From 8b7fc595e7b636b07b54fd9be07f9da9bb6e52d2 Mon Sep 17 00:00:00 2001 From: Jesse Pretorius Date: Fri, 12 May 2017 11:00:58 +0100 Subject: [PATCH] Support no validation of internal SSL endpoints If self-signed certificates are used for internal endpoints the current implementation will fail as there is no option to turn off the certificate validation. This patch implements a new variable to do so. Change-Id: I64a80716a8636ab978071e9e6c7aaa19962547ec --- defaults/main.yml | 3 +++ ...cure-cinder-endpoint-5cbbb4d8c647d521.yaml | 11 ++++++++++ tasks/cinder_backends.yml | 21 ++++++++++++------- tasks/cinder_qos.yml | 6 ++++++ 4 files changed, 34 insertions(+), 7 deletions(-) create mode 100644 releasenotes/notes/support-insecure-cinder-endpoint-5cbbb4d8c647d521.yaml diff --git a/defaults/main.yml b/defaults/main.yml index cb72f4c6..40122835 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -91,6 +91,9 @@ cinder_enable_v1_api: true cinder_enable_v2_api: true cinder_enable_v3_api: true +## Cinder API check cert validation +cinder_service_internaluri_insecure: false + ## Cinder api service type and data cinder_service_name: cinder cinder_service_project_domain_id: default diff --git a/releasenotes/notes/support-insecure-cinder-endpoint-5cbbb4d8c647d521.yaml b/releasenotes/notes/support-insecure-cinder-endpoint-5cbbb4d8c647d521.yaml new file mode 100644 index 00000000..50e1d87c --- /dev/null +++ b/releasenotes/notes/support-insecure-cinder-endpoint-5cbbb4d8c647d521.yaml @@ -0,0 +1,11 @@ +--- +features: + - | + The ability to disable the certificate validation when checking + and interacting with the internal cinder endpoint has been + implemented. In order to do so, set the following in + ``/etc/openstack_deploy/user_variables.yml``. + + .. code-block:: yaml + + cinder_service_internaluri_insecure: yes diff --git a/tasks/cinder_backends.yml b/tasks/cinder_backends.yml index a0088fd2..2551b9db 100644 --- a/tasks/cinder_backends.yml +++ b/tasks/cinder_backends.yml 
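Review bot: The comment `## Cinder API check cert validation` on the new default does not say what the value means or which direction is the insecure one, and a misread here silently turns off TLS validation, so it should state the semantics, e.g. `## Set to true to skip TLS certificate validation of the internal cinder endpoint (e.g. self-signed certificates); false validates the certificate.` The default of `false` is the right one. The release note example in this commit sets the variable to `yes`; `true` would match the default's style and avoid YAML 1.1 truthy ambiguity.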
@@ -17,8 +17,9 @@ uri: url: "{{ cinder_service_internaluri }}" status_code: 200,300 + validate_certs: "{{ cinder_service_internaluri_insecure | bool }}" register: api_status - until: api_status |success + until: api_status | success retries: 10 delay: 10 
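Review bot: The new `validate_certs` line is inverted: `validate_certs: "{{ cinder_service_internaluri_insecure | bool }}"` evaluates to `false` with the default `cinder_service_internaluri_insecure: false`, so the API check stops validating certificates by default and only validates them when the operator asks for insecure mode. It should negate the flag, `validate_certs: "{{ not (cinder_service_internaluri_insecure | bool) }}"`. The enclosing `uri` task starts above this hunk, so its other parameters are not visible here.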
@@ -30,22 +31,28 @@ - name: Add in cinder devices types shell: | . {{ ansible_env.HOME }}/openrc - if ! {{ cinder_bin }}/cinder {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }} type-list | grep " {{ item.key }} "; then - {{ cinder_bin }}/cinder {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }} type-create "{{ item.key }}" - {{ cinder_bin }}/cinder {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }} type-key "{{ item.key }}" set volume_backend_name="{{ item.value.volume_backend_name }}" + CLI_OPTIONS="{{ ((keystone_service_adminuri_insecure | bool) or (cinder_service_internaluri_insecure | bool)) | ternary('--insecure','') }}" + if ! {{ cinder_bin }}/cinder ${CLI_OPTIONS} type-list | grep " {{ item.key }} "; then + {{ cinder_bin }}/cinder ${CLI_OPTIONS} type-create "{{ item.key }}" + {{ cinder_bin }}/cinder ${CLI_OPTIONS} type-key "{{ item.key }}" set volume_backend_name="{{ item.value.volume_backend_name }}" fi + args: + executable: /bin/bash with_dict: "{{ _cinder_backends|default({}) }}" changed_when: false - name: Add extra cinder volume types shell: | . {{ ansible_env.HOME }}/openrc + CLI_OPTIONS="{{ ((keystone_service_adminuri_insecure | bool) or (cinder_service_internaluri_insecure | bool)) | ternary('--insecure','') }}" {% for evtype in item.value.extra_volume_types %} - if ! {{ cinder_bin }}/cinder {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }} type-list | grep " {{ evtype }} "; then - {{ cinder_bin }}/cinder {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }} type-create "{{ evtype }}" - {{ cinder_bin }}/cinder {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }} type-key "{{ evtype }}" set volume_backend_name="{{ item.value.volume_backend_name }}" + if ! 
{{ cinder_bin }}/cinder ${CLI_OPTIONS} type-list | grep " {{ evtype }} "; then + {{ cinder_bin }}/cinder ${CLI_OPTIONS} type-create "{{ evtype }}" + {{ cinder_bin }}/cinder ${CLI_OPTIONS} type-key "{{ evtype }}" set volume_backend_name="{{ item.value.volume_backend_name }}" fi {% endfor %} + args: + executable: /bin/bash with_dict: "{{ _cinder_backends|default({}) }}" when: item.value.extra_volume_types is defined diff --git a/tasks/cinder_qos.yml b/tasks/cinder_qos.yml index 2d3d31d0..1a4580fb 100644 --- a/tasks/cinder_qos.yml +++ b/tasks/cinder_qos.yml @@ -16,9 +16,12 @@ - name: Add in cinder qos types shell: | . {{ ansible_env.HOME }}/openrc + CLI_OPTIONS="{{ ((keystone_service_adminuri_insecure | bool) or (cinder_service_internaluri_insecure | bool)) | ternary('--insecure','') }}" {{ cinder_bin }}/cinder qos-list | grep {{ item.name }} || \ {{ cinder_bin }}/cinder qos-create {{ item.name }}\ {% for k,v in item.options.iteritems() %} {{ k }}={{ v }}{% endfor %} + args: + executable: /bin/bash with_items: "{{ cinder_qos_specs }}" changed_when: false tags: @@ -27,11 +30,14 @@ - name: Associate qos types to volume types shell: | . {{ ansible_env.HOME }}/openrc + CLI_OPTIONS="{{ ((keystone_service_adminuri_insecure | bool) or (cinder_service_internaluri_insecure | bool)) | ternary('--insecure','') }}" {% for vtype in item.cinder_volume_types %} {{ cinder_bin }}/cinder qos-associate \ $({{ cinder_bin }}/cinder qos-list | grep {{ item.name }} | grep -oE "{{ _UUID_regex }}") \ $({{ cinder_bin }}/cinder type-list | grep {{ vtype }} | grep -oE "{{ _UUID_regex }}") {% endfor %} + args: + executable: /bin/bash with_items: "{{ cinder_qos_specs }}" when: - item.cinder_volume_types is defined
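Review bot: The Jinja expression assigned to `CLI_OPTIONS`, `((keystone_service_adminuri_insecure | bool) or (cinder_service_internaluri_insecure | bool)) | ternary('--insecure','')`, is pasted verbatim into both tasks of this hunk and into the two tasks in tasks/cinder_qos.yml, so the decision of when to pass `--insecure` now lives in four places. Computing it once as a role variable (a constructed name such as `_cinder_cli_insecure_opt`) and writing `CLI_OPTIONS="{{ _cinder_cli_insecure_opt }}"` in each shell block would keep the four tasks in step when the condition changes. OR-ing in the keystone admin flag also means an insecure keystone admin URI disables certificate validation for the cinder CLI as a whole; that is inherited from the removed lines, but a one-line comment on the variable saying so would help the next reader.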
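Review bot: `CLI_OPTIONS` is assigned at the top of the `Add in cinder qos types` shell block but never referenced, so the `qos-list` and `qos-create` invocations still run without `--insecure` and the new variable has no effect on this task; the same applies to the `Associate qos types to volume types` hunk below, where `qos-associate`, `qos-list` and `type-list` are likewise called without it. The commands should include it, e.g. `{{ cinder_bin }}/cinder ${CLI_OPTIONS} qos-list | grep {{ item.name }} || \` and `{{ cinder_bin }}/cinder ${CLI_OPTIONS} qos-create {{ item.name }}\`, and the same for the three calls in the associate task. The `tags` list of the first task continues past the end of its hunk.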