Merge "Add verify_ca configuration parameter"
commit
d9430cbf4d
|
@ -178,7 +178,11 @@ specified). If it fails, that means the credential you provided is invalid.
|
|||
|
||||
TLS
|
||||
---
|
||||
*To be filled in*
|
||||
The cluster nodes will validate the Certificate Authority by default
|
||||
when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
|
||||
If you need to disable CA validation, the configuration parameter
|
||||
verify_ca can be set to False. More information on `CA Validation
|
||||
<https://bugs.launchpad.net/magnum/+bug/1663757>`_.
|
||||
|
||||
|
||||
Barbican service
|
||||
|
|
|
@ -26,6 +26,7 @@ from magnum.conf import conductor
|
|||
from magnum.conf import database
|
||||
from magnum.conf import docker
|
||||
from magnum.conf import docker_registry
|
||||
from magnum.conf import drivers
|
||||
from magnum.conf import glance
|
||||
from magnum.conf import heat
|
||||
from magnum.conf import keystone
|
||||
|
@ -54,6 +55,7 @@ conductor.register_opts(CONF)
|
|||
database.register_opts(CONF)
|
||||
docker.register_opts(CONF)
|
||||
docker_registry.register_opts(CONF)
|
||||
drivers.register_opts(CONF)
|
||||
glance.register_opts(CONF)
|
||||
heat.register_opts(CONF)
|
||||
keystone.register_opts(CONF)
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy
|
||||
# of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
from oslo_config import cfg
|
||||
|
||||
drivers_group = cfg.OptGroup(name='drivers',
|
||||
title='Options for the Drivers')
|
||||
|
||||
drivers_opts = [
|
||||
cfg.BoolOpt('verify_ca',
|
||||
default=True,
|
||||
help='Indicates whether the cluster nodes validate the '
|
||||
'Certificate Authority when making requests to the '
|
||||
'OpenStack APIs (Keystone, Magnum, Heat). If you have '
|
||||
'self-signed certificates for the OpenStack APIs or '
|
||||
'you have your own Certificate Authority and you '
|
||||
'have not installed the Certificate Authority to all '
|
||||
'nodes, you may need to disable CA validation by '
|
||||
'setting this flag to False.')
|
||||
]
|
||||
|
||||
|
||||
def register_opts(conf):
|
||||
conf.register_group(drivers_group)
|
||||
conf.register_opts(drivers_opts, group=drivers_group)
|
||||
|
||||
|
||||
def list_opts():
|
||||
return {
|
||||
drivers_group: drivers_opts,
|
||||
}
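Review bot: The help string for `verify_ca` says when an operator might turn validation off but not what is lost by doing so. With the flag set to False, the node scripts changed in this commit call curl with `-k` and `requests` with `verify=False` while posting to `$AUTH_URL/auth/tokens` and sending `X-Auth-Token`, so the nodes no longer authenticate the Keystone, Magnum or Heat endpoints. I would append a sentence to the help text such as `'Disabling validation means the nodes cannot authenticate these endpoints; prefer installing the CA on the nodes.'`. `register_opts` and `list_opts` also lack docstrings; one line each (registers the `drivers` group and its options on `conf`; returns the group-to-options mapping) would match their visible bodies.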
|
|
@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then
|
|||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$VERIFY_CA" == "True" ]; then
|
||||
VERIFY_CA=""
|
||||
else
|
||||
VERIFY_CA="-k"
|
||||
fi
|
||||
|
||||
cert_dir=/etc/kubernetes/certs
|
||||
|
||||
mkdir -p "$cert_dir"
|
||||
|
@ -55,11 +61,11 @@ EOF
|
|||
|
||||
content_type='Content-Type: application/json'
|
||||
url="$AUTH_URL/auth/tokens"
|
||||
USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \
|
||||
USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \
|
||||
| grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'`
|
||||
|
||||
# Get CA certificate for this cluster
|
||||
curl -k -X GET \
|
||||
curl $VERIFY_CA -X GET \
|
||||
-H "X-Auth-Token: $USER_TOKEN" \
|
||||
-H "OpenStack-API-Version: container-infra latest" \
|
||||
$MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > $CA_CERT
|
||||
|
@ -93,7 +99,7 @@ openssl req -new -days 1000 \
|
|||
|
||||
# Send csr to Magnum to have it signed
|
||||
csr_req=$(python -c "import json; fp = open('${CLIENT_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")
|
||||
curl -k -X POST \
|
||||
curl $VERIFY_CA -X POST \
|
||||
-H "X-Auth-Token: $USER_TOKEN" \
|
||||
-H "OpenStack-API-Version: container-infra latest" \
|
||||
-H "Content-Type: application/json" \
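Review bot: The added `if [ "$VERIFY_CA" == "True" ]` block fails open: any value other than the exact string `True` (unset, empty, `true`) selects `-k`, so a node whose parameter file lacks the new variable would silently skip certificate validation. Inverting the test keeps validation as the fallback, and a separate name avoids overwriting the input: `if [ "$VERIFY_CA" == "False" ]; then CURL_CA_FLAG="-k"; else CURL_CA_FLAG=""; fi`, with the three curl calls using `$CURL_CA_FLAG`. The same block is repeated in the other certificate, notify and swarm scripts changed by this commit. The start and end of the script are outside the hunks shown.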
|
||||
|
|
|
@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then
|
|||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$VERIFY_CA" == "True" ]; then
|
||||
VERIFY_CA=""
|
||||
else
|
||||
VERIFY_CA="-k"
|
||||
fi
|
||||
|
||||
if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then
|
||||
KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
|
||||
fi
|
||||
|
@ -87,11 +93,11 @@ EOF
|
|||
|
||||
content_type='Content-Type: application/json'
|
||||
url="$AUTH_URL/auth/tokens"
|
||||
USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \
|
||||
USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \
|
||||
| grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'`
|
||||
|
||||
# Get CA certificate for this cluster
|
||||
curl -k -X GET \
|
||||
curl $VERIFY_CA -X GET \
|
||||
-H "X-Auth-Token: $USER_TOKEN" \
|
||||
-H "OpenStack-API-Version: container-infra latest" \
|
||||
$MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${CA_CERT}
|
||||
|
@ -120,7 +126,7 @@ openssl req -new -days 1000 \
|
|||
|
||||
# Send csr to Magnum to have it signed
|
||||
csr_req=$(python -c "import json; fp = open('${SERVER_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")
|
||||
curl -k -X POST \
|
||||
curl $VERIFY_CA -X POST \
|
||||
-H "X-Auth-Token: $USER_TOKEN" \
|
||||
-H "OpenStack-API-Version: container-infra latest" \
|
||||
-H "Content-Type: application/json" \
|
||||
|
|
|
@ -11,7 +11,7 @@ until curl -sf "http://127.0.0.1:8080/healthz"; do
|
|||
echo "Waiting for Kubernetes API..."
|
||||
sleep 5
|
||||
done
|
||||
$WAIT_CURL --data-binary '{"status": "SUCCESS"}'
|
||||
$WAIT_CURL $VERIFY_CA --data-binary '{"status": "SUCCESS"}'
|
||||
EOF
|
||||
|
||||
cat > $WC_NOTIFY_SERVICE <<EOF
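Review bot: Nothing in this hunk turns `VERIFY_CA` into a curl option before `$WAIT_CURL $VERIFY_CA --data-binary '{"status": "SUCCESS"}'` is written into the heredoc, unlike the other scripts in this commit, which first map it to an empty string or `-k`. If the first ten lines of the file (outside the hunk) do not do that mapping, the value reaching curl is presumably the literal `True` or `False` written by the params fragment (`VERIFY_CA="$VERIFY_CA"`). curl would then treat it as an extra URL rather than a flag, and validation would stay on whatever the setting. Adding the same mapping above the heredoc would make the option take effect here.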
|
||||
|
|
|
@ -30,6 +30,7 @@ write_files:
|
|||
CLUSTER_SUBNET="$CLUSTER_SUBNET"
|
||||
TLS_DISABLED="$TLS_DISABLED"
|
||||
KUBE_DASHBOARD_ENABLED="$KUBE_DASHBOARD_ENABLED"
|
||||
VERIFY_CA="$VERIFY_CA"
|
||||
CLUSTER_UUID="$CLUSTER_UUID"
|
||||
MAGNUM_URL="$MAGNUM_URL"
|
||||
VOLUME_DRIVER="$VOLUME_DRIVER"
|
||||
|
|
|
@ -24,6 +24,7 @@ write_files:
|
|||
REGISTRY_INSECURE="$REGISTRY_INSECURE"
|
||||
REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
|
||||
TLS_DISABLED="$TLS_DISABLED"
|
||||
VERIFY_CA="$VERIFY_CA"
|
||||
CLUSTER_UUID="$CLUSTER_UUID"
|
||||
MAGNUM_URL="$MAGNUM_URL"
|
||||
AUTH_URL="$AUTH_URL"
|
||||
|
|
|
@ -4,6 +4,12 @@
|
|||
|
||||
echo "notifying heat"
|
||||
|
||||
if [ "$VERIFY_CA" == "True" ]; then
|
||||
VERIFY_CA=""
|
||||
else
|
||||
VERIFY_CA="-k"
|
||||
fi
|
||||
|
||||
STATUS="SUCCESS"
|
||||
REASON="Setup complete"
|
||||
DATA="OK"
|
||||
|
@ -11,4 +17,4 @@ UUID=`uuidgen`
|
|||
|
||||
data=$(echo '{"status": "'${STATUS}'", "reason": "'$REASON'", "data": "'${DATA}'", "id": "'$UUID'"}')
|
||||
|
||||
sh -c "${WAIT_CURL} --data-binary '${data}'"
|
||||
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '${data}'"
|
||||
|
|
|
@ -81,13 +81,14 @@ def _build_subject_alt_names(config):
|
|||
return ','.join(subject_alt_names)
|
||||
|
||||
|
||||
def write_ca_cert(config):
|
||||
def write_ca_cert(config, verify_ca):
|
||||
cluster_cert_url = '%s/certificates/%s' % (config['MAGNUM_URL'],
|
||||
config['CLUSTER_UUID'])
|
||||
headers = {'X-Auth-Token': config['USER_TOKEN'],
|
||||
'OpenStack-API-Version': 'container-infra latest'}
|
||||
ca_cert_resp = requests.get(cluster_cert_url,
|
||||
headers=headers)
|
||||
headers=headers,
|
||||
verify=verify_ca)
|
||||
|
||||
with open(CA_CERT_PATH, 'w') as fp:
|
||||
fp.write(ca_cert_resp.json()['pem'])
|
||||
|
@ -121,7 +122,7 @@ def create_server_csr(config):
|
|||
return {'cluster_uuid': config['CLUSTER_UUID'], 'csr': fp.read()}
|
||||
|
||||
|
||||
def write_server_cert(config, csr_req):
|
||||
def write_server_cert(config, csr_req, verify_ca):
|
||||
cert_url = '%s/certificates' % config['MAGNUM_URL']
|
||||
headers = {
|
||||
'Content-Type': 'application/json',
|
||||
|
@ -130,13 +131,14 @@ def write_server_cert(config, csr_req):
|
|||
}
|
||||
csr_resp = requests.post(cert_url,
|
||||
data=json.dumps(csr_req),
|
||||
headers=headers)
|
||||
headers=headers,
|
||||
verify=verify_ca)
|
||||
|
||||
with open(SERVER_CERT_PATH, 'w') as fp:
|
||||
fp.write(csr_resp.json()['pem'])
|
||||
|
||||
|
||||
def get_user_token(config):
|
||||
def get_user_token(config, verify_ca):
|
||||
creds_str = '''
|
||||
{
|
||||
"auth": {
|
||||
|
@ -161,7 +163,7 @@ def get_user_token(config):
|
|||
creds = creds_str % params
|
||||
headers = {'Content-Type': 'application/json'}
|
||||
url = config['AUTH_URL'] + '/auth/tokens'
|
||||
r = requests.post(url, headers=headers, data=creds)
|
||||
r = requests.post(url, headers=headers, data=creds, verify=verify_ca)
|
||||
config['USER_TOKEN'] = r.headers['X-Subject-Token']
|
||||
return config
|
||||
|
||||
|
@ -169,12 +171,13 @@ def get_user_token(config):
|
|||
def main():
|
||||
config = load_config()
|
||||
if config['TLS_DISABLED'] == 'False':
|
||||
verify_ca = True if config['VERIFY_CA'] == 'True' else False
|
||||
create_dirs()
|
||||
config = get_user_token(config)
|
||||
write_ca_cert(config)
|
||||
config = get_user_token(config, verify_ca)
|
||||
write_ca_cert(config, verify_ca)
|
||||
write_server_key()
|
||||
csr_req = create_server_csr(config)
|
||||
write_server_cert(config, csr_req)
|
||||
write_server_cert(config, csr_req, verify_ca)
|
||||
|
||||
|
||||
if __name__ == '__main__':
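Review bot: `verify_ca = True if config['VERIFY_CA'] == 'True' else False` in `main()` turns verification off for every value except the exact string `True`, and the conditional expression around a comparison is redundant. Treating only an explicit `False` as the opt-out keeps validation as the fallback: `verify_ca = config.get('VERIFY_CA', 'True') != 'False'` (assuming `config` is a plain dict, as its use here suggests). With `verify=False` the three `requests` calls still send the credentials and `X-Auth-Token`, so a short comment at this line saying so would help the next reader. The `if __name__` block continues past the hunk.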
|
||||
|
|
|
@ -11,5 +11,5 @@ write_files:
|
|||
[Service]
|
||||
Type=simple
|
||||
TimeoutStartSec=0
|
||||
ExecStart=/usr/bin/$WAIT_CURL \
|
||||
ExecStart=/usr/bin/$WAIT_CURL $VERIFY_CA \
|
||||
--data-binary '{"status": "FAILURE", "reason": "$SERVICE service failed to start.", "data": "Failure"}'
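Review bot: `$VERIFY_CA` on the `ExecStart` line will probably not become a curl option. The template hunks further down that set `"$SERVICE"` and `"$WAIT_CURL"` pass `"$VERIFY_CA": {get_param: verify_ca}` into the same substitution, so the text placed after the curl command would be the boolean's string form rather than `-k` or nothing, and no shell runs here to map it. The inline `wc_notify $VERIFY_CA --data-binary` template and the `command="$WAIT_CURL $VERIFY_CA ..."` line later in the commit look to have the same problem. One option is to substitute a separate param, for example `"$CURL_CA_FLAG"`, whose value is already either empty or `-k`, and use that on these lines.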
|
||||
|
|
|
@ -18,6 +18,7 @@ write_files:
|
|||
CLUSTER_UUID="$CLUSTER_UUID"
|
||||
MAGNUM_URL="$MAGNUM_URL"
|
||||
TLS_DISABLED="$TLS_DISABLED"
|
||||
VERIFY_CA="$VERIFY_CA"
|
||||
NETWORK_DRIVER="$NETWORK_DRIVER"
|
||||
FLANNEL_NETWORK_CIDR="$FLANNEL_NETWORK_CIDR"
|
||||
FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
|
||||
|
|
|
@ -17,6 +17,7 @@ write_files:
|
|||
CLUSTER_UUID="$CLUSTER_UUID"
|
||||
MAGNUM_URL="$MAGNUM_URL"
|
||||
TLS_DISABLED="$TLS_DISABLED"
|
||||
VERIFY_CA="$VERIFY_CA"
|
||||
NETWORK_DRIVER="$NETWORK_DRIVER"
|
||||
ETCD_SERVER_IP="$ETCD_SERVER_IP"
|
||||
API_IP_ADDRESS="$API_IP_ADDRESS"
|
||||
|
|
|
@ -4,6 +4,12 @@
|
|||
|
||||
myip="$SWARM_NODE_IP"
|
||||
|
||||
if [ "$VERIFY_CA" == "True" ]; then
|
||||
VERIFY_CA=""
|
||||
else
|
||||
VERIFY_CA="-k"
|
||||
fi
|
||||
|
||||
CONF_FILE=/etc/systemd/system/swarm-agent.service
|
||||
CERT_DIR=/etc/docker
|
||||
PROTOCOL=https
|
||||
|
@ -76,7 +82,7 @@ do
|
|||
sleep 5
|
||||
done
|
||||
|
||||
${WAIT_CURL} \
|
||||
${WAIT_CURL} {$VERIFY_CA} \
|
||||
--data-binary '{"status": "SUCCESS", "reason": "Swarm agent ready", "data": "OK", "id": "${UUID}"}'
|
||||
EOF
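Review bot: `${WAIT_CURL} {$VERIFY_CA} \` has the opening brace on the wrong side of the dollar sign, so the braces are literal and curl receives the value wrapped in `{}` as a positional argument instead of an option. The line should read `${WAIT_CURL} ${VERIFY_CA} \`, matching the other notify calls in this commit. The heredoc this line belongs to starts outside the hunk.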
|
||||
|
||||
|
|
|
@ -2,6 +2,12 @@
|
|||
|
||||
CERT_DIR=/etc/docker
|
||||
|
||||
if [ "$VERIFY_CA" == "True" ]; then
|
||||
VERIFY_CA=""
|
||||
else
|
||||
VERIFY_CA="-k"
|
||||
fi
|
||||
|
||||
cat > /etc/systemd/system/swarm-manager.service << END_SERVICE_TOP
|
||||
[Unit]
|
||||
Description=Swarm Manager
|
||||
|
@ -46,7 +52,7 @@ cat >> /etc/systemd/system/swarm-manager.service << END_SERVICE_BOTTOM
|
|||
etcd://$ETCD_SERVER_IP:2379/v2/keys/swarm/
|
||||
ExecStop=/usr/bin/docker stop swarm-manager
|
||||
Restart=always
|
||||
ExecStartPost=/usr/bin/$WAIT_CURL \\
|
||||
ExecStartPost=/usr/bin/$WAIT_CURL $VERIFY_CA \\
|
||||
--data-binary '{"status": "SUCCESS", "reason": "Setup complete", "data": "OK", "id": "$UUID"}'
|
||||
|
||||
[Install]
|
||||
|
|
|
@ -244,6 +244,7 @@ class BaseTemplateDefinition(TemplateDefinition):
|
|||
extra_params['trustee_user_id'] = cluster.trustee_user_id
|
||||
extra_params['trustee_username'] = cluster.trustee_username
|
||||
extra_params['trustee_password'] = cluster.trustee_password
|
||||
extra_params['verify_ca'] = CONF.drivers.verify_ca
|
||||
|
||||
# Only pass trust ID into the template if allowed by the config file
|
||||
if CONF.trust.cluster_user_trust:
|
||||
|
|
|
@ -40,6 +40,12 @@ write_files:
|
|||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$VERIFY_CA" == "True" ]; then
|
||||
VERIFY_CA=""
|
||||
else
|
||||
VERIFY_CA="-k"
|
||||
fi
|
||||
|
||||
cert_conf_dir=${KUBE_CERTS_PATH}/conf
|
||||
|
||||
mkdir -p ${cert_conf_dir}
|
||||
|
@ -72,12 +78,12 @@ write_files:
|
|||
}
|
||||
EOF
|
||||
|
||||
USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
|
||||
USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
|
||||
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
|
||||
|
||||
rm -rf auth.json
|
||||
|
||||
ca_cert_json=$(curl -k -X GET \
|
||||
ca_cert_json=$(curl $VERIFY_CA -X GET \
|
||||
-H "X-Auth-Token: $USER_TOKEN" \
|
||||
-H "OpenStack-API-Version: container-infra latest" \
|
||||
$MAGNUM_URL/certificates/$CLUSTER_UUID)
|
||||
|
@ -114,7 +120,7 @@ write_files:
|
|||
csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
|
||||
csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
|
||||
# Send csr to Magnum to have it signed
|
||||
client_cert_json=$(curl -k -X POST \
|
||||
client_cert_json=$(curl $VERIFY_CA -X POST \
|
||||
-H "X-Auth-Token: $USER_TOKEN" \
|
||||
-H "OpenStack-API-Version: container-infra latest" \
|
||||
-H "Content-Type: application/json" \
|
||||
|
|
|
@ -40,6 +40,12 @@ write_files:
|
|||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$VERIFY_CA" == "True" ]; then
|
||||
VERIFY_CA=""
|
||||
else
|
||||
VERIFY_CA="-k"
|
||||
fi
|
||||
|
||||
if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then
|
||||
KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
|
||||
fi
|
||||
|
@ -103,13 +109,13 @@ write_files:
|
|||
}
|
||||
EOF
|
||||
|
||||
USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
|
||||
USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
|
||||
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
|
||||
|
||||
rm -rf auth.json
|
||||
|
||||
# Get CA certificate for this cluster
|
||||
ca_cert_json=$(curl -k -X GET \
|
||||
ca_cert_json=$(curl $VERIFY_CA -X GET \
|
||||
-H "X-Auth-Token: $USER_TOKEN" \
|
||||
-H "OpenStack-API-Version: container-infra latest" \
|
||||
$MAGNUM_URL/certificates/$CLUSTER_UUID)
|
||||
|
@ -141,7 +147,7 @@ write_files:
|
|||
csr=$(cat $SERVER_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
|
||||
csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
|
||||
# Send csr to Magnum to have it signed
|
||||
server_cert_json=$(curl -k -X POST \
|
||||
server_cert_json=$(curl $VERIFY_CA -X POST \
|
||||
-H "X-Auth-Token: $USER_TOKEN" \
|
||||
-H "OpenStack-API-Version: container-infra latest" \
|
||||
-H "Content-Type: application/json" \
|
||||
|
|
|
@ -20,5 +20,5 @@ write_files:
|
|||
permissions: "0755"
|
||||
content: |
|
||||
#!/bin/bash -v
|
||||
command="$WAIT_CURL --insecure --data-binary '{\"status\": \"SUCCESS\"}'"
|
||||
command="$WAIT_CURL $VERIFY_CA --data-binary '{\"status\": \"SUCCESS\"}'"
|
||||
eval $(echo "$command")
|
||||
|
|
|
@ -25,6 +25,7 @@ write_files:
|
|||
TENANT_NAME="$TENANT_NAME"
|
||||
CLUSTER_SUBNET="$CLUSTER_SUBNET"
|
||||
TLS_DISABLED="$TLS_DISABLED"
|
||||
VERIFY_CA="$VERIFY_CA"
|
||||
CLUSTER_UUID="$CLUSTER_UUID"
|
||||
MAGNUM_URL="$MAGNUM_URL"
|
||||
HTTP_PROXY="$HTTP_PROXY"
|
||||
|
|
|
@ -21,6 +21,7 @@ write_files:
|
|||
REGISTRY_INSECURE="$REGISTRY_INSECURE"
|
||||
REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
|
||||
TLS_DISABLED="$TLS_DISABLED"
|
||||
VERIFY_CA="$VERIFY_CA"
|
||||
CLUSTER_UUID="$CLUSTER_UUID"
|
||||
MAGNUM_URL="$MAGNUM_URL"
|
||||
AUTH_URL="$AUTH_URL"
|
||||
|
|
|
@ -155,6 +155,10 @@ parameters:
|
|||
description: whether or not to disable kubernetes dashboard
|
||||
default: True
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
loadbalancing_protocol:
|
||||
type: string
|
||||
description: >
|
||||
|
@ -431,6 +435,7 @@ resources:
|
|||
kubernetes_port: {get_param: kubernetes_port}
|
||||
tls_disabled: {get_param: tls_disabled}
|
||||
kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
secgroup_kube_master_id: {get_resource: secgroup_master}
|
||||
http_proxy: {get_param: http_proxy}
|
||||
https_proxy: {get_param: https_proxy}
|
||||
|
@ -489,6 +494,7 @@ resources:
|
|||
network_driver: {get_param: network_driver}
|
||||
kubernetes_port: {get_param: kubernetes_port}
|
||||
tls_disabled: {get_param: tls_disabled}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
secgroup_kube_minion_id: {get_resource: secgroup_minion_all_open}
|
||||
http_proxy: {get_param: http_proxy}
|
||||
https_proxy: {get_param: https_proxy}
|
||||
|
|
|
@ -115,6 +115,10 @@ parameters:
|
|||
type: boolean
|
||||
description: whether or not to disable kubernetes dashboard
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
kubernetes_port:
|
||||
type: number
|
||||
description: >
|
||||
|
@ -280,6 +284,7 @@ resources:
|
|||
"$NETWORK_DRIVER": {get_param: network_driver}
|
||||
"$KUBE_API_PORT": {get_param: kubernetes_port}
|
||||
"$TLS_DISABLED": {get_param: tls_disabled}
|
||||
"$VERIFY_CA": {get_param: verify_ca}
|
||||
"$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
|
||||
"$KUBE_VERSION": {get_param: kube_version}
|
||||
"$KUBE_DASHBOARD_VERSION": {get_param: kube_dashboard_version}
|
||||
|
|
|
@ -42,6 +42,10 @@ parameters:
|
|||
type: boolean
|
||||
description: whether or not to enable TLS
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
kubernetes_port:
|
||||
type: number
|
||||
description: >
|
||||
|
@ -185,6 +189,7 @@ resources:
|
|||
"$WAIT_CURL": {get_attr: [minion_wait_handle, curl_cli]}
|
||||
"$KUBE_API_PORT": {get_param: kubernetes_port}
|
||||
"$TLS_DISABLED": {get_param: tls_disabled}
|
||||
"$VERIFY_CA": {get_param: verify_ca}
|
||||
"$NETWORK_DRIVER": {get_param: network_driver}
|
||||
"$ETCD_SERVER_IP": {get_param: etcd_server_ip}
|
||||
"$KUBE_VERSION": {get_param: kube_version}
|
||||
|
|
|
@ -252,6 +252,10 @@ parameters:
|
|||
description: whether or not to enable kubernetes dashboard
|
||||
default: True
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
kubernetes_port:
|
||||
type: number
|
||||
description: >
|
||||
|
@ -512,6 +516,7 @@ resources:
|
|||
kubernetes_port: {get_param: kubernetes_port}
|
||||
tls_disabled: {get_param: tls_disabled}
|
||||
kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
secgroup_kube_master_id: {get_resource: secgroup_kube_master}
|
||||
http_proxy: {get_param: http_proxy}
|
||||
https_proxy: {get_param: https_proxy}
|
||||
|
@ -580,6 +585,7 @@ resources:
|
|||
password: {get_param: password}
|
||||
kubernetes_port: {get_param: kubernetes_port}
|
||||
tls_disabled: {get_param: tls_disabled}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
secgroup_kube_minion_id: {get_resource: secgroup_kube_minion}
|
||||
http_proxy: {get_param: http_proxy}
|
||||
https_proxy: {get_param: https_proxy}
|
||||
|
|
|
@ -114,6 +114,10 @@ parameters:
|
|||
type: boolean
|
||||
description: whether or not to disable kubernetes dashboard
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
kubernetes_port:
|
||||
type: number
|
||||
description: >
|
||||
|
@ -324,6 +328,7 @@ resources:
|
|||
"$CLUSTER_SUBNET": {get_param: fixed_subnet}
|
||||
"$TLS_DISABLED": {get_param: tls_disabled}
|
||||
"$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
|
||||
"$VERIFY_CA": {get_param: verify_ca}
|
||||
"$CLUSTER_UUID": {get_param: cluster_uuid}
|
||||
"$MAGNUM_URL": {get_param: magnum_url}
|
||||
"$VOLUME_DRIVER": {get_param: volume_driver}
|
||||
|
|
|
@ -57,6 +57,10 @@ parameters:
|
|||
type: boolean
|
||||
description: whether or not to enable TLS
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
kubernetes_port:
|
||||
type: number
|
||||
description: >
|
||||
|
@ -269,6 +273,7 @@ resources:
|
|||
$REGISTRY_INSECURE: {get_param: registry_insecure}
|
||||
$REGISTRY_CHUNKSIZE: {get_param: registry_chunksize}
|
||||
$TLS_DISABLED: {get_param: tls_disabled}
|
||||
$VERIFY_CA: {get_param: verify_ca}
|
||||
$CLUSTER_UUID: {get_param: cluster_uuid}
|
||||
$MAGNUM_URL: {get_param: magnum_url}
|
||||
$USERNAME: {get_param: username}
|
||||
|
|
|
@ -250,6 +250,10 @@ parameters:
|
|||
description: whether or not to disable kubernetes dashboard
|
||||
default: True
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
kubernetes_port:
|
||||
type: number
|
||||
description: >
|
||||
|
@ -484,6 +488,7 @@ resources:
|
|||
kubernetes_port: {get_param: kubernetes_port}
|
||||
tls_disabled: {get_param: tls_disabled}
|
||||
kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
secgroup_base_id: {get_resource: secgroup_base}
|
||||
secgroup_kube_master_id: {get_resource: secgroup_kube_master}
|
||||
http_proxy: {get_param: http_proxy}
|
||||
|
@ -574,6 +579,7 @@ resources:
|
|||
password: {get_param: password}
|
||||
kubernetes_port: {get_param: kubernetes_port}
|
||||
tls_disabled: {get_param: tls_disabled}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
http_proxy: {get_param: http_proxy}
|
||||
https_proxy: {get_param: https_proxy}
|
||||
no_proxy: {get_param: no_proxy}
|
||||
|
|
|
@ -99,6 +99,10 @@ parameters:
|
|||
type: boolean
|
||||
description: whether or not to disable kubernetes dashboard
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
kubernetes_port:
|
||||
type: number
|
||||
description: >
|
||||
|
@ -289,6 +293,7 @@ resources:
|
|||
"$CLUSTER_SUBNET": {get_param: fixed_subnet}
|
||||
"$TLS_DISABLED": {get_param: tls_disabled}
|
||||
"$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
|
||||
"$VERIFY_CA": {get_param: verify_ca}
|
||||
"$CLUSTER_UUID": {get_param: cluster_uuid}
|
||||
"$MAGNUM_URL": {get_param: magnum_url}
|
||||
"$HTTP_PROXY": {get_param: http_proxy}
|
||||
|
|
|
@ -29,6 +29,10 @@ parameters:
|
|||
type: boolean
|
||||
description: whether or not to enable TLS
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
kubernetes_port:
|
||||
type: number
|
||||
description: >
|
||||
|
@ -203,6 +207,7 @@ resources:
|
|||
$REGISTRY_INSECURE: {get_param: registry_insecure}
|
||||
$REGISTRY_CHUNKSIZE: {get_param: registry_chunksize}
|
||||
$TLS_DISABLED: {get_param: tls_disabled}
|
||||
$VERIFY_CA: {get_param: verify_ca}
|
||||
$CLUSTER_UUID: {get_param: cluster_uuid}
|
||||
$MAGNUM_URL: {get_param: magnum_url}
|
||||
$USERNAME: {get_param: username}
|
||||
|
|
|
@ -64,6 +64,10 @@ parameters:
|
|||
enables any host to take control of a volume irrespective of whether
|
||||
other hosts are using the volume
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
mesos_slave_isolation:
|
||||
type: string
|
||||
description: >
|
||||
|
@ -154,9 +158,10 @@ resources:
|
|||
str_replace:
|
||||
template: |
|
||||
#!/bin/bash -v
|
||||
wc_notify --data-binary '{"status": "SUCCESS"}'
|
||||
wc_notify $VERIFY_CA --data-binary '{"status": "SUCCESS"}'
|
||||
params:
|
||||
wc_notify: {get_param: mesos_slave_wc_curl_cli}
|
||||
"$VERIFY_CA": {get_param: verify_ca}
|
||||
|
||||
add_proxy:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
|
|
|
@ -207,6 +207,10 @@ parameters:
|
|||
be empty when doing a create.
|
||||
default: []
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
resources:
|
||||
|
||||
######################################################################
|
||||
|
@ -458,6 +462,7 @@ resources:
|
|||
mesos_slave_image_providers: {get_param: mesos_slave_image_providers}
|
||||
mesos_slave_executor_env_variables: {get_param: mesos_slave_executor_env_variables}
|
||||
mesos_slave_wc_curl_cli: {get_attr: [slave_wait_handle, curl_cli]}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
|
||||
outputs:
|
||||
|
||||
|
|
|
@ -100,6 +100,10 @@ parameters:
|
|||
description: whether or not to enable TLS
|
||||
default: False
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
network_driver:
|
||||
type: string
|
||||
description: network driver to use for instantiating container networks
|
||||
|
@ -374,6 +378,7 @@ resources:
|
|||
cluster_uuid: {get_param: cluster_uuid}
|
||||
magnum_url: {get_param: magnum_url}
|
||||
tls_disabled: {get_param: tls_disabled}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
secgroup_swarm_master_id: {get_resource: secgroup_swarm_manager}
|
||||
network_driver: {get_param: network_driver}
|
||||
flannel_network_cidr: {get_param: flannel_network_cidr}
|
||||
|
@ -422,6 +427,7 @@ resources:
|
|||
cluster_uuid: {get_param: cluster_uuid}
|
||||
magnum_url: {get_param: magnum_url}
|
||||
tls_disabled: {get_param: tls_disabled}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
secgroup_swarm_node_id: {get_resource: secgroup_swarm_node}
|
||||
flannel_network_cidr: {get_param: flannel_network_cidr}
|
||||
network_driver: {get_param: network_driver}
|
||||
|
|
|
@ -90,6 +90,10 @@ parameters:
|
|||
type: boolean
|
||||
description: whether or not to enable TLS
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
network_driver:
|
||||
type: string
|
||||
description: network driver to use for instantiating container networks
|
||||
|
@ -243,6 +247,7 @@ resources:
|
|||
"$CLUSTER_UUID": {get_param: cluster_uuid}
|
||||
"$MAGNUM_URL": {get_param: magnum_url}
|
||||
"$TLS_DISABLED": {get_param: tls_disabled}
|
||||
"$VERIFY_CA": {get_param: verify_ca}
|
||||
"$NETWORK_DRIVER": {get_param: network_driver}
|
||||
"$FLANNEL_NETWORK_CIDR": {get_param: flannel_network_cidr}
|
||||
"$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
|
||||
|
@ -319,6 +324,7 @@ resources:
|
|||
params:
|
||||
"$SERVICE": swarm-manager
|
||||
"$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}
|
||||
"$VERIFY_CA": {get_param: verify_ca}
|
||||
|
||||
write_docker_socket:
|
||||
type: "OS::Heat::SoftwareConfig"
|
||||
|
@ -341,6 +347,7 @@ resources:
|
|||
"$HTTPS_PROXY": {get_param: https_proxy}
|
||||
"$NO_PROXY": {get_attr: [no_proxy_extended, value]}
|
||||
"$TLS_DISABLED": {get_param: tls_disabled}
|
||||
"$VERIFY_CA": {get_param: verify_ca}
|
||||
"$SWARM_VERSION": {get_param: swarm_version}
|
||||
"$SWARM_STRATEGY": {get_param: swarm_strategy}
|
||||
|
||||
|
|
|
@ -93,6 +93,10 @@ parameters:
|
|||
type: boolean
|
||||
description: whether or not to disable TLS
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
swarm_version:
|
||||
type: string
|
||||
description: version of swarm used for swarm cluster
|
||||
|
@ -220,6 +224,7 @@ resources:
|
|||
"$CLUSTER_UUID": {get_param: cluster_uuid}
|
||||
"$MAGNUM_URL": {get_param: magnum_url}
|
||||
"$TLS_DISABLED": {get_param: tls_disabled}
|
||||
"$VERIFY_CA": {get_param: verify_ca}
|
||||
"$NETWORK_DRIVER": {get_param: network_driver}
|
||||
"$ETCD_SERVER_IP": {get_param: etcd_server_ip}
|
||||
"$API_IP_ADDRESS": {get_param: api_ip_address}
|
||||
|
@ -295,6 +300,7 @@ resources:
|
|||
params:
|
||||
"$SERVICE": swarm-agent
|
||||
"$WAIT_CURL": {get_attr: [node_wait_handle, curl_cli]}
|
||||
"$VERIFY_CA": {get_param: verify_ca}
|
||||
|
||||
write_swarm_agent_service:
|
||||
type: "OS::Heat::SoftwareConfig"
|
||||
|
|
|
@ -26,3 +26,4 @@ write_files:
|
|||
AUTH_URL="$AUTH_URL"
|
||||
VOLUME_DRIVER="$VOLUME_DRIVER"
|
||||
REXRAY_PREEMPT="$REXRAY_PREEMPT"
|
||||
VERIFY_CA="$VERIFY_CA"
|
||||
|
|
|
@ -4,6 +4,12 @@
|
|||
|
||||
set -x
|
||||
|
||||
if [ "$VERIFY_CA" == "True" ]; then
|
||||
VERIFY_CA=""
|
||||
else
|
||||
VERIFY_CA="-k"
|
||||
fi
|
||||
|
||||
if [ "${IS_PRIMARY_MASTER}" = "True" ]; then
|
||||
cat > /usr/local/bin/magnum-start-swarm-manager << START_SWARM_BIN
|
||||
#!/bin/bash -xe
|
||||
|
@ -16,7 +22,7 @@ else
|
|||
status="FAILURE"
|
||||
msg="Failed to init swarm."
|
||||
fi
|
||||
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'"
|
||||
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'"
|
||||
START_SWARM_BIN
|
||||
else
|
||||
if [ "${TLS_DISABLED}" = 'False' ]; then
|
||||
|
@ -37,7 +43,7 @@ do
|
|||
done
|
||||
|
||||
if [[ -z \$token ]] ; then
|
||||
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
|
||||
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
|
||||
fi
|
||||
|
||||
i=0
|
||||
|
@ -48,9 +54,9 @@ do
|
|||
sleep 5
|
||||
done
|
||||
if [[ \$i -ge 5 ]] ; then
|
||||
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'"
|
||||
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'"
|
||||
else
|
||||
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'"
|
||||
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'"
|
||||
fi
|
||||
START_SWARM_BIN
|
||||
fi
|
||||
|
|
|
@ -4,6 +4,12 @@
|
|||
|
||||
set -x
|
||||
|
||||
if [ "$VERIFY_CA" == "True" ]; then
|
||||
VERIFY_CA=""
|
||||
else
|
||||
VERIFY_CA="-k"
|
||||
fi
|
||||
|
||||
if [ "${TLS_DISABLED}" = 'False' ]; then
|
||||
tls="--tlsverify"
|
||||
tls=$tls" --tlscacert=/etc/docker/ca.crt"
|
||||
|
@ -22,7 +28,7 @@ do
|
|||
done
|
||||
|
||||
if [[ -z \$token ]] ; then
|
||||
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
|
||||
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
|
||||
fi
|
||||
|
||||
i=0
|
||||
|
@ -33,9 +39,9 @@ do
|
|||
sleep 5
|
||||
done
|
||||
if [[ \$i -ge 5 ]] ; then
|
||||
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'"
|
||||
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'"
|
||||
else
|
||||
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'"
|
||||
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'"
|
||||
fi
|
||||
START_SWARM_BIN
|
||||
|
||||
|
|
|
@ -179,6 +179,9 @@ parameters:
|
|||
other hosts are using the volume
|
||||
default: "false"
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -301,6 +304,7 @@ resources:
|
|||
auth_url: {get_param: auth_url}
|
||||
volume_driver: {get_param: volume_driver}
|
||||
rexray_preempt: {get_param: rexray_preempt}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
|
||||
swarm_secondary_masters:
|
||||
type: "OS::Heat::ResourceGroup"
|
||||
|
@ -342,6 +346,7 @@ resources:
|
|||
auth_url: {get_param: auth_url}
|
||||
volume_driver: {get_param: volume_driver}
|
||||
rexray_preempt: {get_param: rexray_preempt}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
|
||||
swarm_nodes:
|
||||
type: "OS::Heat::ResourceGroup"
|
||||
|
@ -383,6 +388,7 @@ resources:
|
|||
auth_url: {get_param: auth_url}
|
||||
volume_driver: {get_param: volume_driver}
|
||||
rexray_preempt: {get_param: rexray_preempt}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
|
||||
outputs:
|
||||
|
||||
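Review bot: The `verify_ca` parameter added under `parameters:` is described only as "whether or not to validate certificate authority", which does not say which connections are affected or what turning it off does. Wording such as `description: whether cluster nodes verify the TLS certificate of the OpenStack API endpoints; false disables verification` would make the security consequence visible to whoever edits the template. The same parameter text is added in the two nested template sections that follow (master and node), so the wording should change there as well. The parameter has no `default`, so the templates rely on the caller always supplying it; that looks intentional, but a short comment saying so would help.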
|
|
|
@ -135,6 +135,10 @@ parameters:
|
|||
description: whether this master is primary or not
|
||||
default: False
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
resources:
|
||||
|
||||
master_wait_handle:
|
||||
|
@ -195,6 +199,7 @@ resources:
|
|||
"$AUTH_URL": {get_param: auth_url}
|
||||
"$VOLUME_DRIVER": {get_param: volume_driver}
|
||||
"$REXRAY_PREEMPT": {get_param: rexray_preempt}
|
||||
"$VERIFY_CA": {get_param: verify_ca}
|
||||
|
||||
remove_docker_key:
|
||||
type: "OS::Heat::SoftwareConfig"
|
||||
|
|
|
@ -127,6 +127,10 @@ parameters:
|
|||
other hosts are using the volume
|
||||
default: "false"
|
||||
|
||||
verify_ca:
|
||||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
resources:
|
||||
|
||||
node_wait_handle:
|
||||
|
@ -172,6 +176,7 @@ resources:
|
|||
"$AUTH_URL": {get_param: auth_url}
|
||||
"$VOLUME_DRIVER": {get_param: volume_driver}
|
||||
"$REXRAY_PREEMPT": {get_param: rexray_preempt}
|
||||
"$VERIFY_CA": {get_param: verify_ca}
|
||||
|
||||
remove_docker_key:
|
||||
type: "OS::Heat::SoftwareConfig"
|
||||
|
|
|
@ -225,6 +225,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||
'insecure_registry_url': '10.0.0.1:5000',
|
||||
'kube_version': 'fake-version',
|
||||
'verify_ca': True,
|
||||
}
|
||||
if missing_attr is not None:
|
||||
expected.pop(mapping[missing_attr], None)
|
||||
|
@ -319,6 +320,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'volume_driver': 'volume_driver',
|
||||
'insecure_registry_url': '10.0.0.1:5000',
|
||||
'kube_version': 'fake-version',
|
||||
'verify_ca': True,
|
||||
}
|
||||
|
||||
self.assertEqual(expected, definition)
|
||||
|
@ -398,7 +400,8 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'trustee_password': 'fake_trustee_password',
|
||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||
'trustee_username': 'fake_trustee',
|
||||
'username': 'fake_user'
|
||||
'username': 'fake_user',
|
||||
'verify_ca': True,
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -475,6 +478,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'magnum_url': self.mock_osc.magnum_url.return_value,
|
||||
'insecure_registry_url': '10.0.0.1:5000',
|
||||
'kube_version': 'fake-version',
|
||||
'verify_ca': True,
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -546,6 +550,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'magnum_url': self.mock_osc.magnum_url.return_value,
|
||||
'insecure_registry_url': '10.0.0.1:5000',
|
||||
'kube_version': 'fake-version',
|
||||
'verify_ca': True,
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -731,6 +736,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||
'insecure_registry_url': '10.0.0.1:5000',
|
||||
'kube_version': 'fake-version',
|
||||
'verify_ca': True,
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
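Review bot: Every expected dict in these hunks gains `'verify_ca': True`, so only the default is pinned and nothing visible checks that setting the option to False reaches the template parameters. One case that overrides `verify_ca` in the `drivers` group to False and expects `'verify_ca': False,` would cover the path that disables verification. The same holds for the Mesos and Swarm conductor test sections below. The enclosing test methods start and end outside the hunks, so an existing override elsewhere in the file cannot be ruled out.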
|
|
|
@ -137,7 +137,8 @@ class TestClusterConductorWithMesos(base.TestCase):
|
|||
'mesos_slave_executor_env_variables': '{}',
|
||||
'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
|
||||
'mesos_slave_work_dir': '/tmp/mesos/slave',
|
||||
'mesos_slave_image_providers': 'docker'
|
||||
'mesos_slave_image_providers': 'docker',
|
||||
'verify_ca': True,
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -192,6 +193,7 @@ class TestClusterConductorWithMesos(base.TestCase):
|
|||
'mesos_slave_work_dir': '/tmp/mesos/slave',
|
||||
'mesos_slave_image_providers': 'docker',
|
||||
'master_flavor': 'master_flavor_id',
|
||||
'verify_ca': True,
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -248,7 +250,8 @@ class TestClusterConductorWithMesos(base.TestCase):
|
|||
'mesos_slave_executor_env_variables': '{}',
|
||||
'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
|
||||
'mesos_slave_work_dir': '/tmp/mesos/slave',
|
||||
'mesos_slave_image_providers': 'docker'
|
||||
'mesos_slave_image_providers': 'docker',
|
||||
'verify_ca': True,
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -306,7 +309,8 @@ class TestClusterConductorWithMesos(base.TestCase):
|
|||
'mesos_slave_executor_env_variables': '{}',
|
||||
'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
|
||||
'mesos_slave_work_dir': '/tmp/mesos/slave',
|
||||
'mesos_slave_image_providers': 'docker'
|
||||
'mesos_slave_image_providers': 'docker',
|
||||
'verify_ca': True,
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
|
|
@ -160,7 +160,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
|
|||
'swarm_strategy': u'spread',
|
||||
'volume_driver': 'rexray',
|
||||
'rexray_preempt': 'False',
|
||||
'docker_volume_type': 'lvmdriver-1'
|
||||
'docker_volume_type': 'lvmdriver-1',
|
||||
'verify_ca': True,
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -236,7 +237,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
|
|||
'swarm_strategy': u'spread',
|
||||
'volume_driver': 'rexray',
|
||||
'rexray_preempt': 'False',
|
||||
'docker_volume_type': 'lvmdriver-1'
|
||||
'docker_volume_type': 'lvmdriver-1',
|
||||
'verify_ca': True,
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -306,6 +308,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
|
|||
'docker_volume_type': 'lvmdriver-1',
|
||||
'docker_volume_size': 20,
|
||||
'master_flavor': 'master_flavor_id',
|
||||
'verify_ca': True,
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -375,7 +378,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
|
|||
'swarm_strategy': u'spread',
|
||||
'volume_driver': 'rexray',
|
||||
'rexray_preempt': 'False',
|
||||
'docker_volume_type': 'lvmdriver-1'
|
||||
'docker_volume_type': 'lvmdriver-1',
|
||||
'verify_ca': True,
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -446,7 +450,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
|
|||
'swarm_strategy': u'spread',
|
||||
'volume_driver': 'rexray',
|
||||
'rexray_preempt': 'False',
|
||||
'docker_volume_type': 'lvmdriver-1'
|
||||
'docker_volume_type': 'lvmdriver-1',
|
||||
'verify_ca': True,
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
[`bug 1663757 <https://bugs.launchpad.net/magnum/+bug/1663757>`_]
|
||||
A configuration parameter, verify_ca, was added to magnum.conf
|
||||
with a default value of True and passed to the heat templates to indicate
|
||||
whether the cluster nodes validate the Certificate Authority when making
|
||||
requests to the OpenStack APIs (Keystone, Magnum, Heat). This parameter
|
||||
can be set to False to disable CA validation if you have self-signed
|
||||
certificates for the OpenStack APIs or you have your own Certificate
|
||||
Authority and you have not installed the Certificate Authority to all
|
||||
nodes.
|