241 self.assertEqual(expected, definition) 243 self.assertEqual(expected, definition)
242 self.assertEqual( 244 self.assertEqual(
@@ -306,6 +308,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
306 'docker_volume_type': 'lvmdriver-1', 308 'docker_volume_type': 'lvmdriver-1',
307 'docker_volume_size': 20, 309 'docker_volume_size': 20,
308 'master_flavor': 'master_flavor_id', 310 'master_flavor': 'master_flavor_id',
311 'verify_ca': True,
309 } 312 }
310 self.assertEqual(expected, definition) 313 self.assertEqual(expected, definition)
311 self.assertEqual( 314 self.assertEqual(
@@ -375,7 +378,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
375 'swarm_strategy': u'spread', 378 'swarm_strategy': u'spread',
376 'volume_driver': 'rexray', 379 'volume_driver': 'rexray',
377 'rexray_preempt': 'False', 380 'rexray_preempt': 'False',
378 'docker_volume_type': 'lvmdriver-1' 381 'docker_volume_type': 'lvmdriver-1',
382 'verify_ca': True,
379 } 383 }
380 self.assertEqual(expected, definition) 384 self.assertEqual(expected, definition)
381 self.assertEqual( 385 self.assertEqual(
@@ -446,7 +450,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
446 'swarm_strategy': u'spread', 450 'swarm_strategy': u'spread',
447 'volume_driver': 'rexray', 451 'volume_driver': 'rexray',
448 'rexray_preempt': 'False', 452 'rexray_preempt': 'False',
449 'docker_volume_type': 'lvmdriver-1' 453 'docker_volume_type': 'lvmdriver-1',
454 'verify_ca': True,
450 } 455 }
451 self.assertEqual(expected, definition) 456 self.assertEqual(expected, definition)
452 self.assertEqual( 457 self.assertEqual(
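--- /dev/null
+++ b/releasenotes/notes/bug-1663757-198e1aa8fa810984.yaml
@@ -0,0 +1,12 @@
+---
+fixes:
+  - |
+    [`bug 1663757 <https://bugs.launchpad.net/magnum/+bug/1663757>`_]
+    A configuration parameter, verify_ca, was added to magnum.conf
+    with a default value of True and passed to the heat templates to indicate
+    whether the cluster nodes validate the Certificate Authority when making
+    requests to the OpenStack APIs (Keystone, Magnum, Heat). This parameter
+    can be set to False to disable CA validation if you have self-signed
+    certificates for the OpenStack APIs or you have your own Certificate
+    Authority and you have not installed the Certificate Authority to all
+    nodes.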