Add verify_ca configuration parameter

Added configuration parameter, verify_ca, to magnum.conf with default
value of True. This parameter is passed to the heat templates to
indicate whether the cluster nodes validate the Certificate Authority
when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
This configuration parameter can be set to False to disable CA
validation.

Co-Authored-By: Vijendar Komalla <vijendar.komalla@rackspace.com>

Change-Id: Iab02cb1338b811dac0c147378dbd0e63c83f0413
Partial-Bug: #1663757
This commit is contained in:
Kirsten G 2017-10-25 01:27:40 -07:00
parent 8e8fbe9214
commit b07b6f34d5
45 changed files with 275 additions and 44 deletions

View File

@ -178,7 +178,11 @@ specified). If it fails, that means the credential you provided is invalid.
TLS
---
*To be filled in*
The cluster nodes will validate the Certificate Authority by default
when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
If you need to disable CA validation, the configuration parameter
verify_ca can be set to False. More information on `CA Validation
<https://bugs.launchpad.net/magnum/+bug/1663757>`_.
Barbican service

View File

@ -26,6 +26,7 @@ from magnum.conf import conductor
from magnum.conf import database
from magnum.conf import docker
from magnum.conf import docker_registry
from magnum.conf import drivers
from magnum.conf import glance
from magnum.conf import heat
from magnum.conf import keystone
@ -54,6 +55,7 @@ conductor.register_opts(CONF)
database.register_opts(CONF)
docker.register_opts(CONF)
docker_registry.register_opts(CONF)
drivers.register_opts(CONF)
glance.register_opts(CONF)
heat.register_opts(CONF)
keystone.register_opts(CONF)

40
magnum/conf/drivers.py Normal file
View File

@ -0,0 +1,40 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_config import cfg
drivers_group = cfg.OptGroup(name='drivers',
title='Options for the Drivers')
drivers_opts = [
cfg.BoolOpt('verify_ca',
default=True,
help='Indicates whether the cluster nodes validate the '
'Certificate Authority when making requests to the '
'OpenStack APIs (Keystone, Magnum, Heat). If you have '
'self-signed certificates for the OpenStack APIs or '
'you have your own Certificate Authority and you '
'have not installed the Certificate Authority to all '
'nodes, you may need to disable CA validation by '
'setting this flag to False.')
]
def register_opts(conf):
conf.register_group(drivers_group)
conf.register_opts(drivers_opts, group=drivers_group)
def list_opts():
return {
drivers_group: drivers_opts,
}

View File

@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then
exit 0
fi
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
cert_dir=/etc/kubernetes/certs
mkdir -p "$cert_dir"
@ -55,11 +61,11 @@ EOF
content_type='Content-Type: application/json'
url="$AUTH_URL/auth/tokens"
USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \
USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \
| grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'`
# Get CA certificate for this cluster
curl -k -X GET \
curl $VERIFY_CA -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > $CA_CERT
@ -93,7 +99,7 @@ openssl req -new -days 1000 \
# Send csr to Magnum to have it signed
csr_req=$(python -c "import json; fp = open('${CLIENT_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")
curl -k -X POST \
curl $VERIFY_CA -X POST \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \

View File

@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then
exit 0
fi
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then
KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
fi
@ -87,11 +93,11 @@ EOF
content_type='Content-Type: application/json'
url="$AUTH_URL/auth/tokens"
USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \
USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \
| grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'`
# Get CA certificate for this cluster
curl -k -X GET \
curl $VERIFY_CA -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${CA_CERT}
@ -120,7 +126,7 @@ openssl req -new -days 1000 \
# Send csr to Magnum to have it signed
csr_req=$(python -c "import json; fp = open('${SERVER_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")
curl -k -X POST \
curl $VERIFY_CA -X POST \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \

View File

@ -11,7 +11,7 @@ until curl -sf "http://127.0.0.1:8080/healthz"; do
echo "Waiting for Kubernetes API..."
sleep 5
done
$WAIT_CURL --data-binary '{"status": "SUCCESS"}'
$WAIT_CURL $VERIFY_CA --data-binary '{"status": "SUCCESS"}'
EOF
cat > $WC_NOTIFY_SERVICE <<EOF

