From: Clint Byrum Date: Tue, 19 Feb 2013 20:21:07 +0000 (-0800) Subject: Add config for boto https_validate_certificates X-Git-Tag: 2014.1~882^2 X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=14358bb9e1bdeb2a1deb3311cd0232ba41f69685;p=openstack-build%2Fheat-build.git Add config for boto https_validate_certificates Boto does not, by default, validate https ceritificates on endpoints. We now provide a way to specify it in the heat configuration along side is_secure. Heat deployers may also need to turn this off if boto ever does make it default and they want to use self signed certs. Fixes bug #1130345 Change-Id: I09b684dd28a8a57c6ce514d1df1e699e7c8b182e --- diff --git a/etc/heat/heat-engine.conf b/etc/heat/heat-engine.conf index 8d97de5c..cc10966c 100644 --- a/etc/heat/heat-engine.conf +++ b/etc/heat/heat-engine.conf @@ -19,6 +19,10 @@ heat_stack_user_role = heat_stack_user # to be configured correctly to support ssl connections instance_connection_is_secure = 0 +# If is_secure is set to 1, certificate validation can +# be enabled or disabled +instance_connection_https_validate_certificates = 1 + # URL for instances to connect for metadata # ie the IP of the bridge device connecting the # instances with the host and the bind_port of diff --git a/heat/common/config.py b/heat/common/config.py index cc054fe0..2618eb91 100644 --- a/heat/common/config.py +++ b/heat/common/config.py @@ -79,6 +79,9 @@ service_opts = [ cfg.StrOpt('instance_connection_is_secure', default="0", help='Instance connection to cfn/cw API via https'), + cfg.StrOpt('instance_connection_https_validate_certificates', + default="1", + help='Instance connection to cfn/cw API validate certs if ssl'), cfg.StrOpt('heat_stack_user_role', default="heat_stack_user", help='Keystone role for heat template-defined users')] diff --git a/heat/engine/resources/instance.py b/heat/engine/resources/instance.py index 1b626bcb..f5c1b9fa 100644 --- a/heat/engine/resources/instance.py 
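Review bot: The comment added above `instance_connection_https_validate_certificates = 1` in heat-engine.conf does not tell a deployer what is lost by setting it to 0, and it refers to `is_secure` although the option in this file is named `instance_connection_is_secure`. I would name the option in full and add something like `# Set to 0 only for endpoints using self-signed certificates; with validation` / `# off, instances cannot verify the identity of the cfn/cw API they connect to.` so the insecure value is not chosen by accident. It is also worth stating that the setting has no effect while `instance_connection_is_secure = 0`.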
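Review bot: `instance_connection_https_validate_certificates` is declared in config.py as a `cfg.StrOpt` with default `"1"`, so any string an operator writes is accepted unchecked, and the instance.py hunk interpolates it verbatim into the generated `[Boto]` section. If I remember boto's boolean parsing correctly it treats only the literal `true` as enabled, in which case `1` would be read as validation off; please confirm this against the boto version used on the instances. Declaring the option as `cfg.BoolOpt('instance_connection_https_validate_certificates', default=True, help=...)` and writing the resulting value would reject a mistyped setting at startup rather than silently passing it through. The sample value in heat-engine.conf follows the same string pattern, and the `service_opts` list begins outside this hunk.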
+++ b/heat/engine/resources/instance.py @@ -195,9 +195,11 @@ class Instance(resource.Resource): cfn_url = urlparse(cfg.CONF.heat_metadata_server_url) cw_url = urlparse(cfg.CONF.heat_watch_server_url) is_secure = cfg.CONF.instance_connection_is_secure + vcerts = cfg.CONF.instance_connection_https_validate_certificates boto_cfg = "\n".join(["[Boto]", "debug = 0", "is_secure = %s" % is_secure, + "https_validate_certificates = %s" % vcerts, "cfn_region_name = heat", "cfn_region_endpoint = %s" % cfn_url.hostname,