Enable certificate check for glance_store+swift
Disable insecure option for glance_store with
swift backend when tls is enabled.
Specify swift_store_cacert option.
Change-Id: Ia1e8f596c95dd7b6e63cb21a94c8316dc71bf945
diff --git a/lib/glance b/lib/glance
index 9398bd2..3f72c0b 100644
--- a/lib/glance
+++ b/lib/glance
@@ -212,25 +212,19 @@
if is_service_enabled s-proxy; then
iniset $GLANCE_API_CONF glance_store default_store swift
iniset $GLANCE_API_CONF glance_store swift_store_create_container_on_put True
- if python3_enabled; then
- iniset $GLANCE_API_CONF glance_store swift_store_auth_insecure True
- fi
iniset $GLANCE_API_CONF glance_store swift_store_config_file $GLANCE_SWIFT_STORE_CONF
iniset $GLANCE_API_CONF glance_store default_swift_reference ref1
iniset $GLANCE_API_CONF glance_store stores "file, http, swift"
+ if is_service_enabled tls-proxy; then
+ iniset $GLANCE_API_CONF glance_store swift_store_cacert $SSL_BUNDLE_FILE
+ fi
iniset $GLANCE_API_CONF DEFAULT graceful_shutdown_timeout "$SERVICE_GRACEFUL_SHUTDOWN_TIMEOUT"
iniset $GLANCE_SWIFT_STORE_CONF ref1 user $SERVICE_PROJECT_NAME:glance-swift
iniset $GLANCE_SWIFT_STORE_CONF ref1 key $SERVICE_PASSWORD
- if python3_enabled; then
- # NOTE(dims): Currently the glance_store+swift does not support either an insecure flag
- # or ability to specify the CACERT. So fallback to http:// url
- iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address ${KEYSTONE_SERVICE_URI/https/http}/v3
- else
- iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3
- fi
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3
iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_version 3
fi
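Review bot: Dropping the `swift_store_auth_insecure True` line only stops the script from writing the option; if `$GLANCE_API_CONF` is not regenerated on every run (not visible in this hunk), a value left by an earlier run would keep certificate checking off. Writing the secure state explicitly next to the new cacert line would make the result independent of file history: `iniset $GLANCE_API_CONF glance_store swift_store_auth_insecure False`. The new `swift_store_cacert` line also passes `$SSL_BUNDLE_FILE` unquoted and without checking that it is set, so an empty value would produce an empty or shifted option; `iniset $GLANCE_API_CONF glance_store swift_store_cacert "$SSL_BUNDLE_FILE"` is safer. Because `auth_address` now keeps the scheme of `$KEYSTONE_SERVICE_URI`, an https URI without `tls-proxy` enabled presumably relies on the system CA store, which deserves a one-line comment above the `if is_service_enabled tls-proxy` block. The enclosing function starts and ends outside the hunk.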