View File

@ -30,6 +30,7 @@ write_files:
CLUSTER_SUBNET="$CLUSTER_SUBNET"
TLS_DISABLED="$TLS_DISABLED"
KUBE_DASHBOARD_ENABLED="$KUBE_DASHBOARD_ENABLED"
VERIFY_CA="$VERIFY_CA"
CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL"
VOLUME_DRIVER="$VOLUME_DRIVER"

View File

@ -24,6 +24,7 @@ write_files:
REGISTRY_INSECURE="$REGISTRY_INSECURE"
REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL"
AUTH_URL="$AUTH_URL"

View File

@ -4,6 +4,12 @@
echo "notifying heat"
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
STATUS="SUCCESS"
REASON="Setup complete"
DATA="OK"
@ -11,4 +17,4 @@ UUID=`uuidgen`
data=$(echo '{"status": "'${STATUS}'", "reason": "'$REASON'", "data": "'${DATA}'", "id": "'$UUID'"}')
sh -c "${WAIT_CURL} --data-binary '${data}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '${data}'"

View File

@ -81,13 +81,14 @@ def _build_subject_alt_names(config):
return ','.join(subject_alt_names)
def write_ca_cert(config):
def write_ca_cert(config, verify_ca):
cluster_cert_url = '%s/certificates/%s' % (config['MAGNUM_URL'],
config['CLUSTER_UUID'])
headers = {'X-Auth-Token': config['USER_TOKEN'],
'OpenStack-API-Version': 'container-infra latest'}
ca_cert_resp = requests.get(cluster_cert_url,
headers=headers)
headers=headers,
verify=verify_ca)
with open(CA_CERT_PATH, 'w') as fp:
fp.write(ca_cert_resp.json()['pem'])
@ -121,7 +122,7 @@ def create_server_csr(config):
return {'cluster_uuid': config['CLUSTER_UUID'], 'csr': fp.read()}
def write_server_cert(config, csr_req):
def write_server_cert(config, csr_req, verify_ca):
cert_url = '%s/certificates' % config['MAGNUM_URL']
headers = {
'Content-Type': 'application/json',
@ -130,13 +131,14 @@ def write_server_cert(config, csr_req):
}
csr_resp = requests.post(cert_url,
data=json.dumps(csr_req),
headers=headers)
headers=headers,
verify=verify_ca)
with open(SERVER_CERT_PATH, 'w') as fp:
fp.write(csr_resp.json()['pem'])
def get_user_token(config):
def get_user_token(config, verify_ca):
creds_str = '''
{
"auth": {
@ -161,7 +163,7 @@ def get_user_token(config):
creds = creds_str % params
headers = {'Content-Type': 'application/json'}
url = config['AUTH_URL'] + '/auth/tokens'
r = requests.post(url, headers=headers, data=creds)
r = requests.post(url, headers=headers, data=creds, verify=verify_ca)
config['USER_TOKEN'] = r.headers['X-Subject-Token']
return config
@ -169,12 +171,13 @@ def get_user_token(config):
def main():
config = load_config()
if config['TLS_DISABLED'] == 'False':
verify_ca = True if config['VERIFY_CA'] == 'True' else False
create_dirs()
config = get_user_token(config)
write_ca_cert(config)
config = get_user_token(config, verify_ca)
write_ca_cert(config, verify_ca)
write_server_key()
csr_req = create_server_csr(config)
write_server_cert(config, csr_req)
write_server_cert(config, csr_req, verify_ca)
if __name__ == '__main__':

View File

@ -11,5 +11,5 @@ write_files:
[Service]
Type=simple
TimeoutStartSec=0
ExecStart=/usr/bin/$WAIT_CURL \
ExecStart=/usr/bin/$WAIT_CURL $VERIFY_CA \
--data-binary '{"status": "FAILURE", "reason": "$SERVICE service failed to start.", "data": "Failure"}'

View File

@ -18,6 +18,7 @@ write_files:
CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL"
TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
NETWORK_DRIVER="$NETWORK_DRIVER"
FLANNEL_NETWORK_CIDR="$FLANNEL_NETWORK_CIDR"
FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"

