Merge "Add openstack_ca_file configuration option" into stable/pike
commit
b6f49ca72e
|
@ -177,6 +177,24 @@ specified). If it fails, that means the credential you provided is invalid.
|
|||
|
||||
TLS
|
||||
---
|
||||
In production deployments, operators run the OpenStack APIs using
|
||||
ssl certificates and in private clouds it is common to use self-signed
|
||||
or certificates signed from CAs that they are usually not included
|
||||
in the systems' default CA-bundles. Magnum clusters with TLS enabled
|
||||
have their own CA but they need to make requests to the OpenStack
|
||||
APIs for several reasons. Eg Get the cluster CA and sign node
|
||||
certificates (Keystone, Magnum), signal the Heat API for stack
|
||||
completion, create resources (volumes, load balancers) or get
|
||||
information for each node (Cinder, Neutron, Nova). In these cases,
|
||||
the cluster nodes need the CA used for to run the APIs.
|
||||
|
||||
To pass the OpenStack CA bundle to the nodes you can set the CA
|
||||
using the `openstack_ca_file` option in the `drivers` section of
|
||||
Magnum's configuration file (usually `/etc/magnum/magnum.conf`).
|
||||
The default drivers in magnum install this CA in the system and
|
||||
set it in all the places it might be needed (eg when configuring
|
||||
the kubernetes cloud provider or for the heat-agents.)
|
||||
|
||||
The cluster nodes will validate the Certificate Authority by default
|
||||
when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
|
||||
If you need to disable CA validation, the configuration parameter
|
||||
|
|
|
@ -278,3 +278,13 @@ def generate_password(length, symbolgroups=None):
|
|||
r.shuffle(password)
|
||||
|
||||
return ''.join(password)
|
||||
|
||||
|
||||
def get_openstack_ca():
|
||||
openstack_ca_file = CONF.drivers.openstack_ca_file
|
||||
|
||||
if openstack_ca_file:
|
||||
with open(openstack_ca_file) as fd:
|
||||
return fd.read()
|
||||
else:
|
||||
return ''
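Review bot: The file content is returned verbatim and is later spliced by Heat `str_replace` into node shell scripts and a cloud-config (the `$OPENSTACK_CA` and `@@CACERTS_CONTENT@@` templates elsewhere in this change), so anything in the bundle that is not a PEM block — an OpenSSL `-text` dump, a comment containing quotes, `$(` or backticks, or a bare `EOF` line — is either interpreted by the shell on every node or breaks the bootstrap. Extract and return only the `BEGIN CERTIFICATE`/`END CERTIFICATE` blocks, fail when none is found, and document the contract. The rewrite below needs `import re` in the module's import block, which is outside this hunk, and `test_get_openstasck_ca` would then need PEM-shaped `read_data`.
```python
_PEM_CERT_RE = re.compile(
    r'-----BEGIN CERTIFICATE-----\r?\n[A-Za-z0-9+/=\r\n]+'
    r'-----END CERTIFICATE-----')


def get_openstack_ca():
    """Return the OpenStack CA bundle as PEM text, or '' when unset.

    Reads the path configured in ``[drivers] openstack_ca_file``. Only the
    PEM certificate blocks are returned because the value is pasted
    verbatim into node bootstrap scripts by Heat ``str_replace``; free
    text or OpenSSL ``-text`` output must never reach the nodes.

    Raises IOError if the configured file cannot be read and ValueError
    if it contains no PEM certificate block.
    """
    openstack_ca_file = CONF.drivers.openstack_ca_file
    if not openstack_ca_file:
        return ''
    with open(openstack_ca_file) as fd:
        content = fd.read()
    blocks = _PEM_CERT_RE.findall(content)
    if not blocks:
        raise ValueError(
            'openstack_ca_file %s contains no PEM certificate' %
            openstack_ca_file)
    return '\n'.join(blocks) + '\n'
```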
|
||||
|
|
|
@ -25,7 +25,11 @@ drivers_opts = [
|
|||
'you have your own Certificate Authority and you '
|
||||
'have not installed the Certificate Authority to all '
|
||||
'nodes, you may need to disable CA validation by '
|
||||
'setting this flag to False.')
|
||||
'setting this flag to False.'),
|
||||
cfg.StrOpt('openstack_ca_file',
|
||||
default="",
|
||||
help='Path to the OpenStack CA-bundle file to pass and '
|
||||
'install in all cluster nodes.')
|
||||
]
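Review bot: The help text for `openstack_ca_file` says neither what the file is used for nor what it may contain, while its content is read by the conductor and embedded into every node's bootstrap data and system trust store. Proposed help: `"Path to a PEM file holding the CA certificate(s) that issued the OpenStack API endpoint certificates. The content is read at cluster creation and installed into the trust store of every cluster node, so it must contain certificates only, never a private key. Works together with verify_ca."`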
|
||||
|
||||
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
#!/bin/sh -ux
|
||||
|
||||
CA_FILE=/etc/pki/ca-trust/source/anchors/openstack-ca.pem
|
||||
|
||||
if [ -n "$OPENSTACK_CA" ] ; then
|
||||
cat >> $CA_FILE <<EOF
|
||||
$OPENSTACK_CA
|
||||
EOF
|
||||
chmod 444 $CA_FILE
|
||||
chown root:root $CA_FILE
|
||||
update-ca-trust extract
|
||||
fi
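Review bot: The heredoc delimiter at `cat >> $CA_FILE <<EOF` is unquoted, so after `str_replace` has pasted the bundle text into the script the shell still performs `$` and backtick expansion on that text, and the `>>` append adds another copy of the certificate every time the script runs. Quote the delimiter and write instead of append: `cat > $CA_FILE <<'EOF'`. Note also that `-x` in the shebang traces the full certificate body into the console log; harmless for a public CA, but worth a comment so nobody reads it as a leak.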
|
|
@ -3,6 +3,7 @@
|
|||
. /etc/sysconfig/heat-params
|
||||
|
||||
KUBE_OS_CLOUD_CONFIG=/etc/kubernetes/kube_openstack_config
|
||||
cp /etc/pki/tls/certs/ca-bundle.crt /etc/kubernetes/ca-bundle.crt
|
||||
|
||||
# Generate a the configuration for Kubernetes services
|
||||
# to talk to OpenStack Neutron and Cinder
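Review bot: The new `cp /etc/pki/tls/certs/ca-bundle.crt /etc/kubernetes/ca-bundle.crt` takes a one-time snapshot of the host bundle and is only correct if the `update-ca-trust extract` from the install_openstack_ca part has already run; the MultipartMime resources in this change list that part first, but nothing here states the dependency. Add `# snapshot of the host trust store; install_openstack_ca must have run first so the OpenStack CA is included` above the copy. The snapshot also means a CA added to the host later is not seen by the cloud provider until this copy is refreshed.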
|
||||
|
@ -12,6 +13,7 @@ auth-url=$AUTH_URL
|
|||
user-id=$TRUSTEE_USER_ID
|
||||
password=$TRUSTEE_PASSWORD
|
||||
trust-id=$TRUST_ID
|
||||
ca-file=/etc/kubernetes/ca-bundle.crt
|
||||
[LoadBalancer]
|
||||
subnet-id=$CLUSTER_SUBNET
|
||||
create-monitor=yes
|
||||
|
|
|
@ -20,6 +20,7 @@ import six
|
|||
|
||||
from magnum.common import clients
|
||||
from magnum.common import exception
|
||||
from magnum.common import utils
|
||||
import magnum.conf
|
||||
|
||||
from requests import exceptions as req_exceptions
|
||||
|
@ -245,6 +246,7 @@ class BaseTemplateDefinition(TemplateDefinition):
|
|||
extra_params['trustee_username'] = cluster.trustee_username
|
||||
extra_params['trustee_password'] = cluster.trustee_password
|
||||
extra_params['verify_ca'] = CONF.drivers.verify_ca
|
||||
extra_params['openstack_ca'] = utils.get_openstack_ca()
|
||||
|
||||
# Only pass trust ID into the template if allowed by the config file
|
||||
if CONF.trust.cluster_user_trust:
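Review bot: `utils.get_openstack_ca()` at the new `extra_params['openstack_ca']` line propagates a bare IOError when `[drivers] openstack_ca_file` is set but unreadable, so cluster creation fails without naming the option. Wrapping the call and re-raising one of the `exception` module's classes (imported at the top of this hunk's file) with the configured path in the message would make the misconfiguration obvious in the conductor log; failing closed is right here, so do not fall back to an empty CA. The enclosing method starts and ends outside the hunk.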
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
#cloud-config
|
||||
merge_how: dict(recurse_array)+list(append)
|
||||
write_files:
|
||||
- path: /etc/systemd/system/add-ext-ca-certs.service
|
||||
owner: "root:root"
|
||||
permissions: "0644"
|
||||
content: |
|
||||
[Unit]
|
||||
Description=Install custom CA certificates
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/etc/sysconfig/add-ext-ca-certs.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
- path: /etc/sysconfig/add-ext-ca-certs.sh
|
||||
owner: "root:root"
|
||||
permissions: "0755"
|
||||
content: |
|
||||
#!/bin/sh
|
||||
|
||||
CERT_FILE=/etc/ssl/certs/openstack-ca.pem
|
||||
if [ -n "$OPENSTACK_CA" ]
|
||||
then
|
||||
echo -ne "$OPENSTACK_CA" | tee -a ${CERT_FILE}
|
||||
|
||||
chmod 0644 ${CERT_FILE}
|
||||
chown root:root ${CERT_FILE}
|
||||
update-ca-certificates
|
||||
fi
|
|
@ -289,6 +289,11 @@ parameters:
|
|||
domain name for cluster DNS
|
||||
default: "cluster.local"
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
hidden: true
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
######################################################################
|
||||
|
@ -459,6 +464,7 @@ resources:
|
|||
etcd_lb_vip: {get_attr: [etcd_lb, address]}
|
||||
dns_service_ip: {get_param: dns_service_ip}
|
||||
dns_cluster_domain: {get_param: dns_cluster_domain}
|
||||
openstack_ca: {get_param: openstack_ca}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
|
@ -513,6 +519,7 @@ resources:
|
|||
prometheus_monitoring: {get_param: prometheus_monitoring}
|
||||
dns_service_ip: {get_param: dns_service_ip}
|
||||
dns_cluster_domain: {get_param: dns_cluster_domain}
|
||||
openstack_ca: {get_param: openstack_ca}
|
||||
|
||||
outputs:
|
||||
|
||||
|
|
|
@ -226,6 +226,10 @@ parameters:
|
|||
description: >
|
||||
domain name for cluster DNS
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
master_wait_handle:
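Review bot: This `openstack_ca` parameter omits `hidden: true` while the cluster-level templates in this change (for example the `-289,6 +289,11` hunk) declare it hidden; the same omission repeats in every node-level template of this change (the kubemaster/kubeminion, swarm master/node and mesos slave templates). A CA certificate is public, so hiding is not a secrecy requirement, but declare it consistently so stack-show output is predictable: add `hidden: true` here or drop it from the cluster templates.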
|
||||
|
@ -311,6 +315,16 @@ resources:
|
|||
"$DNS_SERVICE_IP": {get_param: dns_service_ip}
|
||||
"$DNS_CLUSTER_DOMAIN": {get_param: dns_cluster_domain}
|
||||
|
||||
add_ext_ca_certs:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config:
|
||||
str_replace:
|
||||
params:
|
||||
$OPENSTACK_CA: {get_param: openstack_ca}
|
||||
template: {get_file: fragments/add-ext-ca-certs.yaml}
|
||||
|
||||
configure_etcd:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
|
@ -408,6 +422,7 @@ resources:
|
|||
config:
|
||||
str_replace:
|
||||
template: |
|
||||
$add_ext_ca_certs
|
||||
$write_heat_params
|
||||
$make_cert
|
||||
$configure_docker
|
||||
|
@ -426,6 +441,8 @@ resources:
|
|||
$wc_notify
|
||||
coreos:
|
||||
units:
|
||||
- name: "add-ext-ca-certs.service"
|
||||
command: "start"
|
||||
- name: "make-cert.service"
|
||||
command: "start"
|
||||
- name: "configure-docker.service"
|
||||
|
@ -457,6 +474,7 @@ resources:
|
|||
- name: "wc-notify.service"
|
||||
command: "start"
|
||||
params:
|
||||
"$add_ext_ca_certs": {get_attr: [add_ext_ca_certs, config]}
|
||||
"$write_heat_params": {get_attr: [write_heat_params, config]}
|
||||
"$make_cert": {get_attr: [make_cert, config]}
|
||||
"$configure_docker": {get_attr: [configure_docker, config]}
|
||||
|
|
|
@ -156,6 +156,10 @@ parameters:
|
|||
description: >
|
||||
domain name for cluster DNS
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
minion_wait_handle:
|
||||
|
@ -215,6 +219,16 @@ resources:
|
|||
"$DNS_SERVICE_IP": {get_param: dns_service_ip}
|
||||
"$DNS_CLUSTER_DOMAIN": {get_param: dns_cluster_domain}
|
||||
|
||||
add_ext_ca_certs:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config:
|
||||
str_replace:
|
||||
params:
|
||||
$OPENSTACK_CA: {get_param: openstack_ca}
|
||||
template: {get_file: fragments/add-ext-ca-certs.yaml}
|
||||
|
||||
write_kubeconfig:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
|
@ -270,6 +284,7 @@ resources:
|
|||
config:
|
||||
str_replace:
|
||||
template: |
|
||||
$add_ext_ca_certs
|
||||
$write_heat_params
|
||||
$write_kubeconfig
|
||||
$make_cert
|
||||
|
@ -281,6 +296,8 @@ resources:
|
|||
$wc_notify
|
||||
coreos:
|
||||
units:
|
||||
- name: "add-ext-ca-certs.service"
|
||||
command: "start"
|
||||
- name: "make-cert.service"
|
||||
command: "start"
|
||||
- name: "configure-docker.service"
|
||||
|
@ -296,6 +313,7 @@ resources:
|
|||
- name: "wc-notify.service"
|
||||
command: "start"
|
||||
params:
|
||||
"$add_ext_ca_certs": {get_attr: [add_ext_ca_certs, config]}
|
||||
"$write_heat_params": {get_attr: [write_heat_params, config]}
|
||||
"$write_kubeconfig": {get_attr: [write_kubeconfig, config]}
|
||||
"$make_cert": {get_attr: [make_cert, config]}
|
||||
|
|
|
@ -344,6 +344,11 @@ parameters:
|
|||
domain name for cluster DNS
|
||||
default: "cluster.local"
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
hidden: true
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
######################################################################
|
||||
|
@ -523,6 +528,7 @@ resources:
|
|||
etcd_lb_vip: {get_attr: [etcd_lb, address]}
|
||||
dns_service_ip: {get_param: dns_service_ip}
|
||||
dns_cluster_domain: {get_param: dns_cluster_domain}
|
||||
openstack_ca: {get_param: openstack_ca}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
|
@ -590,6 +596,7 @@ resources:
|
|||
insecure_registry_url: {get_param: insecure_registry_url}
|
||||
dns_service_ip: {get_param: dns_service_ip}
|
||||
dns_cluster_domain: {get_param: dns_cluster_domain}
|
||||
openstack_ca: {get_param: openstack_ca}
|
||||
|
||||
outputs:
|
||||
|
||||
|
|
|
@ -255,6 +255,10 @@ parameters:
|
|||
description: >
|
||||
domain name for cluster DNS
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
master_wait_handle:
|
||||
|
@ -341,6 +345,16 @@ resources:
|
|||
"$DNS_SERVICE_IP": {get_param: dns_service_ip}
|
||||
"$DNS_CLUSTER_DOMAIN": {get_param: dns_cluster_domain}
|
||||
|
||||
install_openstack_ca:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config:
|
||||
str_replace:
|
||||
params:
|
||||
$OPENSTACK_CA: {get_param: openstack_ca}
|
||||
template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
|
||||
|
||||
make_cert:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
|
@ -445,6 +459,7 @@ resources:
|
|||
type: OS::Heat::MultipartMime
|
||||
properties:
|
||||
parts:
|
||||
- config: {get_resource: install_openstack_ca}
|
||||
- config: {get_resource: disable_selinux}
|
||||
- config: {get_resource: write_heat_params}
|
||||
- config: {get_resource: configure_etcd}
|
||||
|
|
|
@ -223,6 +223,10 @@ parameters:
|
|||
description: >
|
||||
domain name for cluster DNS
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
minion_wait_handle:
|
||||
|
@ -294,6 +298,16 @@ resources:
|
|||
group: ungrouped
|
||||
config: {get_file: ../../common/templates/kubernetes/fragments/write-kubeconfig.yaml}
|
||||
|
||||
install_openstack_ca:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config:
|
||||
str_replace:
|
||||
params:
|
||||
$OPENSTACK_CA: {get_param: openstack_ca}
|
||||
template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
|
||||
|
||||
write_kube_os_config:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
|
@ -386,6 +400,7 @@ resources:
|
|||
type: OS::Heat::MultipartMime
|
||||
properties:
|
||||
parts:
|
||||
- config: {get_resource: install_openstack_ca}
|
||||
- config: {get_resource: disable_selinux}
|
||||
- config: {get_resource: write_heat_params}
|
||||
- config: {get_resource: write_kubeconfig}
|
||||
|
|
|
@ -335,6 +335,11 @@ parameters:
|
|||
description: insecure registry url
|
||||
default: ""
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
hidden: true
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
api_lb:
|
||||
|
@ -495,6 +500,7 @@ resources:
|
|||
insecure_registry_url: {get_param: insecure_registry_url}
|
||||
wc_curl_cli: {get_attr: [master_wait_handle, curl_cli]}
|
||||
etcd_lb_vip: {get_attr: [etcd_lb, address]}
|
||||
openstack_ca: {get_param: openstack_ca}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
|
@ -582,6 +588,7 @@ resources:
|
|||
trust_id: {get_param: trust_id}
|
||||
insecure_registry_url: {get_param: insecure_registry_url}
|
||||
wc_curl_cli: {get_attr: [minion_wait_handle, curl_cli]}
|
||||
openstack_ca: {get_param: openstack_ca}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
|
|
|
@ -234,6 +234,10 @@ parameters:
|
|||
etcd lb vip private used to generate certs on master.
|
||||
default: ""
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
######################################################################
|
||||
|
@ -304,6 +308,16 @@ resources:
|
|||
"$ENABLE_CINDER": "False"
|
||||
"$ETCD_LB_VIP": {get_param: etcd_lb_vip}
|
||||
|
||||
install_openstack_ca:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config:
|
||||
str_replace:
|
||||
params:
|
||||
$OPENSTACK_CA: {get_param: openstack_ca}
|
||||
template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
|
||||
|
||||
make_cert:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
|
@ -414,6 +428,7 @@ resources:
|
|||
type: OS::Heat::MultipartMime
|
||||
properties:
|
||||
parts:
|
||||
- config: {get_resource: install_openstack_ca}
|
||||
- config: {get_resource: disable_selinux}
|
||||
- config: {get_resource: write_heat_params}
|
||||
- config: {get_resource: configure_etcd}
|
||||
|
|
|
@ -169,6 +169,10 @@ parameters:
|
|||
description : >
|
||||
Wait condition notify command for Minion.
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
######################################################################
|
||||
|
@ -229,6 +233,16 @@ resources:
|
|||
group: ungrouped
|
||||
config: {get_file: ../../common/templates/kubernetes/fragments/write-kubeconfig.yaml}
|
||||
|
||||
install_openstack_ca:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config:
|
||||
str_replace:
|
||||
params:
|
||||
$OPENSTACK_CA: {get_param: openstack_ca}
|
||||
template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
|
||||
|
||||
make_cert:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
|
@ -321,6 +335,7 @@ resources:
|
|||
type: OS::Heat::MultipartMime
|
||||
properties:
|
||||
parts:
|
||||
- config: {get_resource: install_openstack_ca}
|
||||
- config: {get_resource: disable_selinux}
|
||||
- config: {get_resource: write_heat_params}
|
||||
- config: {get_resource: write_kubeconfig}
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
#!/bin/sh
|
||||
|
||||
CACERTS=$(cat <<-EOF
|
||||
@@CACERTS_CONTENT@@
|
||||
EOF
|
||||
)
|
||||
|
||||
CA_FILE=/usr/local/share/ca-certificates/magnum-external.crt
|
||||
|
||||
if [ -n "$CACERTS" ]; then
|
||||
touch $CA_FILE
|
||||
echo "$CACERTS" | tee -a $CA_FILE
|
||||
chmod 0644 $CA_FILE
|
||||
chown root:root $CA_FILE
|
||||
update-ca-certificates
|
||||
# Legacy versions of requests shipped with os-collect-config can have own CA cert database
|
||||
for REQUESTS_LOCATION in \
|
||||
/opt/stack/venvs/os-collect-config/lib/python2.7/site-packages/requests \
|
||||
/usr/local/lib/python2.7/dist-packages/requests; do
|
||||
if [ -f "${REQUESTS_LOCATION}/cacert.pem" ]; then
|
||||
echo "$CACERTS" | tee -a "${REQUESTS_LOCATION}/cacert.pem"
|
||||
fi
|
||||
done
|
||||
if [ -f /etc/init/os-collect-config.conf ]; then
|
||||
service os-collect-config restart
|
||||
fi
|
||||
fi
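Review bot: `CACERTS=$(cat <<-EOF` uses an unquoted delimiter, so `$` and backticks inside the pasted bundle are still expanded by the shell, and `tee -a` on both `$CA_FILE` and the requests `cacert.pem` files appends another copy on every run. Use `CACERTS=$(cat <<-'EOF'` and write the system file with `echo "$CACERTS" > $CA_FILE`, which also makes the `touch` unnecessary. The appends into the vendored requests bundles are lost on a package upgrade; a comment next to the loop saying so would save the next reader a debugging session.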
|
|
@ -104,6 +104,10 @@ parameters:
|
|||
type: string
|
||||
description: Wait condition notify command for slave.
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
######################################################################
|
||||
|
@ -138,6 +142,16 @@ resources:
|
|||
"$IMAGE_PROVIDERS": {get_param: mesos_slave_image_providers}
|
||||
"$EXECUTOR_ENVIRONMENT_VARIABLES": {get_param: mesos_slave_executor_env_variables}
|
||||
|
||||
add_ext_ca_certs:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config:
|
||||
str_replace:
|
||||
template: {get_file: fragments/add-ext-ca-certs.sh}
|
||||
params:
|
||||
"@@CACERTS_CONTENT@@": {get_param: openstack_ca}
|
||||
|
||||
configure_mesos_slave:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
|
@ -179,6 +193,7 @@ resources:
|
|||
type: OS::Heat::MultipartMime
|
||||
properties:
|
||||
parts:
|
||||
- config: {get_resource: add_ext_ca_certs}
|
||||
- config: {get_resource: write_heat_params}
|
||||
- config: {get_resource: configure_mesos_slave}
|
||||
- config: {get_resource: add_proxy}
|
||||
|
|
|
@ -211,6 +211,11 @@ parameters:
|
|||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
hidden: true
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
######################################################################
|
||||
|
@ -391,6 +396,7 @@ resources:
|
|||
fixed_subnet: {get_attr: [network, fixed_subnet]}
|
||||
secgroup_mesos_id: {get_resource: secgroup_master}
|
||||
api_pool_id: {get_attr: [api_lb, pool_id]}
|
||||
openstack_ca: {get_param: openstack_ca}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
|
@ -463,6 +469,7 @@ resources:
|
|||
mesos_slave_executor_env_variables: {get_param: mesos_slave_executor_env_variables}
|
||||
mesos_slave_wc_curl_cli: {get_attr: [slave_wait_handle, curl_cli]}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
openstack_ca: {get_param: openstack_ca}
|
||||
|
||||
outputs:
|
||||
|
||||
|
|
|
@ -43,8 +43,29 @@ parameters:
|
|||
type: string
|
||||
description: ID of the load balancer pool of Marathon.
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
hidden: true
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
add_ext_ca_certs:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: script
|
||||
config:
|
||||
str_replace:
|
||||
template: {get_file: fragments/add-ext-ca-certs.sh}
|
||||
params:
|
||||
"@@CACERTS_CONTENT@@": {get_param: openstack_ca}
|
||||
|
||||
mesos_master_init:
|
||||
type: OS::Heat::MultipartMime
|
||||
properties:
|
||||
parts:
|
||||
- config: {get_resource: add_ext_ca_certs}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# Mesos master server.
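Review bot: `add_ext_ca_certs` here is declared with `group: script`, whereas the same resource in the mesos slave template and every other CA-install config in this change uses `group: ungrouped`; unless the master intentionally relies on different handling, align it to `group: ungrouped`. `mesos_master_init` is also a MultipartMime with a single part, so a comment noting it exists to host the CA install (and future parts) would help the next reader.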
|
||||
|
@ -61,6 +82,7 @@ resources:
|
|||
flavor: {get_param: master_flavor}
|
||||
key_name: {get_param: ssh_key_name}
|
||||
user_data_format: SOFTWARE_CONFIG
|
||||
user_data: {get_resource: mesos_master_init}
|
||||
networks:
|
||||
- port: {get_resource: mesos_master_eth0}
|
||||
|
||||
|
|
|
@ -252,6 +252,11 @@ parameters:
|
|||
other hosts are using the volume
|
||||
default: "false"
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
hidden: true
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -397,6 +402,7 @@ resources:
|
|||
auth_url: {get_param: auth_url}
|
||||
volume_driver: {get_param: volume_driver}
|
||||
rexray_preempt: {get_param: rexray_preempt}
|
||||
openstack_ca: {get_param: openstack_ca}
|
||||
|
||||
swarm_nodes:
|
||||
type: "OS::Heat::ResourceGroup"
|
||||
|
@ -448,6 +454,7 @@ resources:
|
|||
registry_chunksize: {get_param: registry_chunksize}
|
||||
volume_driver: {get_param: volume_driver}
|
||||
rexray_preempt: {get_param: rexray_preempt}
|
||||
openstack_ca: {get_param: openstack_ca}
|
||||
|
||||
outputs:
|
||||
|
||||
|
|
|
@ -176,6 +176,10 @@ parameters:
|
|||
other hosts are using the volume
|
||||
default: "false"
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
master_wait_handle:
|
||||
|
@ -262,6 +266,16 @@ resources:
|
|||
"$VOLUME_DRIVER": {get_param: volume_driver}
|
||||
"$REXRAY_PREEMPT": {get_param: rexray_preempt}
|
||||
|
||||
install_openstack_ca:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config:
|
||||
str_replace:
|
||||
params:
|
||||
$OPENSTACK_CA: {get_param: openstack_ca}
|
||||
template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
|
||||
|
||||
write_network_config:
|
||||
type: "OS::Heat::SoftwareConfig"
|
||||
properties:
|
||||
|
@ -389,6 +403,7 @@ resources:
|
|||
type: "OS::Heat::MultipartMime"
|
||||
properties:
|
||||
parts:
|
||||
- config: {get_resource: install_openstack_ca}
|
||||
- config: {get_resource: configure_selinux}
|
||||
- config: {get_resource: remove_docker_key}
|
||||
- config: {get_resource: write_heat_params}
|
||||
|
|
|
@ -175,6 +175,10 @@ parameters:
|
|||
other hosts are using the volume
|
||||
default: "false"
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
node_wait_handle:
|
||||
|
@ -244,6 +248,16 @@ resources:
|
|||
"$VOLUME_DRIVER": {get_param: volume_driver}
|
||||
"$REXRAY_PREEMPT": {get_param: rexray_preempt}
|
||||
|
||||
install_openstack_ca:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config:
|
||||
str_replace:
|
||||
params:
|
||||
$OPENSTACK_CA: {get_param: openstack_ca}
|
||||
template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
|
||||
|
||||
remove_docker_key:
|
||||
type: "OS::Heat::SoftwareConfig"
|
||||
properties:
|
||||
|
@ -352,6 +366,7 @@ resources:
|
|||
type: "OS::Heat::MultipartMime"
|
||||
properties:
|
||||
parts:
|
||||
- config: {get_resource: install_openstack_ca}
|
||||
- config: {get_resource: configure_selinux}
|
||||
- config: {get_resource: remove_docker_key}
|
||||
- config: {get_resource: write_heat_params}
|
||||
|
|
|
@ -183,6 +183,11 @@ parameters:
|
|||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
hidden: true
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
######################################################################
|
||||
|
@ -305,6 +310,7 @@ resources:
|
|||
volume_driver: {get_param: volume_driver}
|
||||
rexray_preempt: {get_param: rexray_preempt}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
openstack_ca: {get_param: openstack_ca}
|
||||
|
||||
swarm_secondary_masters:
|
||||
type: "OS::Heat::ResourceGroup"
|
||||
|
@ -347,6 +353,7 @@ resources:
|
|||
volume_driver: {get_param: volume_driver}
|
||||
rexray_preempt: {get_param: rexray_preempt}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
openstack_ca: {get_param: openstack_ca}
|
||||
|
||||
swarm_nodes:
|
||||
type: "OS::Heat::ResourceGroup"
|
||||
|
@ -389,6 +396,7 @@ resources:
|
|||
volume_driver: {get_param: volume_driver}
|
||||
rexray_preempt: {get_param: rexray_preempt}
|
||||
verify_ca: {get_param: verify_ca}
|
||||
openstack_ca: {get_param: openstack_ca}
|
||||
|
||||
outputs:
|
||||
|
||||
|
|
|
@ -139,6 +139,10 @@ parameters:
|
|||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
master_wait_handle:
|
||||
|
@ -201,6 +205,16 @@ resources:
|
|||
"$REXRAY_PREEMPT": {get_param: rexray_preempt}
|
||||
"$VERIFY_CA": {get_param: verify_ca}
|
||||
|
||||
install_openstack_ca:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config:
|
||||
str_replace:
|
||||
params:
|
||||
$OPENSTACK_CA: {get_param: openstack_ca}
|
||||
template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
|
||||
|
||||
remove_docker_key:
|
||||
type: "OS::Heat::SoftwareConfig"
|
||||
properties:
|
||||
|
@ -273,6 +287,7 @@ resources:
|
|||
type: "OS::Heat::MultipartMime"
|
||||
properties:
|
||||
parts:
|
||||
- config: {get_resource: install_openstack_ca}
|
||||
- config: {get_resource: configure_selinux}
|
||||
- config: {get_resource: remove_docker_key}
|
||||
- config: {get_resource: write_heat_params}
|
||||
|
|
|
@ -131,6 +131,10 @@ parameters:
|
|||
type: boolean
|
||||
description: whether or not to validate certificate authority
|
||||
|
||||
openstack_ca:
|
||||
type: string
|
||||
description: The OpenStack CA certificate to install on the node.
|
||||
|
||||
resources:
|
||||
|
||||
node_wait_handle:
|
||||
|
@ -178,6 +182,16 @@ resources:
|
|||
"$REXRAY_PREEMPT": {get_param: rexray_preempt}
|
||||
"$VERIFY_CA": {get_param: verify_ca}
|
||||
|
||||
install_openstack_ca:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config:
|
||||
str_replace:
|
||||
params:
|
||||
$OPENSTACK_CA: {get_param: openstack_ca}
|
||||
template: {get_file: ../../common/templates/fragments/atomic-install-openstack-ca.sh}
|
||||
|
||||
remove_docker_key:
|
||||
type: "OS::Heat::SoftwareConfig"
|
||||
properties:
|
||||
|
@ -250,6 +264,7 @@ resources:
|
|||
type: "OS::Heat::MultipartMime"
|
||||
properties:
|
||||
parts:
|
||||
- config: {get_resource: install_openstack_ca}
|
||||
- config: {get_resource: configure_selinux}
|
||||
- config: {get_resource: remove_docker_key}
|
||||
- config: {get_resource: write_heat_params}
|
||||
|
|
|
@ -25,8 +25,11 @@ from oslo_utils import netutils
|
|||
|
||||
from magnum.common import exception
|
||||
from magnum.common import utils
|
||||
import magnum.conf
|
||||
from magnum.tests import base
|
||||
|
||||
CONF = magnum.conf.CONF
|
||||
|
||||
|
||||
class UtilsTestCase(base.TestCase):
|
||||
|
||||
|
@ -52,6 +55,24 @@ class UtilsTestCase(base.TestCase):
|
|||
self.assertRaises(exception.UnsupportedDockerQuantityFormat,
|
||||
utils.get_docker_quantity, '512B')
|
||||
|
||||
def test_get_openstasck_ca(self):
|
||||
# openstack_ca_file is empty
|
||||
self.assertEqual('', utils.get_openstack_ca())
|
||||
|
||||
# openstack_ca_file is set but the file doesn't exist
|
||||
CONF.set_override('openstack_ca_file',
|
||||
'/tmp/invalid-ca.pem',
|
||||
group='drivers')
|
||||
self.assertRaises(IOError, utils.get_openstack_ca)
|
||||
|
||||
# openstack_ca_file is set and the file exists
|
||||
CONF.set_override('openstack_ca_file',
|
||||
'/tmp/invalid-ca.pem',
|
||||
group='drivers')
|
||||
with mock.patch('magnum.common.utils.open',
|
||||
mock.mock_open(read_data="CERT"), create=True):
|
||||
self.assertEqual('CERT', utils.get_openstack_ca())
|
||||
|
||||
|
||||
class ExecuteTestCase(base.TestCase):
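Review bot: `test_get_openstasck_ca` asserts IOError by pointing `openstack_ca_file` at `/tmp/invalid-ca.pem` and relying on that path not existing on the test host, which is environment-dependent; patch `open` with `mock.mock_open()` and `side_effect=IOError` for that case instead. The method name has a typo (`openstasck`), and the third case re-applies the identical `set_override` of the second; its comment `# openstack_ca_file is set and the file exists` is only true because `open` is mocked, so say so in the comment.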
|
||||
|
||||
|
|
|
@ -214,6 +214,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'insecure_registry_url': '10.0.0.1:5000',
|
||||
'kube_version': 'fake-version',
|
||||
'verify_ca': True,
|
||||
'openstack_ca': '',
|
||||
}
|
||||
if missing_attr is not None:
|
||||
expected.pop(mapping[missing_attr], None)
|
||||
|
@ -309,6 +310,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'insecure_registry_url': '10.0.0.1:5000',
|
||||
'kube_version': 'fake-version',
|
||||
'verify_ca': True,
|
||||
'openstack_ca': '',
|
||||
}
|
||||
|
||||
self.assertEqual(expected, definition)
|
||||
|
@ -389,6 +391,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'trustee_username': 'fake_trustee',
|
||||
'username': 'fake_user',
|
||||
'verify_ca': True,
|
||||
'openstack_ca': '',
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -466,6 +469,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'insecure_registry_url': '10.0.0.1:5000',
|
||||
'kube_version': 'fake-version',
|
||||
'verify_ca': True,
|
||||
'openstack_ca': '',
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -538,6 +542,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'insecure_registry_url': '10.0.0.1:5000',
|
||||
'kube_version': 'fake-version',
|
||||
'verify_ca': True,
|
||||
'openstack_ca': '',
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -739,6 +744,7 @@ class TestClusterConductorWithK8s(base.TestCase):
|
|||
'insecure_registry_url': '10.0.0.1:5000',
|
||||
'kube_version': 'fake-version',
|
||||
'verify_ca': True,
|
||||
'openstack_ca': '',
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
|
|
@ -131,6 +131,7 @@ class TestClusterConductorWithMesos(base.TestCase):
|
|||
'mesos_slave_work_dir': '/tmp/mesos/slave',
|
||||
'mesos_slave_image_providers': 'docker',
|
||||
'verify_ca': True,
|
||||
'openstack_ca': '',
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -185,6 +186,7 @@ class TestClusterConductorWithMesos(base.TestCase):
|
|||
'mesos_slave_work_dir': '/tmp/mesos/slave',
|
||||
'mesos_slave_image_providers': 'docker',
|
||||
'verify_ca': True,
|
||||
'openstack_ca': '',
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -243,6 +245,7 @@ class TestClusterConductorWithMesos(base.TestCase):
|
|||
'mesos_slave_work_dir': '/tmp/mesos/slave',
|
||||
'mesos_slave_image_providers': 'docker',
|
||||
'verify_ca': True,
|
||||
'openstack_ca': '',
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -302,6 +305,7 @@ class TestClusterConductorWithMesos(base.TestCase):
|
|||
'mesos_slave_work_dir': '/tmp/mesos/slave',
|
||||
'mesos_slave_image_providers': 'docker',
|
||||
'verify_ca': True,
|
||||
'openstack_ca': '',
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
|
|
@ -155,6 +155,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
|
|||
'rexray_preempt': 'False',
|
||||
'docker_volume_type': 'lvmdriver-1',
|
||||
'verify_ca': True,
|
||||
'openstack_ca': '',
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -232,6 +233,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
|
|||
'rexray_preempt': 'False',
|
||||
'docker_volume_type': 'lvmdriver-1',
|
||||
'verify_ca': True,
|
||||
'openstack_ca': '',
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -301,6 +303,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
|
|||
'docker_volume_type': 'lvmdriver-1',
|
||||
'docker_volume_size': 20,
|
||||
'verify_ca': True,
|
||||
'openstack_ca': '',
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -372,6 +375,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
|
|||
'rexray_preempt': 'False',
|
||||
'docker_volume_type': 'lvmdriver-1',
|
||||
'verify_ca': True,
|
||||
'openstack_ca': '',
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
@ -444,6 +448,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
|
|||
'rexray_preempt': 'False',
|
||||
'docker_volume_type': 'lvmdriver-1',
|
||||
'verify_ca': True,
|
||||
'openstack_ca': '',
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
self.assertEqual(
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
security:
|
||||
- |
|
||||
Add new configuration option `openstack_ca_file` in the `drivers` section
|
||||
to pass the CA bundle used for the OpenStack API. Setting this file and
|
||||
setting `verify_ca` to `true` will result to all requests from the cluster
|
||||
nodes to the OpenStack APIs to be verified.
|