Blame SOURCES/bz2029791-2-fence_openstack-cacert-default.patch

From b7032d16a07997ecab3b2c11a6436b3fa21f9043 Mon Sep 17 00:00:00 2001
From: "Fabio M. Di Nitto" <fdinitto@redhat.com>
Date: Thu, 6 Jan 2022 12:53:28 +0100
Subject: [PATCH] fence_openstack: relax ssl cacert default
allow the agent to use Base OS defaults vs forcing a specific file
to increase portability.
Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>
---
 agents/openstack/fence_openstack.py     | 12 +++++++++---
 tests/data/metadata/fence_openstack.xml |  2 +-
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/agents/openstack/fence_openstack.py b/agents/openstack/fence_openstack.py
a6cf86
index c2d9df160..36b353b52 100755
a6cf86
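--- a/agents/openstack/fence_openstack.py
+++ b/agents/openstack/fence_openstack.py
@@ -127,7 +127,13 @@ def nova_login(username, password, projectname, auth_url, user_domain_name,
             cacert=cacert,
         )
 
-    session = ksc_session.Session(auth=auth, verify=False if ssl_insecure else cacert, timeout=apitimeout)
+    caverify=True
+    if ssl_insecure:
+        caverify=False
+    elif cacert:
+        caverify=cacert
+
+    session = ksc_session.Session(auth=auth, verify=caverify, timeout=apitimeout)
     nova = client.Client("2", session=session, timeout=apitimeout)
     apiversion = None
     try:
@@ -189,10 +195,10 @@ def define_new_opts():
     all_opt["cacert"] = {
         "getopt": ":",
         "longopt": "cacert",
-        "help": "--cacert=[cacert]              Path to the PEM file with trusted authority certificates",
+        "help": "--cacert=[cacert]              Path to the PEM file with trusted authority certificates (override global CA trust)",
         "required": "0",
         "shortdesc": "SSL X.509 certificates file",
-        "default": "/etc/pki/tls/certs/ca-bundle.crt",
+        "default": "",
         "order": 7,
     }
     all_opt["apitimeout"] = {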
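Review bot: In the nova_login hunk, `ssl_insecure` silently takes precedence over an explicitly supplied `--cacert`, so a configuration that sets both runs the Keystone session with `verify=False` while appearing to pin a CA; emit a warning when both are set and document the order with a comment such as `# precedence: ssl_insecure > --cacert > OS default trust store`. The `cacert=cacert,` context line at the top of that hunk belongs to a call that starts outside the hunk, and with the default changed to `""` in define_new_opts it now receives an empty string instead of a bundle path — confirm that callee treats `""` as unset, or pass `cacert or None`. With `verify=True` the trusted CA set is whatever bundle the installed HTTP library resolves, which on some installs may be a bundled CA file rather than the OS store, so the new help text could say so. nova_login's body starts and ends outside the hunk.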
diff --git a/tests/data/metadata/fence_openstack.xml b/tests/data/metadata/fence_openstack.xml
a6cf86
index 926d18c3d..c8dc2e60f 100644
a6cf86
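--- a/tests/data/metadata/fence_openstack.xml
+++ b/tests/data/metadata/fence_openstack.xml
@@ -100,7 +100,7 @@
 	</parameter>
 	<parameter name="cacert" unique="0" required="0">
 		<getopt mixed="--cacert=[cacert]" />
-		<content type="string" default="/etc/pki/tls/certs/ca-bundle.crt"  />
+		<content type="string" default=""  />
 		<shortdesc lang="en">SSL X.509 certificates file</shortdesc>
 	</parameter>
 	<parameter name="apitimeout" unique="0" required="0">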