TLS unsigned certificate when using terraform
The microstack.openstack project recently enabled/required TLS authentication, as outlined here. I am working on deploying an openstack cluster to microstack using a terraform example here. As a result of the change, I am receiving an unknown signed certificate error when trying to create an openstack network client data source.
data "openstack_networking_network_v2" "terraform" {
  name = "${var.pool}"
}
Error when calling terraform plan:
Error: Error creating OpenStack networking client: Post "https://XXX.XXX.XXX.132:5000/v3/auth/tokens": OpenStack connection error, retries exhausted. Aborting. Last error was: x509: certificate signed by unknown authority
with data.openstack_networking_network_v2.terraform,
on datasources.tf line 1, in data "openstack_networking_network_v2" "terraform":
1: data "openstack_networking_network_v2" "terraform" {
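Is there a way to ignore the certificate error so I can successfully use terraform to create the openstack cluster? I have tried updating the generate-self-signed parameter, but I haven't seen any change in behavior: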
sudo snap set microstack config.tls.generate-self-signed=false
I think the insecure provider parameter is what you are looking for:
(Optional) Trust self-signed SSL certificates. If omitted, the OS_INSECURE environment variable is used.
Try:
provider "openstack" {
  insecure = true
}
Disclaimer: I haven't tried it.
The issue was that I was not sourcing the admin-openrc.sh file downloaded from the horizon web page:
$ source admin-openrc.sh
I had the same problem; if it helps, here is my contribution:
sudo snap get microstack config.tls
Key Value
config.tls.cacert-path /var/snap/microstack/common/etc/ssl/certs/cacert.pem
config.tls.cert-path /var/snap/microstack/common/etc/ssl/certs/cert.pem
config.tls.compute {...}
config.tls.generate-self-signed true
config.tls.key-path /var/snap/microstack/common/etc/ssl/private/key.pem
In the terraform directory, do:
cat /var/snap/microstack/common/etc/ssl/certs/cacert.pem
: copy/paste -> cacert.pem
cat /var/snap/microstack/common/etc/ssl/certs/cert.pem
: copy/paste -> cert.pem
cat /var/snap/microstack/common/etc/ssl/private/key.pem
: copy/paste -> key.pem
And create a file main.tf in your terraform directory:
provider "openstack" {
  user_name   = "admin"
  tenant_name = "admin"
  password    = "pass" # get with: sudo snap get microstack config.credentials.keystone-password
  auth_url    = "https://host_ip:5000/v3"
  # insecure  = true # uncomment & comment cacert_file + key line
  cacert_file = "/terraform_dir/cacert.pem"
  # cert      = "/terraform_dir/cert.pem" # if needed
  key         = "/terraform_dir/private.pem"
  region      = "microstack" # or regionOne
}
Finish with terraform plan/apply.
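The difference between the two fixes suggested above, as an added example that is not part of the original posts or of the Terraform provider: a Go client (the provider's language, and the source of the x509 error text) is pointed at a local test server whose certificate the system trust store does not know, once with default roots, once trusting only that server's certificate as cacert_file does for the CA file, and once with verification disabled as insecure = true does. The function names probe and compare are illustrative, and the local test server stands in for the MicroStack endpoint.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probe makes one HTTPS GET to url with the given TLS settings and
// returns the handshake/request error (nil on success).
func probe(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// compare starts a local HTTPS server whose certificate is not in any
// system root store (a constructed stand-in for a self-signed endpoint)
// and tries three client configurations against it.
func compare() (defaultErr, pinnedErr, insecureErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()

	// 1. Default trust store: the situation behind the error on this page.
	defaultErr = probe(srv.URL, &tls.Config{})

	// 2. Trust only this server's certificate: the cacert_file approach.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinnedErr = probe(srv.URL, &tls.Config{RootCAs: pool})

	// 3. Verification off: the insecure = true approach. It connects,
	// but it would connect to a server presenting any certificate.
	insecureErr = probe(srv.URL, &tls.Config{InsecureSkipVerify: true})
	return
}

func main() {
	d, p, i := compare()
	fmt.Println("default roots:   ", d)
	fmt.Println("CA file trusted: ", p)
	fmt.Println("verification off:", i)
}
```

Cases 2 and 3 both connect, but only case 2 still rejects a certificate that was not issued by the trusted CA, which is why the cacert_file setting is the safer fix for the credentials sent to port 5000.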