Fix support for CACERT and set OS_INSECURE=true

JIRA: FUNCTEST-145

Change-Id: If8fce037117d7c7d16d08a558d0675cbfe5f9836
Signed-off-by: jose.lausuch <jose.lausuch@ericsson.com>

diff --git a/docker/prepare_env.sh b/docker/prepare_env.sh
index 542df0e..58fa514 100755 (executable)
--- a/docker/prepare_env.sh
+++ b/docker/prepare_env.sh
@@ -210,8 +210,10 @@ mkdir -p ${FUNCTEST_RESULTS_DIR}/ODL
 
 
 # Create Openstack credentials file
-if [ ! -f ${FUNCTEST_CONF_DIR}/openstack.creds ]; then
-    ${REPOS_DIR}/releng/utils/fetch_os_creds.sh -d ${FUNCTEST_CONF_DIR}/openstack.creds \
+# $creds is an env varialbe in the docker container pointing to
+# /home/opnfv/functest/conf/openstack.creds
+if [ ! -f ${creds} ]; then
+    ${REPOS_DIR}/releng/utils/fetch_os_creds.sh -d ${creds} \
         -i ${INSTALLER_TYPE} -a ${INSTALLER_IP}
     retval=$?
     if [ $retval != 0 ]; then
@@ -221,8 +223,15 @@ if [ ! -f ${FUNCTEST_CONF_DIR}/openstack.creds ]; then
 else
     info "OpenStack credentials file given to the docker and stored in ${FUNCTEST_CONF_DIR}/openstack.creds."
 fi
+
+# If we use SSL, by default use option OS_INSECURE=true which means that
+# the cacert will be self-signed
+if grep -Fq "OS_CACERT" ${creds}; then
+    echo "OS_INSECURE=true">>${creds};
+fi
+
 # Source credentials
-source ${FUNCTEST_CONF_DIR}/openstack.creds
+source ${creds}
 
 # Check OpenStack
 info "Checking that the basic OpenStack services are functional..."

diff --git a/docs/configguide/configguide.rst b/docs/configguide/configguide.rst
index b7a25c7..120951c 100644 (file)
--- a/docs/configguide/configguide.rst
+++ b/docs/configguide/configguide.rst
@@ -234,10 +234,10 @@ environment variable. Check the deployment settings.
 SSL Support
 -----------
 
-If the OpenStack deployment is defined to use HTTPS endpoints, a certificate
-will be needed in the container in order to launch any command.
-
-The OS variable will point to that file. For example::
+If you need to connect to a server that is TLS-enabled (the auth URL begins with ‘https’)
+and it uses a certificate from a private CA or a self-signed certificate you will
+need to specify the path to an appropriate CA certificate to use to validate the
+server certificate with the environment variable OS_CACERT::
 
     echo $OS_CACERT
     /etc/ssl/certs/ca.crt
@@ -252,7 +252,15 @@ be copied manually from the OpenStack deployment. This can be done in 2 ways:
         -v <path_to_your_cert_file>:/etc/ssl/certs/ca.cert
 
 
+You might need to export OS_CACERT environment variable inside the container::
+
+    export OS_CACERT=/etc/ssl/certs/ca.crt
+
+
+Certificate verification can be turned off using OS_INSECURE=true.
+For example, Fuel uses self-signed cacerts by default, so an pre step would be::
 
+    export OS_INSECURE=true
 
 
 Additional Options

diff --git a/testcases/functest_utils.py b/testcases/functest_utils.py
index 9a5d718..5d380ab 100644 (file)
--- a/testcases/functest_utils.py
+++ b/testcases/functest_utils.py
@@ -67,12 +67,15 @@ def get_credentials(service):
                                    "http://192.168.20.71:5000/v2.0"),
         tenant: os.environ.get("OS_TENANT_NAME", "admin"),
     })
-    ssl = os.environ.get("OS_CACERT")
-    if ssl is not None:
-        creds.update({"ca_cert": ssl})
-        if not os.path.isfile(ssl):
+    cacert = os.environ.get("OS_CACERT")
+    if cacert != None:
+        # each openstack client uses differnt kwargs for this
+        creds.update({"cacert":cacert,"ca_cert":cacert,"https_ca_cert":cacert, \
+                      "https_cacert":cacert,"ca_file":cacert})
+        creds.update({"insecure":"True","https_insecure":"True"})
+        if not os.path.isfile(cacert):
             print "WARNING: The 'OS_CACERT' environment variable is set to %s "\
-                "but the file does not exist." % ssl
+                "but the file does not exist." % cacert
     return creds