View File

@ -17,6 +17,7 @@ write_files:
CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL"
TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
NETWORK_DRIVER="$NETWORK_DRIVER"
ETCD_SERVER_IP="$ETCD_SERVER_IP"
API_IP_ADDRESS="$API_IP_ADDRESS"

View File

@ -4,6 +4,12 @@
myip="$SWARM_NODE_IP"
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
CONF_FILE=/etc/systemd/system/swarm-agent.service
CERT_DIR=/etc/docker
PROTOCOL=https
@ -76,7 +82,7 @@ do
sleep 5
done
${WAIT_CURL} \
${WAIT_CURL} {$VERIFY_CA} \
--data-binary '{"status": "SUCCESS", "reason": "Swarm agent ready", "data": "OK", "id": "${UUID}"}'
EOF

View File

@ -2,6 +2,12 @@
CERT_DIR=/etc/docker
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
cat > /etc/systemd/system/swarm-manager.service << END_SERVICE_TOP
[Unit]
Description=Swarm Manager
@ -46,7 +52,7 @@ cat >> /etc/systemd/system/swarm-manager.service << END_SERVICE_BOTTOM
etcd://$ETCD_SERVER_IP:2379/v2/keys/swarm/
ExecStop=/usr/bin/docker stop swarm-manager
Restart=always
ExecStartPost=/usr/bin/$WAIT_CURL \\
ExecStartPost=/usr/bin/$WAIT_CURL $VERIFY_CA \\
--data-binary '{"status": "SUCCESS", "reason": "Setup complete", "data": "OK", "id": "$UUID"}'
[Install]

View File

@ -244,6 +244,7 @@ class BaseTemplateDefinition(TemplateDefinition):
extra_params['trustee_user_id'] = cluster.trustee_user_id
extra_params['trustee_username'] = cluster.trustee_username
extra_params['trustee_password'] = cluster.trustee_password
extra_params['verify_ca'] = CONF.drivers.verify_ca
# Only pass trust ID into the template if allowed by the config file
if CONF.trust.cluster_user_trust:

View File

@ -40,6 +40,12 @@ write_files:
exit 0
fi
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
cert_conf_dir=${KUBE_CERTS_PATH}/conf
mkdir -p ${cert_conf_dir}
@ -72,12 +78,12 @@ write_files:
}
EOF
USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
rm -rf auth.json
ca_cert_json=$(curl -k -X GET \
ca_cert_json=$(curl $VERIFY_CA -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID)
@ -114,7 +120,7 @@ write_files:
csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
# Send csr to Magnum to have it signed
client_cert_json=$(curl -k -X POST \
client_cert_json=$(curl $VERIFY_CA -X POST \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \

View File

@ -40,6 +40,12 @@ write_files:
exit 0
fi
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then
KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
fi
@ -103,13 +109,13 @@ write_files:
}
EOF
USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
rm -rf auth.json
# Get CA certificate for this cluster
ca_cert_json=$(curl -k -X GET \
ca_cert_json=$(curl $VERIFY_CA -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID)
@ -141,7 +147,7 @@ write_files:
csr=$(cat $SERVER_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
# Send csr to Magnum to have it signed
server_cert_json=$(curl -k -X POST \
server_cert_json=$(curl $VERIFY_CA -X POST \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \

View File

@ -20,5 +20,5 @@ write_files:
permissions: "0755"
content: |
#!/bin/bash -v
command="$WAIT_CURL --insecure --data-binary '{\"status\": \"SUCCESS\"}'"
command="$WAIT_CURL $VERIFY_CA --data-binary '{\"status\": \"SUCCESS\"}'"
eval $(echo "$command")

View File

@ -25,6 +25,7 @@ write_files:
TENANT_NAME="$TENANT_NAME"
CLUSTER_SUBNET="$CLUSTER_SUBNET"
TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL"
HTTP_PROXY="$HTTP_PROXY"

View File

@ -21,6 +21,7 @@ write_files:
REGISTRY_INSECURE="$REGISTRY_INSECURE"
REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL"
AUTH_URL="$AUTH_URL"

