Support no validation of internal SSL endpoints

If self-signed certificates are used for internal endpoints
the current implementation will fail as there is no option
to turn off the certificate validation.

This patch implements a new variable to do so.

Change-Id: I64a80716a8636ab978071e9e6c7aaa19962547ec
Jesse Pretorius 2017-05-12 11:00:58 +01:00 committed by Jesse Pretorius (odyssey4me)
parent 918331e28f
commit 8b7fc595e7
4 changed files with 34 additions and 7 deletions


@ -91,6 +91,9 @@ cinder_enable_v1_api: true
cinder_enable_v2_api: true cinder_enable_v2_api: true
cinder_enable_v3_api: true cinder_enable_v3_api: true
## Cinder API check cert validation
cinder_service_internaluri_insecure: false
## Cinder api service type and data ## Cinder api service type and data
cinder_service_name: cinder cinder_service_name: cinder
cinder_service_project_domain_id: default cinder_service_project_domain_id: default
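Review bot: The comment `## Cinder API check cert validation` above `cinder_service_internaluri_insecure: false` does not say which value turns validation off. Because the variable is named negatively, it is easy to wire it the wrong way round in a task. I would spell out the meaning and the secure default, for example `## Set to true to skip TLS certificate validation of the internal cinder endpoint (e.g. self-signed certificates); false keeps validation on`.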


@ -0,0 +1,11 @@
---
features:
- |
The ability to disable the certificate validation when checking
and interacting with the internal cinder endpoint has been
implemented. In order to do so, set the following in
``/etc/openstack_deploy/user_variables.yml``.
.. code-block:: yaml
cinder_service_internaluri_insecure: yes


@ -17,6 +17,7 @@
uri: uri:
url: "{{ cinder_service_internaluri }}" url: "{{ cinder_service_internaluri }}"
status_code: 200,300 status_code: 200,300
validate_certs: "{{ cinder_service_internaluri_insecure | bool }}"
register: api_status register: api_status
until: api_status | success until: api_status | success
retries: 10 retries: 10
@ -30,22 +31,28 @@
- name: Add in cinder devices types - name: Add in cinder devices types
shell: | shell: |
. {{ ansible_env.HOME }}/openrc . {{ ansible_env.HOME }}/openrc
if ! {{ cinder_bin }}/cinder {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }} type-list | grep " {{ item.key }} "; then CLI_OPTIONS="{{ ((keystone_service_adminuri_insecure | bool) or (cinder_service_internaluri_insecure | bool)) | ternary('--insecure','') }}"
{{ cinder_bin }}/cinder {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }} type-create "{{ item.key }}" if ! {{ cinder_bin }}/cinder ${CLI_OPTIONS} type-list | grep " {{ item.key }} "; then
{{ cinder_bin }}/cinder {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }} type-key "{{ item.key }}" set volume_backend_name="{{ item.value.volume_backend_name }}" {{ cinder_bin }}/cinder ${CLI_OPTIONS} type-create "{{ item.key }}"
{{ cinder_bin }}/cinder ${CLI_OPTIONS} type-key "{{ item.key }}" set volume_backend_name="{{ item.value.volume_backend_name }}"
fi fi
args:
executable: /bin/bash
with_dict: "{{ _cinder_backends|default({}) }}" with_dict: "{{ _cinder_backends|default({}) }}"
changed_when: false changed_when: false
- name: Add extra cinder volume types - name: Add extra cinder volume types
shell: | shell: |
. {{ ansible_env.HOME }}/openrc . {{ ansible_env.HOME }}/openrc
CLI_OPTIONS="{{ ((keystone_service_adminuri_insecure | bool) or (cinder_service_internaluri_insecure | bool)) | ternary('--insecure','') }}"
{% for evtype in item.value.extra_volume_types %} {% for evtype in item.value.extra_volume_types %}
if ! {{ cinder_bin }}/cinder {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }} type-list | grep " {{ evtype }} "; then if ! {{ cinder_bin }}/cinder ${CLI_OPTIONS} type-list | grep " {{ evtype }} "; then
{{ cinder_bin }}/cinder {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }} type-create "{{ evtype }}" {{ cinder_bin }}/cinder ${CLI_OPTIONS} type-create "{{ evtype }}"
{{ cinder_bin }}/cinder {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }} type-key "{{ evtype }}" set volume_backend_name="{{ item.value.volume_backend_name }}" {{ cinder_bin }}/cinder ${CLI_OPTIONS} type-key "{{ evtype }}" set volume_backend_name="{{ item.value.volume_backend_name }}"
fi fi
{% endfor %} {% endfor %}
args:
executable: /bin/bash
with_dict: "{{ _cinder_backends|default({}) }}" with_dict: "{{ _cinder_backends|default({}) }}"
when: item.value.extra_volume_types is defined when: item.value.extra_volume_types is defined
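Review bot: The added `validate_certs: "{{ cinder_service_internaluri_insecure | bool }}"` in the first hunk's uri check is inverted. With the default `cinder_service_internaluri_insecure: false` it renders `validate_certs: false`, so certificate validation is off by default and only switched on when the operator asks for insecure mode. It should be negated: `validate_certs: "{{ not (cinder_service_internaluri_insecure | bool) }}"`. The uri task begins outside the hunk, so its name and any conditions are not visible here. In the second hunk, `CLI_OPTIONS` adds `--insecure` when either the keystone or the cinder flag is set, which deserves a one-line comment because the keystone flag alone then disables verification for cinder calls.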


@ -16,9 +16,12 @@
- name: Add in cinder qos types - name: Add in cinder qos types
shell: | shell: |
. {{ ansible_env.HOME }}/openrc . {{ ansible_env.HOME }}/openrc
CLI_OPTIONS="{{ ((keystone_service_adminuri_insecure | bool) or (cinder_service_internaluri_insecure | bool)) | ternary('--insecure','') }}"
{{ cinder_bin }}/cinder qos-list | grep {{ item.name }} || \ {{ cinder_bin }}/cinder qos-list | grep {{ item.name }} || \
{{ cinder_bin }}/cinder qos-create {{ item.name }}\ {{ cinder_bin }}/cinder qos-create {{ item.name }}\
{% for k,v in item.options.iteritems() %} {{ k }}={{ v }}{% endfor %} {% for k,v in item.options.iteritems() %} {{ k }}={{ v }}{% endfor %}
args:
executable: /bin/bash
with_items: "{{ cinder_qos_specs }}" with_items: "{{ cinder_qos_specs }}"
changed_when: false changed_when: false
tags: tags:
@ -27,11 +30,14 @@
- name: Associate qos types to volume types - name: Associate qos types to volume types
shell: | shell: |
. {{ ansible_env.HOME }}/openrc . {{ ansible_env.HOME }}/openrc
CLI_OPTIONS="{{ ((keystone_service_adminuri_insecure | bool) or (cinder_service_internaluri_insecure | bool)) | ternary('--insecure','') }}"
{% for vtype in item.cinder_volume_types %} {% for vtype in item.cinder_volume_types %}
{{ cinder_bin }}/cinder qos-associate \ {{ cinder_bin }}/cinder qos-associate \
$({{ cinder_bin }}/cinder qos-list | grep {{ item.name }} | grep -oE "{{ _UUID_regex }}") \ $({{ cinder_bin }}/cinder qos-list | grep {{ item.name }} | grep -oE "{{ _UUID_regex }}") \
$({{ cinder_bin }}/cinder type-list | grep {{ vtype }} | grep -oE "{{ _UUID_regex }}") $({{ cinder_bin }}/cinder type-list | grep {{ vtype }} | grep -oE "{{ _UUID_regex }}")
{% endfor %} {% endfor %}
args:
executable: /bin/bash
with_items: "{{ cinder_qos_specs }}" with_items: "{{ cinder_qos_specs }}"
when: when:
- item.cinder_volume_types is defined - item.cinder_volume_types is defined
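Review bot: `CLI_OPTIONS` is assigned in both qos tasks, but none of the `cinder qos-list`, `qos-create`, `qos-associate` or `type-list` calls reference it. As written, `--insecure` is never passed in this file, so these tasks would still fail against a self-signed internal endpoint, and the new variable has no effect here. Each invocation needs the variable, e.g. `{{ cinder_bin }}/cinder ${CLI_OPTIONS} qos-list | grep {{ item.name }} || \`. Separately, `grep {{ item.name }}` is unquoted and unanchored, unlike the `grep " {{ item.key }} "` form used for volume types, so a qos name that is a substring of another may match the wrong row.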