Add base support for SSL for Openstack services

- Update address function to use "tls" config option and set scheme to 'https'. Also we check, that service is in list of services, which support TLS. - Updated function for generation Environment, which will be used by openstackclient. Now 'https' scheme will be used if 'tls' is enabled. Also was added new variable for storing path for file with CA certificate. This file will be generated in /tmp for each new container by using content defined in config file. It was done in such way, because opnectackclient does not setting --insecure via Environment. - Implementation of httpGet was changed to support 'https' endpoints. Now requests.get method uses 'https' scheme with verify=False, if 'tls' is enabled. Change-Id: I88bc21571589dcd4c31bb5ce5015a75676ed2d85
2017-01-26 06:39:11 +00:00 · 2017-01-26 06:39:11 +00:00 · 70ae2bc84a
parent ff6efca2c8
commit 70ae2bc84a
1 changed files with 25 additions and 4 deletions
--- a/fuel_ccp_entrypoint/start_script.py
+++ b/fuel_ccp_entrypoint/start_script.py
@ -177,8 +177,18 @@ def openstackclient_preexec_fn():
        os.environ["OS_PASSWORD"] = VARIABLES['openstack']['user_password']
        os.environ["OS_USERNAME"] = VARIABLES['openstack']['user_name']
        os.environ["OS_PROJECT_NAME"] = VARIABLES['openstack']['project_name']
-        os.environ["OS_AUTH_URL"] = 'http://%s/v3' % address(
-            'keystone', VARIABLES['keystone']['admin_port'])
+        scheme = 'http'
+        if VARIABLES['security']['tls']['enabled']:
+            scheme = 'https'
+            # Pass CA cert for using by client, because it's not possible to
+            # specify insecure via environment.
+            # (Alternative solution is to store all certs in the same place.)
+            path = '/tmp/ca.cert'
+            with open(path, 'w') as tmp_cert:
+                tmp_cert.write(VARIABLES['security']['tls']['ca_cert'])
+            os.environ["OS_CACERT"] = path
+        os.environ["OS_AUTH_URL"] = '%s://%s/v3' % (scheme, address(
+            'keystone', VARIABLES['keystone']['admin_port']))
    return result


@ -216,6 +226,10 @@ def get_ingress_host(ingress_name):
 def address(service, port=None, external=False, with_scheme=False):
    addr = None
    scheme = 'http'
+    TLS_SERVICES = "keystone,glance,glance,horizon,nova,neutron,cinder,heat"
+    if ((VARIABLES['security']['tls']['enabled'] and
+         service.split('-')[0] in TLS_SERVICES.split(','))):
+        scheme = 'https'
    if external:
        if not port:
            raise RuntimeError('Port config is required for external address')
@ -489,11 +503,18 @@ def run_probe(probe):
    if probe["type"] == "exec":
        run_cmd(probe["command"])
    elif probe["type"] == "httpGet":
-        url = "http://{}:{}{}".format(
+        scheme = 'http'
+        verify = True
+        if VARIABLES['security']['tls']['enabled']:
+            scheme = 'https'
+            # disable SSL check for probe request
+            verify = False
+        url = "{}://{}:{}{}".format(
+            scheme,
            VARIABLES["network_topology"]["private"]["address"],
            probe["port"],
            probe.get("path", "/"))
-        resp = requests.get(url)
+        resp = requests.get(url, verify=verify)
        resp.raise_for_status()