View File

@ -155,6 +155,10 @@ parameters:
description: whether or not to disable kubernetes dashboard
default: True
verify_ca:
type: boolean
description: whether or not to validate certificate authority
loadbalancing_protocol:
type: string
description: >
@ -431,6 +435,7 @@ resources:
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
verify_ca: {get_param: verify_ca}
secgroup_kube_master_id: {get_resource: secgroup_master}
http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy}
@ -489,6 +494,7 @@ resources:
network_driver: {get_param: network_driver}
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
secgroup_kube_minion_id: {get_resource: secgroup_minion_all_open}
http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy}

View File

@ -115,6 +115,10 @@ parameters:
type: boolean
description: whether or not to disable kubernetes dashboard
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -280,6 +284,7 @@ resources:
"$NETWORK_DRIVER": {get_param: network_driver}
"$KUBE_API_PORT": {get_param: kubernetes_port}
"$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
"$KUBE_VERSION": {get_param: kube_version}
"$KUBE_DASHBOARD_VERSION": {get_param: kube_dashboard_version}

View File

@ -42,6 +42,10 @@ parameters:
type: boolean
description: whether or not to enable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -185,6 +189,7 @@ resources:
"$WAIT_CURL": {get_attr: [minion_wait_handle, curl_cli]}
"$KUBE_API_PORT": {get_param: kubernetes_port}
"$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$NETWORK_DRIVER": {get_param: network_driver}
"$ETCD_SERVER_IP": {get_param: etcd_server_ip}
"$KUBE_VERSION": {get_param: kube_version}

View File

@ -252,6 +252,10 @@ parameters:
description: whether or not to enable kubernetes dashboard
default: True
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -512,6 +516,7 @@ resources:
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
verify_ca: {get_param: verify_ca}
secgroup_kube_master_id: {get_resource: secgroup_kube_master}
http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy}
@ -580,6 +585,7 @@ resources:
password: {get_param: password}
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
secgroup_kube_minion_id: {get_resource: secgroup_kube_minion}
http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy}

View File

@ -114,6 +114,10 @@ parameters:
type: boolean
description: whether or not to disable kubernetes dashboard
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -324,6 +328,7 @@ resources:
"$CLUSTER_SUBNET": {get_param: fixed_subnet}
"$TLS_DISABLED": {get_param: tls_disabled}
"$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
"$VERIFY_CA": {get_param: verify_ca}
"$CLUSTER_UUID": {get_param: cluster_uuid}
"$MAGNUM_URL": {get_param: magnum_url}
"$VOLUME_DRIVER": {get_param: volume_driver}

View File

@ -57,6 +57,10 @@ parameters:
type: boolean
description: whether or not to enable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -269,6 +273,7 @@ resources:
$REGISTRY_INSECURE: {get_param: registry_insecure}
$REGISTRY_CHUNKSIZE: {get_param: registry_chunksize}
$TLS_DISABLED: {get_param: tls_disabled}
$VERIFY_CA: {get_param: verify_ca}
$CLUSTER_UUID: {get_param: cluster_uuid}
$MAGNUM_URL: {get_param: magnum_url}
$USERNAME: {get_param: username}

View File

@ -250,6 +250,10 @@ parameters:
description: whether or not to disable kubernetes dashboard
default: True
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -484,6 +488,7 @@ resources:
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
verify_ca: {get_param: verify_ca}
secgroup_base_id: {get_resource: secgroup_base}
secgroup_kube_master_id: {get_resource: secgroup_kube_master}
http_proxy: {get_param: http_proxy}
@ -574,6 +579,7 @@ resources:
password: {get_param: password}
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy}
no_proxy: {get_param: no_proxy}

View File

@ -99,6 +99,10 @@ parameters:
type: boolean
description: whether or not to disable kubernetes dashboard
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -289,6 +293,7 @@ resources:
"$CLUSTER_SUBNET": {get_param: fixed_subnet}
"$TLS_DISABLED": {get_param: tls_disabled}
"$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
"$VERIFY_CA": {get_param: verify_ca}
"$CLUSTER_UUID": {get_param: cluster_uuid}
"$MAGNUM_URL": {get_param: magnum_url}
"$HTTP_PROXY": {get_param: http_proxy}

