openstack: pass through InsecureSkipVerify into openstack components

justinsb · justinsb · commit 955072d94430 · 2026-02-01T16:17:43.000Z
diff --git a/dnsprovider/pkg/dnsprovider/providers/openstack/designate/designate.go b/dnsprovider/pkg/dnsprovider/providers/openstack/designate/designate.go
@@ -63,7 +63,7 @@ func newDesignate(_ io.Reader) (*Interface, error) {
 	klog.V(4).Infof("Using user-agent %s", ua.Join())
 
 	tlsconfig := &tls.Config{}
-	tlsconfig.InsecureSkipVerify = true
+	tlsconfig.InsecureSkipVerify = oc.GetInsecureSkipVerify()
 	transport := &http.Transport{TLSClientConfig: tlsconfig}
 	provider.HTTPClient = http.Client{
 		Transport: transport,
diff --git a/nodeup/pkg/bootstrap/install.go b/nodeup/pkg/bootstrap/install.go
@@ -108,6 +108,7 @@ func (i *Installation) buildEnvFile() *nodetasks.InstallFile {
 			"OS_REGION_NAME",
 			"OS_APPLICATION_CREDENTIAL_ID",
 			"OS_APPLICATION_CREDENTIAL_SECRET",
+			"OS_CACERT_INSECURE",
 		} {
 			envVars[envVar] = os.Getenv(envVar)
 		}
diff --git a/nodeup/pkg/model/protokube.go b/nodeup/pkg/model/protokube.go
@@ -268,6 +268,7 @@ func (t *ProtokubeBuilder) buildEnvFile() (*nodetasks.File, error) {
 			"OS_REGION_NAME",
 			"OS_APPLICATION_CREDENTIAL_ID",
 			"OS_APPLICATION_CREDENTIAL_SECRET",
+			"OS_CACERT_INSECURE",
 		} {
 			envVars[envVar] = os.Getenv(envVar)
 		}
diff --git a/pkg/model/resources/nodeup.go b/pkg/model/resources/nodeup.go
@@ -385,6 +385,11 @@ func buildEnvironmentVariables(cluster *kops.Cluster, ig *kops.InstanceGroup) (m
 			)
 		}
 
+		// Map our Insecure Skip Verify setting
+		if cluster.Spec.CloudProvider.Openstack != nil && fi.ValueOf(cluster.Spec.CloudProvider.Openstack.InsecureSkipVerify) {
+			os.Setenv("OS_CACERT_INSECURE", "true")
+		}
+
 		// credentials needed always in control-plane and when using gossip also in nodes
 		passEnvs := false
 		if ig.IsControlPlane() || cluster.UsesLegacyGossip() {
diff --git a/util/pkg/env/standard.go b/util/pkg/env/standard.go
@@ -64,6 +64,11 @@ func BuildSystemComponentEnvVars(spec *kops.ClusterSpec) EnvVars {
 	vars.addEnvVariableIfExist("OS_APPLICATION_CREDENTIAL_ID")
 	vars.addEnvVariableIfExist("OS_APPLICATION_CREDENTIAL_SECRET")
 
+	// Map our Insecure Skip Verify setting
+	if spec.CloudProvider.Openstack != nil && fi.ValueOf(spec.CloudProvider.Openstack.InsecureSkipVerify) {
+		vars["OS_CACERT_INSECURE"] = "true"
+	}
+
 	// Digital Ocean related values.
 	vars.addEnvVariableIfExist("DIGITALOCEAN_ACCESS_TOKEN")
 
diff --git a/util/pkg/vfs/swiftfs.go b/util/pkg/vfs/swiftfs.go
@@ -62,7 +62,7 @@ func NewSwiftClient(ctx context.Context) (*gophercloud.ServiceClient, error) {
 	klog.V(4).Infof("Using user-agent %s", ua.Join())
 
 	tlsconfig := &tls.Config{}
-	tlsconfig.InsecureSkipVerify = true
+	tlsconfig.InsecureSkipVerify = config.GetInsecureSkipVerify()
 	transport := &http.Transport{TLSClientConfig: tlsconfig}
 	pc.HTTPClient = http.Client{
 		Transport: transport,
@@ -150,6 +150,14 @@ func (oc OpenstackConfig) GetCredential() (gophercloud.AuthOptions, error) {
 	return env, nil
 }
 
+func (oc OpenstackConfig) GetInsecureSkipVerify() bool {
+	s := os.Getenv("OS_CACERT_INSECURE")
+	if s == "true" || s == "1" {
+		return true
+	}
+	return false
+}
+
 func (oc OpenstackConfig) GetRegion() (string, error) {
 	var region string
 	if region = os.Getenv("OS_REGION_NAME"); region != "" {

Original file line number	Diff line number	Diff line change
`@@ -108,6 +108,7 @@ func (i Installation) buildEnvFile() nodetasks.InstallFile {`
`108`	`108`	`"OS_REGION_NAME",`
`109`	`109`	`"OS_APPLICATION_CREDENTIAL_ID",`
`110`	`110`	`"OS_APPLICATION_CREDENTIAL_SECRET",`
	`111`	`+ "OS_CACERT_INSECURE",`
`111`	`112`	`} {`
`112`	`113`	`envVars[envVar] = os.Getenv(envVar)`
`113`	`114`	`}`
Original file line number	Diff line number	Diff line change
`@@ -268,6 +268,7 @@ func (t ProtokubeBuilder) buildEnvFile() (nodetasks.File, error) {`
`268`	`268`	`"OS_REGION_NAME",`
`269`	`269`	`"OS_APPLICATION_CREDENTIAL_ID",`
`270`	`270`	`"OS_APPLICATION_CREDENTIAL_SECRET",`
	`271`	`+ "OS_CACERT_INSECURE",`
`271`	`272`	`} {`
`272`	`273`	`envVars[envVar] = os.Getenv(envVar)`
`273`	`274`	`}`
Original file line number	Diff line number	Diff line change
`@@ -385,6 +385,11 @@ func buildEnvironmentVariables(cluster kops.Cluster, ig kops.InstanceGroup) (m`
`385`	`385`	`)`
`386`	`386`	`}`
`387`	`387`
	`388`	`+ // Map our Insecure Skip Verify setting`
	`389`	`+ if cluster.Spec.CloudProvider.Openstack != nil && fi.ValueOf(cluster.Spec.CloudProvider.Openstack.InsecureSkipVerify) {`
	`390`	`+ os.Setenv("OS_CACERT_INSECURE", "true")`
	`391`	`+ }`
	`392`	`+`
`388`	`393`	`// credentials needed always in control-plane and when using gossip also in nodes`
`389`	`394`	`passEnvs := false`
`390`	`395`	`if ig.IsControlPlane() \|\| cluster.UsesLegacyGossip() {`