Default to using system certificate store.

projectcalico · Jul 7, 2016 · 8e92f68 · 8e92f68
1 parent f0986c6
commit 8e92f68
Show file tree

Hide file tree

Showing 4 changed files with 108 additions and 87 deletions.
diff --git a/calico/felix/config.py b/calico/felix/config.py
@@ -200,7 +200,8 @@ def __init__(self, config_path):
         self.add_parameter("EtcdCertFile", "Path to etcd certificate file",
                            "none", sources=[ENV, FILE])
         self.add_parameter("EtcdCaFile", "Path to etcd CA certificate file",
-                           "none", sources=[ENV, FILE])
+                           "/etc/ssl/certs/ca-certificates.crt",
+                           sources=[ENV, FILE])
         self.add_parameter("EtcdEndpoints", "Comma separated list of etcd "
                            "endpoints, of the form scheme://address:port.  "
                            "For example "

diff --git a/calico/felix/test/data/felix_none_ca.cfg b/calico/felix/test/data/felix_none_ca.cfg
@@ -0,0 +1,5 @@
+[global]
+EtcdScheme = https
+EtcdCertFile = /path/to/cert.crt
+EtcdKeyFile = /path/to/key.pem
+EtcdCaFile = none
diff --git a/calico/felix/test/test_config.py b/calico/felix/test/test_config.py
@@ -86,7 +86,8 @@ def test_default_config(self):
             self.assertEqual(config.ETCD_SCHEME, "http")
             self.assertEqual(config.ETCD_KEY_FILE, None)
             self.assertEqual(config.ETCD_CERT_FILE, None)
-            self.assertEqual(config.ETCD_CA_FILE, None)
+            self.assertEqual(config.ETCD_CA_FILE,
+                             "/etc/ssl/certs/ca-certificates.crt")
             self.assertEqual(config.HOSTNAME, socket.gethostname())
             self.assertEqual(config.IFACE_PREFIX, "blah")
             self.assertEqual(config.METADATA_PORT, 123)
@@ -198,6 +199,19 @@ def test_unreadable_etcd_ca(self):
                                          "Missing CA certificate"):
                 config = Config("calico/felix/test/data/felix_unreadable_ca.cfg")
 
+    def test_none_ca(self):
+        """
+        Test that the CA can be overriden to None.
+        """
+        with nested(mock.patch("os.path.isfile", autospec=True),
+                    mock.patch("os.access", autospec=True)) \
+             as (m_isfile, m_access):
+
+            m_isfile.return_value = True
+            m_access.return_value = True
+            config = load_config("felix_none_ca.cfg")
+            self.assertEqual(config.ETCD_CA_FILE, None)
+
     def test_no_logfile(self):
         # Logging to file can be excluded by explicitly saying "none" -
         # but if in etcd config the file is still created.