View File

@ -29,6 +29,10 @@ parameters:
type: boolean
description: whether or not to enable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
@ -203,6 +207,7 @@ resources:
$REGISTRY_INSECURE: {get_param: registry_insecure}
$REGISTRY_CHUNKSIZE: {get_param: registry_chunksize}
$TLS_DISABLED: {get_param: tls_disabled}
$VERIFY_CA: {get_param: verify_ca}
$CLUSTER_UUID: {get_param: cluster_uuid}
$MAGNUM_URL: {get_param: magnum_url}
$USERNAME: {get_param: username}

View File

@ -64,6 +64,10 @@ parameters:
enables any host to take control of a volume irrespective of whether
other hosts are using the volume
verify_ca:
type: boolean
description: whether or not to validate certificate authority
mesos_slave_isolation:
type: string
description: >
@ -154,9 +158,10 @@ resources:
str_replace:
template: |
#!/bin/bash -v
wc_notify --data-binary '{"status": "SUCCESS"}'
wc_notify $VERIFY_CA --data-binary '{"status": "SUCCESS"}'
params:
wc_notify: {get_param: mesos_slave_wc_curl_cli}
"$VERIFY_CA": {get_param: verify_ca}
add_proxy:
type: OS::Heat::SoftwareConfig

View File

@ -207,6 +207,10 @@ parameters:
be empty when doing a create.
default: []
verify_ca:
type: boolean
description: whether or not to validate certificate authority
resources:
######################################################################
@ -458,6 +462,7 @@ resources:
mesos_slave_image_providers: {get_param: mesos_slave_image_providers}
mesos_slave_executor_env_variables: {get_param: mesos_slave_executor_env_variables}
mesos_slave_wc_curl_cli: {get_attr: [slave_wait_handle, curl_cli]}
verify_ca: {get_param: verify_ca}
outputs:

View File

@ -100,6 +100,10 @@ parameters:
description: whether or not to enable TLS
default: False
verify_ca:
type: boolean
description: whether or not to validate certificate authority
network_driver:
type: string
description: network driver to use for instantiating container networks
@ -374,6 +378,7 @@ resources:
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}
tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
secgroup_swarm_master_id: {get_resource: secgroup_swarm_manager}
network_driver: {get_param: network_driver}
flannel_network_cidr: {get_param: flannel_network_cidr}
@ -422,6 +427,7 @@ resources:
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}
tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
secgroup_swarm_node_id: {get_resource: secgroup_swarm_node}
flannel_network_cidr: {get_param: flannel_network_cidr}
network_driver: {get_param: network_driver}

View File

@ -90,6 +90,10 @@ parameters:
type: boolean
description: whether or not to enable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
network_driver:
type: string
description: network driver to use for instantiating container networks
@ -243,6 +247,7 @@ resources:
"$CLUSTER_UUID": {get_param: cluster_uuid}
"$MAGNUM_URL": {get_param: magnum_url}
"$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$NETWORK_DRIVER": {get_param: network_driver}
"$FLANNEL_NETWORK_CIDR": {get_param: flannel_network_cidr}
"$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
@ -319,6 +324,7 @@ resources:
params:
"$SERVICE": swarm-manager
"$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}
"$VERIFY_CA": {get_param: verify_ca}
write_docker_socket:
type: "OS::Heat::SoftwareConfig"
@ -341,6 +347,7 @@ resources:
"$HTTPS_PROXY": {get_param: https_proxy}
"$NO_PROXY": {get_attr: [no_proxy_extended, value]}
"$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$SWARM_VERSION": {get_param: swarm_version}
"$SWARM_STRATEGY": {get_param: swarm_strategy}

