Closed orviz closed 4 years ago
We simplified the CA management to just rely on requests and system defaults in 0.11.4 (before for GOCDB the CA path was hardcoded). This change implies that IGTF CAs should be included in the requests bundle. If we really want to allow CAs configuration we should review all code and not just the gocdb.py module.
Not sure how to better approach this :(
This is documented on https://github.com/EGI-Foundation/cloud-info-provider#cas. For me it's fine to leave it like this, but maybe you have another alternative to propose, @orviz?
But we could also depend on the CA RPM/deb metapackages from UMD and use/hardcode the related specific path.
The current approach is the least intrusive, but in practice (since it is primarily used in EGI Fedcloud) having it hardcoded would prevent recurring questions from users that do not read the documentation (just like me :P).
If you ask me I prefer the current one, I can update the ansible role accordingly, and the release notes should state this clearly.
So it's part of a previous release: https://github.com/EGI-Foundation/cloud-info-provider/releases/tag/0.11.5. We can clarify those release notes, but not sure we should include it in the current/new one.
So do we all agree that we keep things like this in this repo and that you update the ansible role?
Thanks @gwarf, the ansible role now tackles these steps.
The last CMD validation job has been successfully executed so we can close the issue.
Thanks!
Short Description of the issue
While validating the 0.12.0 release for CMD, the provider execution failed to verify the GOCDB endpoint when the `--insecure` option is not used (see detailed deployment in [1]). I could not find a way to pass the CA path with the certificates to trust.
[1] https://jenkins.egi.ifca.es/job/QualityCriteriaValidation/job/cloud-info-provider/93
Environment
Steps to reproduce
Executing the provider without the `insecure` flag. Tried with no luck to use the `--ca-cert` option pointing to `/etc/grid-security/certificates`.
Logs, stacktrace, or other symptoms
Summary of proposed changes
The `verify = not insecure` line only allows boolean values to be passed to the `requests.get` method: https://github.com/EGI-Foundation/cloud-info-provider/blob/5c97e11716f6c9195a034c3fc6f438dd5bce84b5/cloud_info_provider/providers/gocdb.py#L55-L59
The code should allow setting `verify` to a valid path for the CAs.
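An added sketch of what the issue asks for, not code from cloud-info-provider: `requests` accepts `verify` as a boolean or as a path to a CA bundle file or a `c_rehash`-processed directory, so the insecure flag and an optional CA path can be folded into one value. The names `resolve_verify`, `fetch` and `ca_path` are hypothetical.

```python
import os
import re

# OpenSSL looks up CAs in a directory by subject-hash names such as "1a2b3c4d.0".
_HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def resolve_verify(insecure=False, ca_path=None):
    """Return the value to hand to requests as ``verify``.

    False        -> TLS verification disabled (the --insecure case)
    True         -> requests' default bundle (or REQUESTS_CA_BUNDLE if set)
    str (a path) -> CA bundle file, or a c_rehash-style directory
    """
    if insecure:
        return False
    if not ca_path:
        return True
    if os.path.isfile(ca_path):
        return ca_path
    if os.path.isdir(ca_path):
        # A plain directory of .pem files is not enough: without the hashed
        # names OpenSSL finds no CA and every handshake fails verification.
        if any(_HASHED_NAME.match(name) for name in os.listdir(ca_path)):
            return ca_path
        raise ValueError("%s has no hashed CA entries (run c_rehash)" % ca_path)
    # Fail early with a clear message instead of silently trusting nothing.
    raise ValueError("CA path %s does not exist" % ca_path)


def fetch(url, insecure=False, ca_path=None):
    """Hypothetical caller: GET ``url`` with the resolved verification setting."""
    import requests  # imported here so resolve_verify() has no dependencies

    return requests.get(url, verify=resolve_verify(insecure, ca_path), timeout=30)
```

With no CA path given, the same result can be had without code changes by exporting `REQUESTS_CA_BUNDLE`, which `requests` honours when `verify` is left at `True`.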