Add base support for SSL for Openstack services

- Signature of "address" fucntion was changed to use "tls" paramater, which forces to use 'https' scheme for returned url if 'tls' is enabled. - Updated function for generation Environment, which will be used by openstackclient. Now 'https' scheme will be used if 'tls' is enabled. Also was added new variable for storing path for file with CA certificate. This file will be generated in /tmp for each new container by using content defined in config file. It was done in such way, because opnectackclient does not setting --insecure via Environment. - Implementation of httpGet was changed to support 'https' endpoints. Now requests.get method uses 'https' scheme with verify=False, if 'tls' is enabled. Change-Id: I88bc21571589dcd4c31bb5ce5015a75676ed2d85
2017-01-26 06:39:11 +00:00 · 2017-01-26 06:39:11 +00:00 · 9dce294d25
parent ff6efca2c8
commit 9dce294d25
1 changed files with 25 additions and 5 deletions
--- a/fuel_ccp_entrypoint/start_script.py
+++ b/fuel_ccp_entrypoint/start_script.py
@ -177,8 +177,18 @@ def openstackclient_preexec_fn():
        os.environ["OS_PASSWORD"] = VARIABLES['openstack']['user_password']
        os.environ["OS_USERNAME"] = VARIABLES['openstack']['user_name']
        os.environ["OS_PROJECT_NAME"] = VARIABLES['openstack']['project_name']
-        os.environ["OS_AUTH_URL"] = 'http://%s/v3' % address(
-            'keystone', VARIABLES['keystone']['admin_port'])
+        scheme = 'http'
+        if VARIABLES['security']['tls']['enabled']:
+            scheme = 'https'
+            # Pass CA cert for using by client, because it's not possible to
+            # specify insecure via environment.
+            # (Alternative solution is to store all certs in the same place.)
+            path = '/tmp/ca.cert'
+            with open(path, 'w') as tmp_cert:
+                tmp_cert.write(VARIABLES['security']['tls']['ca_cert'])
+            os.environ["OS_CACERT"] = path
+        os.environ["OS_AUTH_URL"] = '%s://%s/v3' % (scheme, address(
+            'keystone', VARIABLES['keystone']['admin_port']))
    return result


@ -213,9 +223,12 @@ def get_ingress_host(ingress_name):
        ingress_name, VARIABLES['namespace'], VARIABLES['ingress']['domain']))


-def address(service, port=None, external=False, with_scheme=False):
+def address(service, port=None, external=False, with_scheme=False, tls=False):
    addr = None
    scheme = 'http'
+    if tls:
+        if VARIABLES['security']['tls']['enabled']:
+            scheme = 'https'
    if external:
        if not port:
            raise RuntimeError('Port config is required for external address')
@ -489,11 +502,18 @@ def run_probe(probe):
    if probe["type"] == "exec":
        run_cmd(probe["command"])
    elif probe["type"] == "httpGet":
-        url = "http://{}:{}{}".format(
+        scheme = 'http'
+        verify = True
+        if VARIABLES['security']['tls']['enabled']:
+            scheme = 'https'
+            # disable SSL check for probe request
+            verify = False
+        url = "{}://{}:{}{}".format(
+            scheme,
            VARIABLES["network_topology"]["private"]["address"],
            probe["port"],
            probe.get("path", "/"))
-        resp = requests.get(url)
+        resp = requests.get(url, verify=verify)
        resp.raise_for_status()