Boto does not, by default, validate https certificates on endpoints. We
now provide a way to specify it in the heat configuration alongside
is_secure. Heat deployers may also need to turn this off if boto ever
does make it default and they want to use self-signed certs.
Fixes bug #1130345
Change-Id: I09b684dd28a8a57c6ce514d1df1e699e7c8b182e
# to be configured correctly to support ssl connections
instance_connection_is_secure = 0
+# If is_secure is set to 1, certificate validation can
+# be enabled or disabled
+instance_connection_https_validate_certificates = 1
+
# URL for instances to connect for metadata
# ie the IP of the bridge device connecting the
# instances with the host and the bind_port of
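Review bot: The added comment says validation "can be enabled or disabled" but not which value does which, nor what a deployer gives up by disabling it. Something like `# Set to 1 to verify the cfn/cw API server certificate, or to 0 to skip verification (e.g. self-signed certs); with 0 the instance cannot tell the real API endpoint from an impostor` would let the choice be made knowingly.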
cfg.StrOpt('instance_connection_is_secure',
default="0",
help='Instance connection to cfn/cw API via https'),
+ cfg.StrOpt('instance_connection_https_validate_certificates',
+ default="1",
+ help='Instance connection to cfn/cw API validate certs if ssl'),
cfg.StrOpt('heat_stack_user_role',
default="heat_stack_user",
help='Keystone role for heat template-defined users')]
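Review bot: `instance_connection_https_validate_certificates` is declared as a free-form `cfg.StrOpt`, so a value such as `true`, `yes` or an empty string is accepted at load time and handed on unchanged, with no error if it does not mean what the deployer intended. For a setting that decides whether TLS certificates are checked, rejecting unknown values is safer than guessing; either declare it with `cfg.BoolOpt` or check for `"0"`/`"1"` where the value is consumed. The help text should also name the accepted values, e.g. `help='Validate the cfn/cw API server certificate when https is used ("1" to validate, "0" to skip)'`. The option list this hunk edits starts outside the hunk.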
cfn_url = urlparse(cfg.CONF.heat_metadata_server_url)
cw_url = urlparse(cfg.CONF.heat_watch_server_url)
is_secure = cfg.CONF.instance_connection_is_secure
+ vcerts = cfg.CONF.instance_connection_https_validate_certificates
boto_cfg = "\n".join(["[Boto]",
"debug = 0",
"is_secure = %s" % is_secure,
+ "https_validate_certificates = %s" % vcerts,
"cfn_region_name = heat",
"cfn_region_endpoint = %s" %
cfn_url.hostname,
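Review bot: The setting is written into the boto config as the raw string `1`, and it is worth confirming that boto reads that as true. As far as I recall, boto's `Config.getbool` treats only the literal `true` (case-insensitive) as true, in which case `https_validate_certificates = 1` would leave validation off while the heat configuration says it is on. `is_secure = 0` would not expose this, because any non-`true` value already reads as false. If that is confirmed, translate the value when building the file, e.g. `"https_validate_certificates = %s" % ("True" if vcerts == "1" else "False"),`, and add a test that asserts the rendered boto config. The enclosing function starts and ends outside this hunk.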