ts-openstack-deploy: set CURL_CA_BUNDLE

This overrides pip's attempt to specify a specific certificate bundle,
and is necessary if we have a MITM SSL proxy.

The security implications are not ideal, because the MITM proxy will
allow any X.509 cert from any CA, whereas pip would only allow an
expected cert.  But we got pip via plain https to start with...

CC: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>

diff --git a/ts-openstack-deploy b/ts-openstack-deploy
index d4c041d4943b92e565f463c9824a1f7f7e1489b1..119958b0909112d4015484191c932fdaa9facffa 100755 (executable)
--- a/ts-openstack-deploy
+++ b/ts-openstack-deploy
@@ -138,7 +138,10 @@ END
 
 sub deploy() {
     my $httpproxy = http_proxy_envsettings($ho);
-
+    my $mitmcert = target_https_mitm_proxy_cert_path($ho);
+    $httpproxy .=
+        "\n        CURL_CA_BUNDLE=$mitmcert; export CURL_CA_BUNDLE"
+        if $mitmcert;
     target_cmd($ho, <<END, 1800);
         set -e
         $httpproxy