View File

@ -93,6 +93,10 @@ parameters:
type: boolean
description: whether or not to disable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
swarm_version:
type: string
description: version of swarm used for swarm cluster
@ -220,6 +224,7 @@ resources:
"$CLUSTER_UUID": {get_param: cluster_uuid}
"$MAGNUM_URL": {get_param: magnum_url}
"$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$NETWORK_DRIVER": {get_param: network_driver}
"$ETCD_SERVER_IP": {get_param: etcd_server_ip}
"$API_IP_ADDRESS": {get_param: api_ip_address}
@ -295,6 +300,7 @@ resources:
params:
"$SERVICE": swarm-agent
"$WAIT_CURL": {get_attr: [node_wait_handle, curl_cli]}
"$VERIFY_CA": {get_param: verify_ca}
write_swarm_agent_service:
type: "OS::Heat::SoftwareConfig"

View File

@ -26,3 +26,4 @@ write_files:
AUTH_URL="$AUTH_URL"
VOLUME_DRIVER="$VOLUME_DRIVER"
REXRAY_PREEMPT="$REXRAY_PREEMPT"
VERIFY_CA="$VERIFY_CA"

View File

@ -4,6 +4,12 @@
set -x
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
if [ "${IS_PRIMARY_MASTER}" = "True" ]; then
cat > /usr/local/bin/magnum-start-swarm-manager << START_SWARM_BIN
#!/bin/bash -xe
@ -16,7 +22,7 @@ else
status="FAILURE"
msg="Failed to init swarm."
fi
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'"
START_SWARM_BIN
else
if [ "${TLS_DISABLED}" = 'False' ]; then
@ -37,7 +43,7 @@ do
done
if [[ -z \$token ]] ; then
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
fi
i=0
@ -48,9 +54,9 @@ do
sleep 5
done
if [[ \$i -ge 5 ]] ; then
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'"
else
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'"
fi
START_SWARM_BIN
fi

View File

@ -4,6 +4,12 @@
set -x
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
if [ "${TLS_DISABLED}" = 'False' ]; then
tls="--tlsverify"
tls=$tls" --tlscacert=/etc/docker/ca.crt"
@ -22,7 +28,7 @@ do
done
if [[ -z \$token ]] ; then
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'"
fi
i=0
@ -33,9 +39,9 @@ do
sleep 5
done
if [[ \$i -ge 5 ]] ; then
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'"
else
sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'"
sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'"
fi
START_SWARM_BIN

View File

@ -179,6 +179,9 @@ parameters:
other hosts are using the volume
default: "false"
verify_ca:
type: boolean
description: whether or not to validate certificate authority
resources:
@ -301,6 +304,7 @@ resources:
auth_url: {get_param: auth_url}
volume_driver: {get_param: volume_driver}
rexray_preempt: {get_param: rexray_preempt}
verify_ca: {get_param: verify_ca}
swarm_secondary_masters:
type: "OS::Heat::ResourceGroup"
@ -342,6 +346,7 @@ resources:
auth_url: {get_param: auth_url}
volume_driver: {get_param: volume_driver}
rexray_preempt: {get_param: rexray_preempt}
verify_ca: {get_param: verify_ca}
swarm_nodes:
type: "OS::Heat::ResourceGroup"
@ -383,6 +388,7 @@ resources:
auth_url: {get_param: auth_url}
volume_driver: {get_param: volume_driver}
rexray_preempt: {get_param: rexray_preempt}
verify_ca: {get_param: verify_ca}
outputs:

View File

@ -135,6 +135,10 @@ parameters:
description: whether this master is primary or not
default: False
verify_ca:
type: boolean
description: whether or not to validate certificate authority
resources:
master_wait_handle:
@ -195,6 +199,7 @@ resources:
"$AUTH_URL": {get_param: auth_url}
"$VOLUME_DRIVER": {get_param: volume_driver}
"$REXRAY_PREEMPT": {get_param: rexray_preempt}
"$VERIFY_CA": {get_param: verify_ca}
remove_docker_key:
type: "OS::Heat::SoftwareConfig"

View File

@ -127,6 +127,10 @@ parameters:
other hosts are using the volume
default: "false"
verify_ca:
type: boolean
description: whether or not to validate certificate authority
resources:
node_wait_handle:
@ -172,6 +176,7 @@ resources:
"$AUTH_URL": {get_param: auth_url}
"$VOLUME_DRIVER": {get_param: volume_driver}
"$REXRAY_PREEMPT": {get_param: rexray_preempt}
"$VERIFY_CA": {get_param: verify_ca}
remove_docker_key:
type: "OS::Heat::SoftwareConfig"

