Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / heat / bd21eb4dfc97e1b53fbb32b777d924d07917b177^! / .
commitbd21eb4dfc97e1b53fbb32b777d924d07917b177[log] [tgz]
authorPavlo Shchelokovskyy <shchelokovskyy@gmail.com>Mon Jun 25 18:44:03 2018 +0300
committerPavlo Shchelokovskyy <shchelokovskyy@gmail.com>Tue Jun 26 11:39:32 2018 +0300
treef788c116bbb94c914291ad75d47a66cf6df5dc98
parentfcb536c07eac7bef3c6918b22de71fc02ca03008 [diff]
Allow to configure insecure in clients_heat section

Exaclty this value is also defining whether standard usage of
OS::Heat::WaitConditionHandle form inside the instance's user data
will verify Heat server certificates.

Setting this to 'True' will make it possible to use WaitCondition
resources when Heat API is using self-signed certificates which can not
be validated by default CA bundles baked into cloud images.
However this will also have a side-effect of OS::Heat::Stack resource
not validating the certificate of the remote Heat service (e.g. in
another region).

Change-Id: I4667ae6f7e26704c98480362f14fe74e23905fc3

diff --git a/heat/files/ocata/heat.conf.Debian b/heat/files/ocata/heat.conf.Debian
index 74f8fbf..d949481 100644
--- a/heat/files/ocata/heat.conf.Debian
+++ b/heat/files/ocata/heat.conf.Debian

@@ -1327,6 +1327,12 @@
 [clients_heat]
 endpoint_type = {{ server.identity.get('endpoint_type_heat',
                                        server.identity.get('endpoint_type_default', 'publicURL')) }}
+{%- if server.clients is defined %}
+{%- if server.clients.heat is defined %}
+insecure = {{ server.clients.heat.get('insecure', False) }}
+{%- endif %}
+{%- endif %}
+
 [clients_keystone]
 {%- if server.clients is defined %}
 {%- if server.clients.keystone is defined %}

diff --git a/heat/files/pike/heat.conf.Debian b/heat/files/pike/heat.conf.Debian
index 8132afa..d69231f 100644
--- a/heat/files/pike/heat.conf.Debian
+++ b/heat/files/pike/heat.conf.Debian

@@ -1327,6 +1327,12 @@
 [clients_heat]
 endpoint_type = {{ server.identity.get('endpoint_type_heat',
                                        server.identity.get('endpoint_type_default', 'publicURL')) }}
+{%- if server.clients is defined %}
+{%- if server.clients.heat is defined %}
+insecure = {{ server.clients.heat.get('insecure', False) }}
+{%- endif %}
+{%- endif %}
+
 [clients_keystone]
 {%- if server.clients is defined %}
 {%- if server.clients.keystone is defined %}

diff --git a/heat/files/queens/heat.conf.Debian b/heat/files/queens/heat.conf.Debian
index aec1427..8051e79 100644
--- a/heat/files/queens/heat.conf.Debian
+++ b/heat/files/queens/heat.conf.Debian

@@ -524,8 +524,11 @@
 # Optional PEM-formatted file that contains the private key. (string value)
 #key_file = <None>
 
-# If set, then the server's certificate will not be verified. (boolean value)
-#insecure = <None>
+{%- if server.clients is defined %}
+{%- if server.clients.heat is defined %}
+insecure = {{ server.clients.heat.get('insecure', False) }}
+{%- endif %}
+{%- endif %}
 
 # Optional heat url in format like http://0.0.0.0:8004/v1/%(tenant_id)s.
 # (string value)