Added ssl verify flag to the gitfs backend.

2025-04-17 10:10:20 +00:00 · 2013-12-03 09:54:47 +02:00 · 2013-12-03 09:54:47 +02:00 · 25573412d4
commit 25573412d4
parent ddf4c6dbe2
3 changed files with 22 additions and 8 deletions
--- a/conf/master
+++ b/conf/master
@ -356,6 +356,13 @@
 #  - git://github.com/saltstack/salt-states.git
 #  - file:///var/git/saltmaster
 #
+# The gitfs_ssl_verify option specifies whether to ignore ssl certificate
+# errors when contacting the gitfs backend. You might want to set this to
+# false if you're using a git backend that uses a self-signed certificate but
+# keep in mind that setting this flag to anything other than the default of True
+# is a security concern, you may want to try using the ssh transport.
+#gitfs_ssl_verify: True
+#
 # The repos will be searched in order to find the file requested by a client
 # and the first repo to have the file will return it.
 # When using the git backend branches and tags are translated into salt
@ -389,7 +396,7 @@
 # errors when contacting the pillar gitfs backend. You might want to set this to
 # false if you're using a git backend that uses a self-signed certificate but
 # keep in mind that setting this flag to anything other than the default of True
-# is a security concern.
+# is a security concern, you may want to try using the ssh transport.
 #pillar_gitfs_ssl_verify: True

 # The pillar_opts option adds the master configuration file data to a dict in
--- a/salt/fileserver/gitfs.py
+++ b/salt/fileserver/gitfs.py
@ -131,6 +131,11 @@ def init():
        if not repo.remotes:
            try:
                repo.create_remote('origin', opt)
+                # ignore git ssl verification if requested
+                if __opts__.get('gitfs_ssl_verify', True):
+                    repo.git.config('http.sslVerify', 'true')
+                else:
+                    repo.git.config('http.sslVerify', 'false')
            except Exception:
                # This exception occurs when two processes are trying to write
                # to the git config at once, go ahead and pass over it since
--- a/salt/pillar/git_pillar.py
+++ b/salt/pillar/git_pillar.py
@ -115,15 +115,17 @@ def init(branch, repo_location):
    if not repo.remotes:
        try:
            repo.create_remote('origin', repo_location)
+            # ignore git ssl verification if requested
+            if __opts__.get('pillar_gitfs_ssl_verify', True):
+                repo.git.config('http.sslVerify', 'true')
+            else:
+                repo.git.config('http.sslVerify', 'false')
        except Exception:
+            # This exception occurs when two processes are trying to write
+            # to the git config at once, go ahead and pass over it since
+            # this is the only write
+            # This should place a lock down
            pass
-
-    # ignore git ssl verification if requested
-    if __opts__.get('pillar_gitfs_ssl_verify', True):
-        repo.git.config('http.sslVerify', 'true')
-    else:
-        repo.git.config('http.sslVerify', 'false')
-
    repo.git.fetch()
    return repo