View File

@ -225,6 +225,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'auth_url': 'http://192.168.10.10:5000/v3',
'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version',
'verify_ca': True,
}
if missing_attr is not None:
expected.pop(mapping[missing_attr], None)
@ -319,6 +320,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'volume_driver': 'volume_driver',
'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version',
'verify_ca': True,
}
self.assertEqual(expected, definition)
@ -398,7 +400,8 @@ class TestClusterConductorWithK8s(base.TestCase):
'trustee_password': 'fake_trustee_password',
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
'trustee_username': 'fake_trustee',
'username': 'fake_user'
'username': 'fake_user',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -475,6 +478,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'magnum_url': self.mock_osc.magnum_url.return_value,
'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -546,6 +550,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'magnum_url': self.mock_osc.magnum_url.return_value,
'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -731,6 +736,7 @@ class TestClusterConductorWithK8s(base.TestCase):
'auth_url': 'http://192.168.10.10:5000/v3',
'insecure_registry_url': '10.0.0.1:5000',
'kube_version': 'fake-version',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(

View File

@ -137,7 +137,8 @@ class TestClusterConductorWithMesos(base.TestCase):
'mesos_slave_executor_env_variables': '{}',
'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
'mesos_slave_work_dir': '/tmp/mesos/slave',
'mesos_slave_image_providers': 'docker'
'mesos_slave_image_providers': 'docker',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -192,6 +193,7 @@ class TestClusterConductorWithMesos(base.TestCase):
'mesos_slave_work_dir': '/tmp/mesos/slave',
'mesos_slave_image_providers': 'docker',
'master_flavor': 'master_flavor_id',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -248,7 +250,8 @@ class TestClusterConductorWithMesos(base.TestCase):
'mesos_slave_executor_env_variables': '{}',
'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
'mesos_slave_work_dir': '/tmp/mesos/slave',
'mesos_slave_image_providers': 'docker'
'mesos_slave_image_providers': 'docker',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -306,7 +309,8 @@ class TestClusterConductorWithMesos(base.TestCase):
'mesos_slave_executor_env_variables': '{}',
'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
'mesos_slave_work_dir': '/tmp/mesos/slave',
'mesos_slave_image_providers': 'docker'
'mesos_slave_image_providers': 'docker',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(

View File

@ -160,7 +160,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
'swarm_strategy': u'spread',
'volume_driver': 'rexray',
'rexray_preempt': 'False',
'docker_volume_type': 'lvmdriver-1'
'docker_volume_type': 'lvmdriver-1',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -236,7 +237,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
'swarm_strategy': u'spread',
'volume_driver': 'rexray',
'rexray_preempt': 'False',
'docker_volume_type': 'lvmdriver-1'
'docker_volume_type': 'lvmdriver-1',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -306,6 +308,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
'docker_volume_type': 'lvmdriver-1',
'docker_volume_size': 20,
'master_flavor': 'master_flavor_id',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -375,7 +378,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
'swarm_strategy': u'spread',
'volume_driver': 'rexray',
'rexray_preempt': 'False',
'docker_volume_type': 'lvmdriver-1'
'docker_volume_type': 'lvmdriver-1',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(
@ -446,7 +450,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
'swarm_strategy': u'spread',
'volume_driver': 'rexray',
'rexray_preempt': 'False',
'docker_volume_type': 'lvmdriver-1'
'docker_volume_type': 'lvmdriver-1',
'verify_ca': True,
}
self.assertEqual(expected, definition)
self.assertEqual(

View File

@ -0,0 +1,12 @@
---
fixes:
- |
[`bug 1663757 <https://bugs.launchpad.net/magnum/+bug/1663757>`_]
A configuration parameter, verify_ca, was added to magnum.conf
with a default value of True and passed to the heat templates to indicate
whether the cluster nodes validate the Certificate Authority when making
requests to the OpenStack APIs (Keystone, Magnum, Heat). This parameter
can be set to False to disable CA validation if you have self-signed
certificates for the OpenStack APIs or you have your own Certificate
Authority and you have not installed the Certificate Authority to all
nodes.