From b118662e7c4a151575d988452cda4f3a4903a524 Mon Sep 17 00:00:00 2001 From: "jose.lausuch" Date: Fri, 18 Mar 2016 12:25:33 +0100 Subject: Fix support for CACERT and set OS_INSECURE=true JIRA: FUNCTEST-145 Change-Id: If8fce037117d7c7d16d08a558d0675cbfe5f9836 Signed-off-by: jose.lausuch --- docker/prepare_env.sh | 15 ++++++++++++--- docs/configguide/configguide.rst | 16 ++++++++++++---- testcases/functest_utils.py | 13 ++++++++----- 3 files changed, 32 insertions(+), 12 deletions(-) diff --git a/docker/prepare_env.sh b/docker/prepare_env.sh index 542df0e72..58fa514ec 100755 --- a/docker/prepare_env.sh +++ b/docker/prepare_env.sh @@ -210,8 +210,10 @@ mkdir -p ${FUNCTEST_RESULTS_DIR}/ODL # Create Openstack credentials file -if [ ! -f ${FUNCTEST_CONF_DIR}/openstack.creds ]; then - ${REPOS_DIR}/releng/utils/fetch_os_creds.sh -d ${FUNCTEST_CONF_DIR}/openstack.creds \ +# $creds is an env varialbe in the docker container pointing to +# /home/opnfv/functest/conf/openstack.creds +if [ ! -f ${creds} ]; then + ${REPOS_DIR}/releng/utils/fetch_os_creds.sh -d ${creds} \ -i ${INSTALLER_TYPE} -a ${INSTALLER_IP} retval=$? if [ $retval != 0 ]; then @@ -221,8 +223,15 @@ if [ ! -f ${FUNCTEST_CONF_DIR}/openstack.creds ]; then else info "OpenStack credentials file given to the docker and stored in ${FUNCTEST_CONF_DIR}/openstack.creds." fi + +# If we use SSL, by default use option OS_INSECURE=true which means that +# the cacert will be self-signed +if grep -Fq "OS_CACERT" ${creds}; then + echo "OS_INSECURE=true">>${creds}; +fi + # Source credentials -source ${FUNCTEST_CONF_DIR}/openstack.creds +source ${creds} # Check OpenStack info "Checking that the basic OpenStack services are functional..." diff --git a/docs/configguide/configguide.rst b/docs/configguide/configguide.rst index b7a25c7d5..120951c4d 100644 --- a/docs/configguide/configguide.rst +++ b/docs/configguide/configguide.rst 
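Review bot: `${creds}` is used unquoted and with no fallback in `if [ ! -f ${creds} ]` and in `-d ${creds}`. If the variable is unset in the container, the test collapses to `[ ! -f ]`, which is false, so the fetch is skipped and the later `source ${creds}` has no file to read. The added comment says the variable points to /home/opnfv/functest/conf/openstack.creds, but nothing in the hunk enforces that. Setting a default before the test, `creds="${creds:-${FUNCTEST_CONF_DIR}/openstack.creds}"`, and quoting it as `[ ! -f "${creds}" ]` would keep the previous behaviour when the variable is missing. The `if` block closes in the next hunk, where the `info` message still prints `${FUNCTEST_CONF_DIR}/openstack.creds` rather than the file actually used.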
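Review bot: The added `grep -Fq "OS_CACERT"` block turns certificate verification off in exactly the case where a CA bundle was supplied to perform it, so a deployment with a valid private CA silently loses server authentication. The block sits after the `fi`, so it runs on every invocation and appends a duplicate line each time when the creds file is persisted or mounted. The line is written without `export`, so child processes may not see it if the fetched file relies on `export` statements; that file's format is not visible here. Making it opt-in and idempotent would address all three, for example `if [ "${OS_INSECURE:-}" = "true" ] && ! grep -Fq "OS_INSECURE" "${creds}"; then echo "export OS_INSECURE=true" >> "${creds}"; fi`. An `info` line stating that verification is disabled would make the weakened setting visible in the logs.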
@@ -234,10 +234,10 @@ environment variable. Check the deployment settings. SSL Support ----------- -If the OpenStack deployment is defined to use HTTPS endpoints, a certificate -will be needed in the container in order to launch any command. - -The OS variable will point to that file. For example:: +If you need to connect to a server that is TLS-enabled (the auth URL begins with ‘https’) +and it uses a certificate from a private CA or a self-signed certificate you will +need to specify the path to an appropriate CA certificate to use to validate the +server certificate with the environment variable OS_CACERT:: echo $OS_CACERT /etc/ssl/certs/ca.crt @@ -252,7 +252,15 @@ be copied manually from the OpenStack deployment. This can be done in 2 ways: -v :/etc/ssl/certs/ca.cert +You might need to export OS_CACERT environment variable inside the container:: + + export OS_CACERT=/etc/ssl/certs/ca.crt + + +Certificate verification can be turned off using OS_INSECURE=true. +For example, Fuel uses self-signed cacerts by default, so an pre step would be:: + export OS_INSECURE=true Additional Options diff --git a/testcases/functest_utils.py b/testcases/functest_utils.py index 9a8e602ac..9534cf49b 100644 --- a/testcases/functest_utils.py +++ b/testcases/functest_utils.py 
@@ -67,12 +67,15 @@ def get_credentials(service): "http://192.168.20.71:5000/v2.0"), tenant: os.environ.get("OS_TENANT_NAME", "admin"), }) - ssl = os.environ.get("OS_CACERT") - if ssl != None: - creds.update({"ca_cert":ssl}) - if not os.path.isfile(ssl): + cacert = os.environ.get("OS_CACERT") + if cacert != None: + # each openstack client uses differnt kwargs for this + creds.update({"cacert":cacert,"ca_cert":cacert,"https_ca_cert":cacert, \ + "https_cacert":cacert,"ca_file":cacert}) + creds.update({"insecure":"True","https_insecure":"True"}) + if not os.path.isfile(cacert): print "WARNING: The 'OS_CACERT' environment variable is set to %s "\ - "but the file does not exist." % ssl + "but the file does not exist." % cacert return creds -- cgit 1.2.3-korg
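Review bot: `creds.update({"insecure":"True","https_insecure":"True"})` runs whenever `OS_CACERT` is set, so every client built from these credentials skips certificate verification even though a CA file was provided. The `OS_INSECURE` variable that this commit documents is never read here. Gating on the environment keeps verification on by default: `if os.environ.get("OS_INSECURE", "").lower() == "true": creds.update({"insecure":"True","https_insecure":"True"})`. The values are the string `"True"` rather than a boolean, so it is worth confirming how each client interprets them. When the file is missing, the code only prints a warning after the keys are already set, so a wrong path combined with the insecure flags still yields an unverified connection; get_credentials starts above this hunk.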