diff --git a/doc/source/admin/troubleshooting-guide.rst b/doc/source/admin/troubleshooting-guide.rst index 229d70b376..546059203d 100644 --- a/doc/source/admin/troubleshooting-guide.rst +++ b/doc/source/admin/troubleshooting-guide.rst @@ -178,7 +178,11 @@ specified). If it fails, that means the credential you provided is invalid. TLS --- -*To be filled in* +The cluster nodes will validate the Certificate Authority by default +when making requests to the OpenStack APIs (Keystone, Magnum, Heat). +If you need to disable CA validation, the configuration parameter +verify_ca can be set to False. More information on `CA Validation +`_. Barbican service diff --git a/magnum/conf/__init__.py b/magnum/conf/__init__.py index 35b4cb07c3..6f9f4e23cc 100644 --- a/magnum/conf/__init__.py +++ b/magnum/conf/__init__.py @@ -26,6 +26,7 @@ from magnum.conf import conductor from magnum.conf import database from magnum.conf import docker from magnum.conf import docker_registry +from magnum.conf import drivers from magnum.conf import glance from magnum.conf import heat from magnum.conf import keystone @@ -54,6 +55,7 @@ conductor.register_opts(CONF) database.register_opts(CONF) docker.register_opts(CONF) docker_registry.register_opts(CONF) +drivers.register_opts(CONF) glance.register_opts(CONF) heat.register_opts(CONF) keystone.register_opts(CONF) diff --git a/magnum/conf/drivers.py b/magnum/conf/drivers.py new file mode 100644 index 0000000000..96eef3fc63 --- /dev/null +++ b/magnum/conf/drivers.py 
@@ -0,0 +1,40 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from oslo_config import cfg + +drivers_group = cfg.OptGroup(name='drivers', + title='Options for the Drivers') + +drivers_opts = [ + cfg.BoolOpt('verify_ca', + default=True, + help='Indicates whether the cluster nodes validate the ' + 'Certificate Authority when making requests to the ' + 'OpenStack APIs (Keystone, Magnum, Heat). If you have ' + 'self-signed certificates for the OpenStack APIs or ' + 'you have your own Certificate Authority and you ' + 'have not installed the Certificate Authority to all ' + 'nodes, you may need to disable CA validation by ' + 'setting this flag to False.') +] + + +def register_opts(conf): + conf.register_group(drivers_group) + conf.register_opts(drivers_opts, group=drivers_group) + + +def list_opts(): + return { + drivers_group: drivers_opts, + } diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh index 04218018e1..1dcfd38487 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh @@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then exit 0 fi +if [ "$VERIFY_CA" == "True" ]; then + VERIFY_CA="" +else + VERIFY_CA="-k" +fi + cert_dir=/etc/kubernetes/certs mkdir -p "$cert_dir" 
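Review bot: The help string for `verify_ca` tells operators they "may need to disable CA validation" without stating the cost, and because the option lives in the deploy-wide `[drivers]` group, one line in magnum.conf turns off server-certificate checking for every cluster's token request to Keystone and every CSR submission to Magnum. I would end the help text with a sentence such as `'Disabling CA validation exposes the credentials and certificates the nodes exchange with Keystone and Magnum to man-in-the-middle attacks; installing the CA on the node image is the preferred fix.'` The `default=True` is the right choice and should stay; the matching sentence in the troubleshooting guide hunk deserves the same warning.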
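Review bot: The new mapping in make-cert-client.sh fails open: any value of `$VERIFY_CA` other than the exact string `True` — an unset or empty variable, or a differently rendered boolean — becomes `-k`, so a missing or misspelt parameter silently disables certificate checking. Inverting the test makes an explicit opt-out the only way to get `-k`: `if [ "$VERIFY_CA" == "False" ]; then VERIFY_CA="-k"; else VERIFY_CA=""; fi`. A one-line comment above the block, `# map the Heat boolean to a curl option: "" verifies, -k skips verification`, would also save the next reader a trip to the templates.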
@@ -55,11 +61,11 @@ EOF content_type='Content-Type: application/json' url="$AUTH_URL/auth/tokens" -USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \ +USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \ | grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'` # Get CA certificate for this cluster -curl -k -X GET \ +curl $VERIFY_CA -X GET \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ $MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > $CA_CERT @@ -93,7 +99,7 @@ openssl req -new -days 1000 \ # Send csr to Magnum to have it signed csr_req=$(python -c "import json; fp = open('${CLIENT_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()") -curl -k -X POST \ +curl $VERIFY_CA -X POST \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ -H "Content-Type: application/json" \ diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh index bbb412a803..aee8c539f4 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh @@ -24,6 +24,12 @@ if [ "$TLS_DISABLED" == "True" ]; then exit 0 fi +if [ "$VERIFY_CA" == "True" ]; then + VERIFY_CA="" +else + VERIFY_CA="-k" +fi + if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4) fi 
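Review bot: Now that the token request can legitimately fail on a certificate error, the pipeline at `USER_TOKEN=\`curl $VERIFY_CA -s -i ...\`` still swallows that failure: `-s` hides curl's error, the grep/awk pipe turns it into an empty `USER_TOKEN`, and the following `curl $VERIFY_CA -X GET` runs with an empty `X-Auth-Token` and writes whatever comes back into `$CA_CERT`. Use `-sS` on the token request so the TLS error is printed, and `-f` on the CA fetch, e.g. `curl $VERIFY_CA -sSf -X GET \`, so a failed response does not reach `python -c`. A guard such as `[ -n "$USER_TOKEN" ] || { echo "failed to obtain Keystone token" >&2; exit 1; }` right after the token line would stop the script before it fetches the CA.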
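Review bot: The six-line True/`-k` translation added to make-cert.sh is the second copy in this series (make-cert-client.sh has the same lines), it is repeated again in the CoreOS and Swarm fragments, and the Mesos template passes the untranslated boolean straight to curl — the duplication is where the inconsistency comes from. Doing the conversion once, either in the Heat template that renders the scripts or in write-heat-params as a separate variable such as `VERIFY_CA_CURL_OPT`, would keep every fragment in step and avoid reusing `VERIFY_CA` for two meanings (a boolean on entry, a curl flag afterwards). If it stays in shell, the test should be `[ "$VERIFY_CA" == "False" ]` so that only an explicit False yields `-k`.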
@@ -87,11 +93,11 @@ EOF content_type='Content-Type: application/json' url="$AUTH_URL/auth/tokens" -USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \ +USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "$content_type" -d "$auth_json" $url \ | grep X-Subject-Token | awk '{print $2}' | tr -d '[[:space:]]'` # Get CA certificate for this cluster -curl -k -X GET \ +curl $VERIFY_CA -X GET \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ $MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${CA_CERT} @@ -120,7 +126,7 @@ openssl req -new -days 1000 \ # Send csr to Magnum to have it signed csr_req=$(python -c "import json; fp = open('${SERVER_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()") -curl -k -X POST \ +curl $VERIFY_CA -X POST \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ -H "Content-Type: application/json" \ diff --git a/magnum/drivers/common/templates/kubernetes/fragments/wc-notify-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/wc-notify-master.sh index bc663c7eba..f8a86c1314 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/wc-notify-master.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/wc-notify-master.sh @@ -11,7 +11,7 @@ until curl -sf "http://127.0.0.1:8080/healthz"; do echo "Waiting for Kubernetes API..." sleep 5 done -$WAIT_CURL --data-binary '{"status": "SUCCESS"}' +$WAIT_CURL $VERIFY_CA --data-binary '{"status": "SUCCESS"}' EOF cat > $WC_NOTIFY_SERVICE < /etc/systemd/system/swarm-manager.service << END_SERVICE_TOP [Unit] Description=Swarm Manager 
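Review bot: `$VERIFY_CA` is interpolated into the notify command inside the heredoc in wc-notify-master.sh, but this file's diff adds no True/`-k` translation (the only hunk is `-11,7 +11,7`), and the k8s_fedora_atomic_v1 kubemaster.yaml hunk adds `"$VERIFY_CA"` to the write_heat_params block only, not to the str_replace params that supply `$WAIT_CURL` as swarmmaster.yaml does. So unless the value is converted before line 11 — not visible here — curl receives either nothing or the literal `True`/`False` as an extra argument, which it treats as a URL, and `-k` is never passed when `verify_ca` is False. Add the conversion in this script before the heredoc, `if [ "$VERIFY_CA" == "False" ]; then VERIFY_CA="-k"; else VERIFY_CA=""; fi`, or source an already translated variable under a distinct name. The heredoc and the enclosing script begin before this hunk.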
@@ -46,7 +52,7 @@ cat >> /etc/systemd/system/swarm-manager.service << END_SERVICE_BOTTOM etcd://$ETCD_SERVER_IP:2379/v2/keys/swarm/ ExecStop=/usr/bin/docker stop swarm-manager Restart=always -ExecStartPost=/usr/bin/$WAIT_CURL \\ +ExecStartPost=/usr/bin/$WAIT_CURL $VERIFY_CA \\ --data-binary '{"status": "SUCCESS", "reason": "Setup complete", "data": "OK", "id": "$UUID"}' [Install] diff --git a/magnum/drivers/heat/template_def.py b/magnum/drivers/heat/template_def.py index 922662603b..26fe24a732 100755 --- a/magnum/drivers/heat/template_def.py +++ b/magnum/drivers/heat/template_def.py @@ -244,6 +244,7 @@ class BaseTemplateDefinition(TemplateDefinition): extra_params['trustee_user_id'] = cluster.trustee_user_id extra_params['trustee_username'] = cluster.trustee_username extra_params['trustee_password'] = cluster.trustee_password + extra_params['verify_ca'] = CONF.drivers.verify_ca # Only pass trust ID into the template if allowed by the config file if CONF.trust.cluster_user_trust: diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml index ac1029c6dc..dc910bfd44 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml @@ -40,6 +40,12 @@ write_files: exit 0 fi + if [ "$VERIFY_CA" == "True" ]; then + VERIFY_CA="" + else + VERIFY_CA="-k" + fi + cert_conf_dir=${KUBE_CERTS_PATH}/conf mkdir -p ${cert_conf_dir} 
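Review bot: `extra_params['verify_ca'] = CONF.drivers.verify_ca` bakes a security-relevant global into the stack parameters without leaving any trace in the conductor log, so an operator inspecting a cluster later has no indication that its nodes were told to skip certificate checks. I would record it at the point of use, e.g. `if not CONF.drivers.verify_ca: LOG.warning('drivers.verify_ca is False; cluster nodes will not verify OpenStack API certificates')`, assuming the module already has a `LOG` (not visible in this hunk). The enclosing method starts before this hunk and continues after it.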
@@ -72,12 +78,12 @@ write_files: } EOF - USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \ + USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \ $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'` rm -rf auth.json - ca_cert_json=$(curl -k -X GET \ + ca_cert_json=$(curl $VERIFY_CA -X GET \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ $MAGNUM_URL/certificates/$CLUSTER_UUID) @@ -114,7 +120,7 @@ write_files: csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g') csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}" # Send csr to Magnum to have it signed - client_cert_json=$(curl -k -X POST \ + client_cert_json=$(curl $VERIFY_CA -X POST \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ -H "Content-Type: application/json" \ diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml index 07daf2d991..8ef1128270 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml @@ -40,6 +40,12 @@ write_files: exit 0 fi + if [ "$VERIFY_CA" == "True" ]; then + VERIFY_CA="" + else + VERIFY_CA="-k" + fi + if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4) fi 
@@ -103,13 +109,13 @@ write_files: } EOF - USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \ + USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \ $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'` rm -rf auth.json # Get CA certificate for this cluster - ca_cert_json=$(curl -k -X GET \ + ca_cert_json=$(curl $VERIFY_CA -X GET \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ $MAGNUM_URL/certificates/$CLUSTER_UUID) @@ -141,7 +147,7 @@ write_files: csr=$(cat $SERVER_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g') csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}" # Send csr to Magnum to have it signed - server_cert_json=$(curl -k -X POST \ + server_cert_json=$(curl $VERIFY_CA -X POST \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ -H "Content-Type: application/json" \ diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml index 6d8a295632..7857bd771d 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml @@ -20,5 +20,5 @@ write_files: permissions: "0755" content: | #!/bin/bash -v - command="$WAIT_CURL --insecure --data-binary '{\"status\": \"SUCCESS\"}'" + command="$WAIT_CURL $VERIFY_CA --data-binary '{\"status\": \"SUCCESS\"}'" eval $(echo "$command") diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml index d738795c0f..f89810a52b 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml 
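Review bot: Replacing the hard-coded `--insecure` in wc-notify.yaml with `$VERIFY_CA` regresses this script if `$VERIFY_CA` is filled by the same `str_replace` that fills `$WAIT_CURL`, because the kubemaster.yaml hunk maps it straight to the boolean `verify_ca` parameter: the rendered line becomes `command="curl ... True --data-binary ..."` (or `False`), curl treats the stray word as a second URL, and `-k` is never passed when verification is meant to be off. The make-cert fragments in this driver translate the value before using it; this script needs the same step before `command` is built and `eval`ed.
```yaml
    content: |
      #!/bin/bash -v
      if [ "$VERIFY_CA" == "False" ]; then
          verify_opt="-k"
      else
          verify_opt=""
      fi
      command="$WAIT_CURL $verify_opt --data-binary '{\"status\": \"SUCCESS\"}'"
      eval $(echo "$command")
```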
@@ -25,6 +25,7 @@ write_files: TENANT_NAME="$TENANT_NAME" CLUSTER_SUBNET="$CLUSTER_SUBNET" TLS_DISABLED="$TLS_DISABLED" + VERIFY_CA="$VERIFY_CA" CLUSTER_UUID="$CLUSTER_UUID" MAGNUM_URL="$MAGNUM_URL" HTTP_PROXY="$HTTP_PROXY" diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml index 8eb8e02590..31c861c540 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml @@ -21,6 +21,7 @@ write_files: REGISTRY_INSECURE="$REGISTRY_INSECURE" REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE" TLS_DISABLED="$TLS_DISABLED" + VERIFY_CA="$VERIFY_CA" CLUSTER_UUID="$CLUSTER_UUID" MAGNUM_URL="$MAGNUM_URL" AUTH_URL="$AUTH_URL" diff --git a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml index 99efb03d4a..1fbae2d062 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml @@ -155,6 +155,10 @@ parameters: description: whether or not to disable kubernetes dashboard default: True + verify_ca: + type: boolean + description: whether or not to validate certificate authority + loadbalancing_protocol: type: string description: > @@ -431,6 +435,7 @@ resources: kubernetes_port: {get_param: kubernetes_port} tls_disabled: {get_param: tls_disabled} kube_dashboard_enabled: {get_param: kube_dashboard_enabled} + verify_ca: {get_param: verify_ca} secgroup_kube_master_id: {get_resource: secgroup_master} http_proxy: {get_param: http_proxy} https_proxy: {get_param: https_proxy} 
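Review bot: The new `verify_ca` parameter in the CoreOS kubecluster.yaml is declared with `type: boolean` and no `default`, unlike `kube_dashboard_enabled` just above it, so any caller that does not pass it — an out-of-tree template definition or a conductor built from an older template_def — now fails stack validation instead of getting the safe behaviour. Adding `default: true` under the description keeps the template self-contained and fail-closed; the value the conductor supplies from `CONF.drivers.verify_ca` still wins when present. The same omission appears in the other cluster templates in this series.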
@@ -489,6 +494,7 @@ resources: network_driver: {get_param: network_driver} kubernetes_port: {get_param: kubernetes_port} tls_disabled: {get_param: tls_disabled} + verify_ca: {get_param: verify_ca} secgroup_kube_minion_id: {get_resource: secgroup_minion_all_open} http_proxy: {get_param: http_proxy} https_proxy: {get_param: https_proxy} diff --git a/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml index 960a604fa2..875046adb9 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml @@ -115,6 +115,10 @@ parameters: type: boolean description: whether or not to disable kubernetes dashboard + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: > @@ -280,6 +284,7 @@ resources: "$NETWORK_DRIVER": {get_param: network_driver} "$KUBE_API_PORT": {get_param: kubernetes_port} "$TLS_DISABLED": {get_param: tls_disabled} + "$VERIFY_CA": {get_param: verify_ca} "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled} "$KUBE_VERSION": {get_param: kube_version} "$KUBE_DASHBOARD_VERSION": {get_param: kube_dashboard_version} diff --git a/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml b/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml index cb2f7b09a9..c138756136 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml @@ -42,6 +42,10 @@ parameters: type: boolean description: whether or not to enable TLS + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: 
> @@ -185,6 +189,7 @@ resources: "$WAIT_CURL": {get_attr: [minion_wait_handle, curl_cli]} "$KUBE_API_PORT": {get_param: kubernetes_port} "$TLS_DISABLED": {get_param: tls_disabled} + "$VERIFY_CA": {get_param: verify_ca} "$NETWORK_DRIVER": {get_param: network_driver} "$ETCD_SERVER_IP": {get_param: etcd_server_ip} "$KUBE_VERSION": {get_param: kube_version} diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml index 7235687fa0..8a05721aa1 100644 --- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml @@ -252,6 +252,10 @@ parameters: description: whether or not to enable kubernetes dashboard default: True + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: > @@ -512,6 +516,7 @@ resources: kubernetes_port: {get_param: kubernetes_port} tls_disabled: {get_param: tls_disabled} kube_dashboard_enabled: {get_param: kube_dashboard_enabled} + verify_ca: {get_param: verify_ca} secgroup_kube_master_id: {get_resource: secgroup_kube_master} http_proxy: {get_param: http_proxy} https_proxy: {get_param: https_proxy} @@ -580,6 +585,7 @@ resources: password: {get_param: password} kubernetes_port: {get_param: kubernetes_port} tls_disabled: {get_param: tls_disabled} + verify_ca: {get_param: verify_ca} secgroup_kube_minion_id: {get_resource: secgroup_kube_minion} http_proxy: {get_param: http_proxy} https_proxy: {get_param: https_proxy} diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml index 9d266fcfd0..6bdc0acc50 100644 --- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml 
@@ -114,6 +114,10 @@ parameters: type: boolean description: whether or not to disable kubernetes dashboard + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: > @@ -324,6 +328,7 @@ resources: "$CLUSTER_SUBNET": {get_param: fixed_subnet} "$TLS_DISABLED": {get_param: tls_disabled} "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled} + "$VERIFY_CA": {get_param: verify_ca} "$CLUSTER_UUID": {get_param: cluster_uuid} "$MAGNUM_URL": {get_param: magnum_url} "$VOLUME_DRIVER": {get_param: volume_driver} diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml index 207e467086..16ba69fe4d 100644 --- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml @@ -57,6 +57,10 @@ parameters: type: boolean description: whether or not to enable TLS + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: > @@ -269,6 +273,7 @@ resources: $REGISTRY_INSECURE: {get_param: registry_insecure} $REGISTRY_CHUNKSIZE: {get_param: registry_chunksize} $TLS_DISABLED: {get_param: tls_disabled} + $VERIFY_CA: {get_param: verify_ca} $CLUSTER_UUID: {get_param: cluster_uuid} $MAGNUM_URL: {get_param: magnum_url} $USERNAME: {get_param: username} diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml index 219eb8fbbe..0225633e0f 100644 --- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml +++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml 
@@ -250,6 +250,10 @@ parameters: description: whether or not to disable kubernetes dashboard default: True + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: > @@ -484,6 +488,7 @@ resources: kubernetes_port: {get_param: kubernetes_port} tls_disabled: {get_param: tls_disabled} kube_dashboard_enabled: {get_param: kube_dashboard_enabled} + verify_ca: {get_param: verify_ca} secgroup_base_id: {get_resource: secgroup_base} secgroup_kube_master_id: {get_resource: secgroup_kube_master} http_proxy: {get_param: http_proxy} @@ -574,6 +579,7 @@ resources: password: {get_param: password} kubernetes_port: {get_param: kubernetes_port} tls_disabled: {get_param: tls_disabled} + verify_ca: {get_param: verify_ca} http_proxy: {get_param: http_proxy} https_proxy: {get_param: https_proxy} no_proxy: {get_param: no_proxy} diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml index e384df4d9c..43b987d75f 100644 --- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml +++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml @@ -99,6 +99,10 @@ parameters: type: boolean description: whether or not to disable kubernetes dashboard + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: > @@ -289,6 +293,7 @@ resources: "$CLUSTER_SUBNET": {get_param: fixed_subnet} "$TLS_DISABLED": {get_param: tls_disabled} "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled} + "$VERIFY_CA": {get_param: verify_ca} "$CLUSTER_UUID": {get_param: cluster_uuid} "$MAGNUM_URL": {get_param: magnum_url} "$HTTP_PROXY": {get_param: http_proxy} 
diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml index 695d8d96f3..a5d3298c7f 100644 --- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml +++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubeminion_software_configs.yaml @@ -29,6 +29,10 @@ parameters: type: boolean description: whether or not to enable TLS + verify_ca: + type: boolean + description: whether or not to validate certificate authority + kubernetes_port: type: number description: > @@ -203,6 +207,7 @@ resources: $REGISTRY_INSECURE: {get_param: registry_insecure} $REGISTRY_CHUNKSIZE: {get_param: registry_chunksize} $TLS_DISABLED: {get_param: tls_disabled} + $VERIFY_CA: {get_param: verify_ca} $CLUSTER_UUID: {get_param: cluster_uuid} $MAGNUM_URL: {get_param: magnum_url} $USERNAME: {get_param: username} diff --git a/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml b/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml index 3737d508bf..e54037b36f 100644 --- a/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml +++ b/magnum/drivers/mesos_ubuntu_v1/templates/mesos_slave_software_configs.yaml @@ -64,6 +64,10 @@ parameters: enables any host to take control of a volume irrespective of whether other hosts are using the volume + verify_ca: + type: boolean + description: whether or not to validate certificate authority + mesos_slave_isolation: type: string description: > @@ -154,9 +158,10 @@ resources: str_replace: template: | #!/bin/bash -v - wc_notify --data-binary '{"status": "SUCCESS"}' + wc_notify $VERIFY_CA --data-binary '{"status": "SUCCESS"}' params: wc_notify: {get_param: mesos_slave_wc_curl_cli} + "$VERIFY_CA": {get_param: verify_ca} add_proxy: type: OS::Heat::SoftwareConfig 
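Review bot: In mesos_slave_software_configs.yaml the new `wc_notify $VERIFY_CA --data-binary ...` line receives the raw boolean: the `params` block maps `"$VERIFY_CA"` directly to `{get_param: verify_ca}`, so Heat renders `wc_notify True ...` or `wc_notify False ...`, curl treats the stray word as an additional URL, and `-k` is never emitted — the opposite of what the option promises when it is False. The script runs under `#!/bin/bash -v` without `-e`, so the failing extra URL will not even abort it. Translate inside the script before calling the notifier, as the Kubernetes fragments do.
```yaml
          template: |
            #!/bin/bash -v
            if [ "$VERIFY_CA" == "False" ]; then
                verify_opt="-k"
            else
                verify_opt=""
            fi
            wc_notify $verify_opt --data-binary '{"status": "SUCCESS"}'
          # … unchanged: params block …
```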
diff --git a/magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml b/magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml index 514a1a6eb7..3a9e65c6b2 100644 --- a/magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml +++ b/magnum/drivers/mesos_ubuntu_v1/templates/mesoscluster.yaml @@ -207,6 +207,10 @@ parameters: be empty when doing a create. default: [] + verify_ca: + type: boolean + description: whether or not to validate certificate authority + resources: ###################################################################### @@ -458,6 +462,7 @@ resources: mesos_slave_image_providers: {get_param: mesos_slave_image_providers} mesos_slave_executor_env_variables: {get_param: mesos_slave_executor_env_variables} mesos_slave_wc_curl_cli: {get_attr: [slave_wait_handle, curl_cli]} + verify_ca: {get_param: verify_ca} outputs: diff --git a/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml b/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml index 389a9855f5..aacafda325 100644 --- a/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml +++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml @@ -100,6 +100,10 @@ parameters: description: whether or not to enable TLS default: False + verify_ca: + type: boolean + description: whether or not to validate certificate authority + network_driver: type: string description: network driver to use for instantiating container networks @@ -374,6 +378,7 @@ resources: cluster_uuid: {get_param: cluster_uuid} magnum_url: {get_param: magnum_url} tls_disabled: {get_param: tls_disabled} + verify_ca: {get_param: verify_ca} secgroup_swarm_master_id: {get_resource: secgroup_swarm_manager} network_driver: {get_param: network_driver} flannel_network_cidr: {get_param: flannel_network_cidr} 
@@ -422,6 +427,7 @@ resources: cluster_uuid: {get_param: cluster_uuid} magnum_url: {get_param: magnum_url} tls_disabled: {get_param: tls_disabled} + verify_ca: {get_param: verify_ca} secgroup_swarm_node_id: {get_resource: secgroup_swarm_node} flannel_network_cidr: {get_param: flannel_network_cidr} network_driver: {get_param: network_driver} diff --git a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml index 541abe6cea..c535676e33 100644 --- a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml +++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml @@ -90,6 +90,10 @@ parameters: type: boolean description: whether or not to enable TLS + verify_ca: + type: boolean + description: whether or not to validate certificate authority + network_driver: type: string description: network driver to use for instantiating container networks @@ -243,6 +247,7 @@ resources: "$CLUSTER_UUID": {get_param: cluster_uuid} "$MAGNUM_URL": {get_param: magnum_url} "$TLS_DISABLED": {get_param: tls_disabled} + "$VERIFY_CA": {get_param: verify_ca} "$NETWORK_DRIVER": {get_param: network_driver} "$FLANNEL_NETWORK_CIDR": {get_param: flannel_network_cidr} "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen} @@ -319,6 +324,7 @@ resources: params: "$SERVICE": swarm-manager "$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]} + "$VERIFY_CA": {get_param: verify_ca} write_docker_socket: type: "OS::Heat::SoftwareConfig" @@ -341,6 +347,7 @@ resources: "$HTTPS_PROXY": {get_param: https_proxy} "$NO_PROXY": {get_attr: [no_proxy_extended, value]} "$TLS_DISABLED": {get_param: tls_disabled} + "$VERIFY_CA": {get_param: verify_ca} "$SWARM_VERSION": {get_param: swarm_version} "$SWARM_STRATEGY": {get_param: swarm_strategy} 
diff --git a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml index a93c0cd677..d4562e1746 100644 --- a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml +++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml @@ -93,6 +93,10 @@ parameters: type: boolean description: whether or not to disable TLS + verify_ca: + type: boolean + description: whether or not to validate certificate authority + swarm_version: type: string description: version of swarm used for swarm cluster @@ -220,6 +224,7 @@ resources: "$CLUSTER_UUID": {get_param: cluster_uuid} "$MAGNUM_URL": {get_param: magnum_url} "$TLS_DISABLED": {get_param: tls_disabled} + "$VERIFY_CA": {get_param: verify_ca} "$NETWORK_DRIVER": {get_param: network_driver} "$ETCD_SERVER_IP": {get_param: etcd_server_ip} "$API_IP_ADDRESS": {get_param: api_ip_address} @@ -295,6 +300,7 @@ resources: params: "$SERVICE": swarm-agent "$WAIT_CURL": {get_attr: [node_wait_handle, curl_cli]} + "$VERIFY_CA": {get_param: verify_ca} write_swarm_agent_service: type: "OS::Heat::SoftwareConfig" diff --git a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-heat-params-master.yaml b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-heat-params-master.yaml index f6f2d5f6d9..4f15412be1 100644 --- a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-heat-params-master.yaml +++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-heat-params-master.yaml @@ -26,3 +26,4 @@ write_files: AUTH_URL="$AUTH_URL" VOLUME_DRIVER="$VOLUME_DRIVER" REXRAY_PREEMPT="$REXRAY_PREEMPT" + VERIFY_CA="$VERIFY_CA" diff --git a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh index 2c978b41ee..a31bb3d489 100644 
--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh +++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-master-service.sh @@ -4,6 +4,12 @@ set -x +if [ "$VERIFY_CA" == "True" ]; then + VERIFY_CA="" +else + VERIFY_CA="-k" +fi + if [ "${IS_PRIMARY_MASTER}" = "True" ]; then cat > /usr/local/bin/magnum-start-swarm-manager << START_SWARM_BIN #!/bin/bash -xe @@ -16,7 +22,7 @@ else status="FAILURE" msg="Failed to init swarm." fi -sh -c "${WAIT_CURL} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'" +sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"\$status\", \"reason\": \"\$msg\"}'" START_SWARM_BIN else if [ "${TLS_DISABLED}" = 'False' ]; then @@ -37,7 +43,7 @@ do done if [[ -z \$token ]] ; then - sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'" + sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'" fi i=0 @@ -48,9 +54,9 @@ do sleep 5 done if [[ \$i -ge 5 ]] ; then - sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'" + sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Manager failed to join swarm.\"}'" else - sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'" + sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Manager joined swarm.\"}'" fi START_SWARM_BIN fi diff --git a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh index 6bc8448c27..bc947a8a09 100644 --- a/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh 
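Review bot: The translation block at the top of write-swarm-master-service.sh rebinds `VERIFY_CA` from a boolean to a curl flag and, like the other copies, treats every value except the literal `True` as an opt-out, so an unset variable (for example when write-heat-params-master.yaml was rendered by an older template) yields `-k`. Binding to a new name and inverting the test fixes both: `if [ "$VERIFY_CA" == "False" ]; then CURL_VERIFY_OPT="-k"; else CURL_VERIFY_OPT=""; fi`, then `${CURL_VERIFY_OPT}` in the four `sh -c "${WAIT_CURL} ..."` lines. Those lines sit in a `START_SWARM_BIN` heredoc that is evidently unquoted (`${WAIT_CURL}` expands while `\$status` is escaped), so the flag is fixed when the helper script is written, which is the intended behaviour.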
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/fragments/write-swarm-worker-service.sh @@ -4,6 +4,12 @@ set -x +if [ "$VERIFY_CA" == "True" ]; then + VERIFY_CA="" +else + VERIFY_CA="-k" +fi + if [ "${TLS_DISABLED}" = 'False' ]; then tls="--tlsverify" tls=$tls" --tlscacert=/etc/docker/ca.crt" @@ -22,7 +28,7 @@ do done if [[ -z \$token ]] ; then - sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'" + sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Failed to retrieve swarm join token.\"}'" fi i=0 @@ -33,9 +39,9 @@ do sleep 5 done if [[ \$i -ge 5 ]] ; then - sh -c "${WAIT_CURL} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'" + sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"FAILURE\", \"reason\": \"Node failed to join swarm.\"}'" else - sh -c "${WAIT_CURL} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'" + sh -c "${WAIT_CURL} ${VERIFY_CA} --data-binary '{\"status\": \"SUCCESS\", \"reason\": \"Node joined swarm.\"}'" fi START_SWARM_BIN diff --git a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml index 6af9ebe008..9687836754 100644 --- a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml +++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmcluster.yaml @@ -179,6 +179,9 @@ parameters: other hosts are using the volume default: "false" + verify_ca: + type: boolean + description: whether or not to validate certificate authority resources: @@ -301,6 +304,7 @@ resources: auth_url: {get_param: auth_url} volume_driver: {get_param: volume_driver} rexray_preempt: {get_param: rexray_preempt} + verify_ca: {get_param: verify_ca} swarm_secondary_masters: type: "OS::Heat::ResourceGroup" 
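Review bot: In swarmcluster.yaml the `verify_ca` parameter has no `default`, so a stack created from this template without the parameter fails validation instead of defaulting to verification, and the added block is not separated from `resources:` by a blank line the way the surrounding parameters are. Suggest `default: true` under the description and a blank line before `resources:`. The parameter is otherwise wired through to the primary master, secondary masters and nodes consistently.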
@@ -342,6 +346,7 @@ resources:
 auth_url: {get_param: auth_url}
 volume_driver: {get_param: volume_driver}
 rexray_preempt: {get_param: rexray_preempt}
+ verify_ca: {get_param: verify_ca}
 swarm_nodes:
 type: "OS::Heat::ResourceGroup"
@@ -383,6 +388,7 @@ resources:
 auth_url: {get_param: auth_url}
 volume_driver: {get_param: volume_driver}
 rexray_preempt: {get_param: rexray_preempt}
+ verify_ca: {get_param: verify_ca}
 outputs:
diff --git a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml
index a9b0e542fb..8f8d6ffb4f 100644
--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmmaster.yaml
@@ -135,6 +135,10 @@ parameters:
 description: whether this master is primary or not
 default: False
+ verify_ca:
+ type: boolean
+ description: whether or not to validate certificate authority
+
 resources:
 master_wait_handle:
@@ -195,6 +199,7 @@ resources:
 "$AUTH_URL": {get_param: auth_url}
 "$VOLUME_DRIVER": {get_param: volume_driver}
 "$REXRAY_PREEMPT": {get_param: rexray_preempt}
+ "$VERIFY_CA": {get_param: verify_ca}
 remove_docker_key:
 type: "OS::Heat::SoftwareConfig"
diff --git a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml
index 913f1eec7c..c0c362a7f5 100644
--- a/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v2/templates/swarmnode.yaml
@@ -127,6 +127,10 @@ parameters:
 other hosts are using the volume
 default: "false"
+ verify_ca:
+ type: boolean
+ description: whether or not to validate certificate authority
+
 resources:
 node_wait_handle:
@@ -172,6 +176,7 @@ resources:
 "$AUTH_URL": {get_param: auth_url}
 "$VOLUME_DRIVER": {get_param: volume_driver}
 "$REXRAY_PREEMPT": {get_param: rexray_preempt}
+ "$VERIFY_CA": {get_param: verify_ca}
 remove_docker_key:
 type: "OS::Heat::SoftwareConfig"
diff --git a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
index 2fc0725ecb..6cf4947c48 100644
--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@@ -225,6 +225,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'auth_url': 'http://192.168.10.10:5000/v3',
 'insecure_registry_url': '10.0.0.1:5000',
 'kube_version': 'fake-version',
+ 'verify_ca': True,
 }
 if missing_attr is not None:
 expected.pop(mapping[missing_attr], None)
@@ -319,6 +320,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'volume_driver': 'volume_driver',
 'insecure_registry_url': '10.0.0.1:5000',
 'kube_version': 'fake-version',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
@@ -398,7 +400,8 @@ class TestClusterConductorWithK8s(base.TestCase):
 'trustee_password': 'fake_trustee_password',
 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
 'trustee_username': 'fake_trustee',
- 'username': 'fake_user'
+ 'username': 'fake_user',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -475,6 +478,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'magnum_url': self.mock_osc.magnum_url.return_value,
 'insecure_registry_url': '10.0.0.1:5000',
 'kube_version': 'fake-version',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -546,6 +550,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'magnum_url': self.mock_osc.magnum_url.return_value,
 'insecure_registry_url': '10.0.0.1:5000',
 'kube_version': 'fake-version',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
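Review bot: The updated expectations pin only the default `'verify_ca': True`; none of the adjusted cases in this file, nor in the mesos and swarm conductor tests changed alongside it, exercise the opt-out, so a regression that ignored the option and always emitted True would still pass. One case that overrides the option to False via oslo.config's `set_override` on its group and asserts `'verify_ca': False` in the resulting definition would cover the path the feature exists for. The enclosing test methods start outside these hunks.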
@@ -731,6 +736,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'auth_url': 'http://192.168.10.10:5000/v3',
 'insecure_registry_url': '10.0.0.1:5000',
 'kube_version': 'fake-version',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
diff --git a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
index 2ecb1b21d5..ed6edcbc2d 100644
--- a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
@@ -137,7 +137,8 @@ class TestClusterConductorWithMesos(base.TestCase):
 'mesos_slave_executor_env_variables': '{}',
 'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
 'mesos_slave_work_dir': '/tmp/mesos/slave',
- 'mesos_slave_image_providers': 'docker'
+ 'mesos_slave_image_providers': 'docker',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -192,6 +193,7 @@ class TestClusterConductorWithMesos(base.TestCase):
 'mesos_slave_work_dir': '/tmp/mesos/slave',
 'mesos_slave_image_providers': 'docker',
 'master_flavor': 'master_flavor_id',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -248,7 +250,8 @@ class TestClusterConductorWithMesos(base.TestCase):
 'mesos_slave_executor_env_variables': '{}',
 'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
 'mesos_slave_work_dir': '/tmp/mesos/slave',
- 'mesos_slave_image_providers': 'docker'
+ 'mesos_slave_image_providers': 'docker',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -306,7 +309,8 @@ class TestClusterConductorWithMesos(base.TestCase):
 'mesos_slave_executor_env_variables': '{}',
 'mesos_slave_isolation': 'docker/runtime,filesystem/linux',
 'mesos_slave_work_dir': '/tmp/mesos/slave',
- 'mesos_slave_image_providers': 'docker'
+ 'mesos_slave_image_providers': 'docker',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
diff --git a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
index 0b2bcbecfa..315c1bdabd 100644
--- a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
@@ -160,7 +160,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
 'swarm_strategy': u'spread',
 'volume_driver': 'rexray',
 'rexray_preempt': 'False',
- 'docker_volume_type': 'lvmdriver-1'
+ 'docker_volume_type': 'lvmdriver-1',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -236,7 +237,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
 'swarm_strategy': u'spread',
 'volume_driver': 'rexray',
 'rexray_preempt': 'False',
- 'docker_volume_type': 'lvmdriver-1'
+ 'docker_volume_type': 'lvmdriver-1',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -306,6 +308,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
 'docker_volume_type': 'lvmdriver-1',
 'docker_volume_size': 20,
 'master_flavor': 'master_flavor_id',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -375,7 +378,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
 'swarm_strategy': u'spread',
 'volume_driver': 'rexray',
 'rexray_preempt': 'False',
- 'docker_volume_type': 'lvmdriver-1'
+ 'docker_volume_type': 'lvmdriver-1',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
@@ -446,7 +450,8 @@ class TestClusterConductorWithSwarm(base.TestCase):
 'swarm_strategy': u'spread',
 'volume_driver': 'rexray',
 'rexray_preempt': 'False',
- 'docker_volume_type': 'lvmdriver-1'
+ 'docker_volume_type': 'lvmdriver-1',
+ 'verify_ca': True,
 }
 self.assertEqual(expected, definition)
 self.assertEqual(
diff --git a/releasenotes/notes/bug-1663757-198e1aa8fa810984.yaml b/releasenotes/notes/bug-1663757-198e1aa8fa810984.yaml
new file mode 100644
index 0000000000..67106fb82f
--- /dev/null
+++ b/releasenotes/notes/bug-1663757-198e1aa8fa810984.yaml
@@ -0,0 +1,12 @@
+---
+fixes:
+ - |
+ [`bug 1663757 `_]
+ A configuration parameter, verify_ca, was added to magnum.conf
+ with a default value of True and passed to the heat templates to indicate
+ whether the cluster nodes validate the Certificate Authority when making
+ requests to the OpenStack APIs (Keystone, Magnum, Heat). This parameter
+ can be set to False to disable CA validation if you have self-signed
+ certificates for the OpenStack APIs or you have your own Certificate
+ Authority and you have not installed the Certificate Authority to all
+ nodes.