sw-manager remote CLI fails using a secure connection (https enabled)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
StarlingX | Fix Released | Medium | Jorge Saffe | |
Bug Description
sw-manager fails when it is used from a remote CLI through a secure connection to a STX cluster (https enabled).
Severity
---------
Major.
Steps to Reproduce
-------
Enable secure mode (https)
Log into the Horizon page, go to "Project" -> "API Access", go to "Download OpenStack RC File" -> "OpenStack RC File" and then copy the downloaded file "admin-openrc.sh" locally.
Install remote CLI
Source the file "admin-openrc.sh" and execute "sw-manager patch-strategy show".
Expected Behavior
------------------
The command should have no error in the output. Example:
sysadmin@
No strategy available
Actual Behavior
---------------
One of the following errors occurs (the first when https is disabled, the second when https is enabled and the "/v3" fix is present):
sysadmin@
<urlopen error [SSL: CERTIFICATE_
Reproducibility
---------------
100% Reproducible.
System Configuration
-------
Tested in an AIO-SX, should happen in any environment type.
Changed in starlingx: | |
status: | New → In Progress |
Changed in starlingx: | |
importance: | Undecided → Medium |
tags: | added: stx.9.0 stx.clients stx.nfv |
Changed in starlingx: | |
assignee: | nobody → Jorge Saffe (jsaffe) |
Reviewed: https://review.opendev.org/c/starlingx/nfv/+/892822
Committed: https://opendev.org/starlingx/nfv/commit/9feef4232d378151f52cc56f9d0fe2711b745559
Submitter: "Zuul (22348)"
Branch: master
commit 9feef4232d378151f52cc56f9d0fe2711b745559
Author: Jorge Saffe <email address hidden>
Date: Fri Aug 25 17:21:02 2023 -0400
sw-manager fails with SSL and CA Cert provided.
When sw-manager is used through a secure connection (https
enabled) either with the remote CLI or within the cluster
via the public interface, the operation fails if the
Certificate Authority's cert is not included among the
system's trusted CAs.
The sw-manager client lacks implemented methods for
referencing a local Certificate Authority Cert during calls.
Therefore, if the CA is not among the system's trusted CAs,
all calls made by sw-manager's CLI will fail since
authentication in Keystone will also fail.
Other CLIs like fm or platform allow referencing a CA Cert
via the "REQUESTS_CA_BUNDLE" environment variable. The fix
involves loading, if defined, the CA Cert referenced by
such an environment variable, and adjusting SSL calls to
verify connections using the provided CA Cert.
Test Plan:
PASS Fresh Install SX Env
PASS Source openrc.sh file (internal interface).
PASS sw-manager patch-strategy show
PASS Enable secure mode (https)
PASS Download OpenStack RC File from Horizon.
PASS Source RC file inside cluster (public interface).
PASS Set REQUESTS_CA_BUNDLE with CA-Cert path.
PASS sw-manager patch-strategy show
PASS Enable secure mode (https)
PASS Download OpenStack RC File from Horizon.
PASS Install remote CLI (custom container with changes)
PASS Source downloaded RC file
PASS Set REQUESTS_CA_BUNDLE with CA-Cert path.
PASS sw-manager patch-strategy show
Closes-bug: 2033561
Change-Id: If5b70714cde09bd8c329b976a8148daee9001415
Signed-off-by: Jorge Saffe <email address hidden>
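
The approach the commit message describes (load the CA cert named by REQUESTS_CA_BUNDLE, if defined, and verify TLS connections against it) can be sketched as below. This is an added example, not the code from the starlingx/nfv change; the function names and the choice to raise on a missing bundle path are assumptions of the sketch.

```python
import os
import ssl
import urllib.request

CA_ENV_VAR = "REQUESTS_CA_BUNDLE"  # variable named in the commit message


def resolve_ca_bundle(environ=os.environ):
    """Return ("cafile"|"capath", path), or None when the variable is unset."""
    path = environ.get(CA_ENV_VAR, "").strip()
    if not path:
        return None
    path = os.path.expanduser(path)
    if os.path.isdir(path):
        return ("capath", path)   # directory of hashed CA certificates
    if os.path.isfile(path):
        return ("cafile", path)   # single PEM bundle
    # Assumption of this sketch: a configured but missing bundle is an error,
    # not a reason to fall back silently to the system trust store.
    raise FileNotFoundError(f"{CA_ENV_VAR} points to a missing path: {path}")


def build_ssl_context(environ=os.environ):
    """TLS context that always verifies the peer, trusting the extra CA if set."""
    bundle = resolve_ca_bundle(environ)
    # create_default_context() enables CERT_REQUIRED and hostname checking.
    # With cafile/capath it trusts only that bundle; without, the system CAs.
    kwargs = {bundle[0]: bundle[1]} if bundle else {}
    return ssl.create_default_context(**kwargs)


def open_url(url, environ=os.environ, timeout=10):
    """Open an https URL with verification against the resolved trust anchors."""
    handler = urllib.request.HTTPSHandler(context=build_ssl_context(environ))
    return urllib.request.build_opener(handler).open(url, timeout=timeout)
```

Verification stays enabled on every path: an unreadable or malformed bundle raises instead of downgrading to an unverified connection.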