From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Tue, 25 Apr 2017 18:04:55 +0000 (+0000)
Subject: ts-openstack-deploy: set CURL_CA_BUNDLE
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=refs%2Fheads%2Fwip.openstack;p=people%2Fiwj%2Fosstest.git

ts-openstack-deploy: set CURL_CA_BUNDLE

This overrides pip's attempt to specify a specific certificate bundle,
and is necessary if we have a MITM SSL proxy.

The security implications are not ideal, because the MITM proxy will
allow any X.509 cert from any CA, whereas pip would only allow an
expected cert.  But we got pip via plain https to start with...

CC: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
---

diff --git a/ts-openstack-deploy b/ts-openstack-deploy
index d4c041d4..119958b0 100755
--- a/ts-openstack-deploy
+++ b/ts-openstack-deploy
@@ -138,7 +138,10 @@ END
 
 sub deploy() {
     my $httpproxy = http_proxy_envsettings($ho);
-
+    my $mitmcert = target_https_mitm_proxy_cert_path($ho);
+    $httpproxy .=
+        "\n        CURL_CA_BUNDLE=$mitmcert; export CURL_CA_BUNDLE"
+        if $mitmcert;
     target_cmd($ho, <<END, 1800);
         set -e
         $httpproxy