Parametrize OPENSTACK_SSL_NO_VERIFY configuration option
Issue: PROD-20715
Change-Id: Ic7153af27c549dddbcaec22028f9d843069df8d8
diff --git a/README.rst b/README.rst
index 1f90438..71fa431 100644
--- a/README.rst
+++ b/README.rst
@@ -105,7 +105,9 @@
secure: True
-Horizon package setup with SSL
+Horizon package setup with SSL.
+
+Important: for the sake of backwards compatibility `ssl_no_verify` attribute defaults to True when horizon:server:identity:encryption is set to 'ssl'.
.. code-block:: yaml
@@ -114,6 +116,7 @@
enabled: true
secret_key: MEGASECRET
version: juno
+ ssl_no_verify: false
ssl:
enabled: true
authority: CA_Authority
diff --git a/horizon/files/horizon_settings/_keystone_settings.py b/horizon/files/horizon_settings/_keystone_settings.py
index 299cef8..c31f721 100644
--- a/horizon/files/horizon_settings/_keystone_settings.py
+++ b/horizon/files/horizon_settings/_keystone_settings.py
@@ -55,8 +55,15 @@
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "Member"
# Disable SSL certificate checks (useful for self-signed certificates):
+{#- NO_VERIFY is set to True if identity.encryption == 'ssl', unless explicitly set in the pillar for the sake of backwards compatibility #}
{%- if app.identity.encryption == 'ssl' %}
-OPENSTACK_SSL_NO_VERIFY = True
+{%- set _no_verify = True %}
+{%- endif %}
+{%- if app.ssl_no_verify is defined %}
+{%- set _no_verify = app.ssl_no_verify %}
+{%- endif %}
+{%- if _no_verify is defined %}
+OPENSTACK_SSL_NO_VERIFY = {{ _no_verify }}
{%- endif %}
# The CA certificate to use to verify SSL connections
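Review bot: The pillar value is written into the settings file unnormalised at `OPENSTACK_SSL_NO_VERIFY = {{ _no_verify }}`, so anything other than a YAML boolean is emitted as raw Python source. A quoted string such as "false" renders as the bare name `false`, and the settings module then fails to import. Rendering it fail-closed keeps certificate verification on unless the pillar is exactly boolean true: `OPENSTACK_SSL_NO_VERIFY = {{ 'True' if _no_verify is sameas true else 'False' }}`. With the key unset and `identity.encryption == 'ssl'`, verification is still disabled by default, and the `{#- ... #}` explanation is dropped from the rendered file. A Python comment next to the setting would help, for example `# True skips TLS certificate validation; set ssl_no_verify: false in the pillar once the endpoint certificate chains to the configured CA`.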
diff --git a/tests/pillar/cluster.sls b/tests/pillar/cluster.sls
index 83c34ca..3e43ab8 100644
--- a/tests/pillar/cluster.sls
+++ b/tests/pillar/cluster.sls
@@ -4,6 +4,7 @@
version: liberty
secret_key: secret
session_timeout: 43200
+ ssl_no_verify: false
wsgi:
processes: 3
threads: 10
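Review bot: Both test pillars (this one and tests/pillar/single.sls) pin `ssl_no_verify: false`, so the tests visible here never render the backwards-compatible branch, where the key is absent and `identity.encryption == 'ssl'` yields `OPENSTACK_SSL_NO_VERIFY = True`. Leaving the key out of one of the two pillars would cover the default path as well as the explicit one. Whether either pillar sets `identity.encryption` to 'ssl' is not visible in these hunks.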
diff --git a/tests/pillar/single.sls b/tests/pillar/single.sls
index 5b8f20b..a364e2e 100644
--- a/tests/pillar/single.sls
+++ b/tests/pillar/single.sls
@@ -4,6 +4,7 @@
version: liberty
secret_key: secret
session_timeout: 43200
+ ssl_no_verify: false
bind:
address: 127.0.0.1
port: 80