wishlist: Add variable OS_CACERT to /root/openrc on env with https

Bug #1512709 reported by Oleksiy Butenko
This bug affects 1 person
Affects            | Status    | Importance | Assigned to       | Milestone
Fuel for OpenStack | Won't Fix | Wishlist   | Oleksiy Molchanov |
8.0.x              | Won't Fix | Wishlist   | Unassigned        |

Bug Description

Add variable OS_CACERT to /root/openrc on env with https.

Tags: area-library
Dmitry Pyzhov (dpyzhov)
tags: added: area-library
Ivan Kolodyazhny (e0ne) wrote :

It will be useful for several use-cases:
1. Users will be able to run custom/upstream python-cinderclient with SSL out-of-the-box
2. Run cinderclient integration tests

Changed in fuel:
status: New → Confirmed
Dmitry Klenov (dklenov) wrote :

Oleksiy, please put more details about the use case you want to cover. The current description does not give the vision.

Changed in fuel:
assignee: nobody → Fuel Library Team (fuel-library)
status: Confirmed → Incomplete
Ivan Kolodyazhny (e0ne) wrote :

@Dmitry, did you see my comment with use cases?

Ivan Kolodyazhny (e0ne)
Changed in fuel:
status: Incomplete → New
Dmitry Klenov (dklenov) wrote :

@Ivan, thank you for putting the details!

Changed in fuel:
status: New → Confirmed
Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Bartłomiej Piotrowski (bpiotrowski)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/243107

Changed in fuel:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/243107
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=ce2ac8ed8e41c3174f21e34aa446a65f4737e67e
Submitter: Jenkins
Branch: master

commit ce2ac8ed8e41c3174f21e34aa446a65f4737e67e
Author: Bartłomiej Piotrowski <email address hidden>
Date: Mon Nov 9 14:36:00 2015 +0100

    Add OS_CACERT to openrc if SSL is enabled

    Change-Id: Ie38dc225d1aa2104ef7959644c4e16a2923fa15e
    Closes-bug: 1512709

Changed in fuel:
status: In Progress → Fix Committed
Oleksiy Butenko (obutenko) wrote :

root@node-1:~# cat openrc |grep OS_CACERT
export OS_CACERT='/etc/pki/tls/certs/public_haproxy.pem'
root@node-1:~#

verified on MOS ISO 240

Changed in fuel:
status: Fix Committed → Fix Released
Oleksiy Butenko (obutenko) wrote :

http://paste.openstack.org/show/484964/
reproduced again on ISO 478 - Env with https.
[root@nailgun ~]# cat /etc/fuel/8.0/version.yaml
VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "8.0"
  api: "1.0"
  build_number: "478"
  build_id: "478"
  fuel-nailgun_sha: "ae949905142507f2cb446071783731468f34a572"
  python-fuelclient_sha: "4f234669cfe88a9406f4e438b1e1f74f1ef484a5"
  fuel-agent_sha: "481ed135de2cb5060cac3795428625befdd1d814"
  fuel-nailgun-agent_sha: "b2bb466fd5bd92da614cdbd819d6999c510ebfb1"
  astute_sha: "b81577a5b7857c4be8748492bae1dec2fa89b446"
  fuel-library_sha: "420c6fa5f8cb51f3322d95113f783967bde9836e"
  fuel-ostf_sha: "ab5fd151fc6c1aa0b35bc2023631b1f4836ecd61"
  fuel-mirror_sha: "b62f3cce5321fd570c6589bc2684eab994c3f3f2"
  fuelmenu_sha: "fac143f4dfa75785758e72afbdc029693e94ff2b"
  shotgun_sha: "63645dea384a37dde5c01d4f8905566978e5d906"
  network-checker_sha: "9f0ba4577915ce1e77f5dc9c639a5ef66ca45896"
  fuel-upgrade_sha: "616a7490ec7199f69759e97e42f9b97dfc87e85b"
  fuelmain_sha: "6c6b088a3d52dd0eaf43d59f3a3a149c93a07e7e"

Changed in fuel:
status: Fix Released → Confirmed
no longer affects: fuel/mitaka
Changed in fuel:
status: Confirmed → Won't Fix
Dmitry Pyzhov (dpyzhov)
Changed in fuel:
milestone: 8.0 → 9.0
status: Won't Fix → Confirmed
no longer affects: fuel/future
Changed in fuel:
assignee: Bartłomiej Piotrowski (bpiotrowski) → Fuel Library Team (fuel-library)
Changed in fuel:
status: Confirmed → New
assignee: Fuel Library Team (fuel-library) → Oleksiy Butenko (obutenko)
Changed in fuel:
assignee: Oleksiy Butenko (obutenko) → Oleksiy Molchanov (omolchanov)
status: New → Confirmed
Stanislaw Bogatkin (sbogatkin) wrote :

We removed the cacert declaration from openrc because we don't have a contract to have a CA at all. You can have one self-signed cert for endpoints (that is how we used TLS in Fuel for public endpoints by default), but there is also such an opportunity as selective TLS, where you can have a different cert per endpoint type per service (about 30+ certs by default), and all those certs can be self-signed or signed independently by separate CAs. In this case we won't have one CA certificate.

There is a workaround: we could merge all given certificates into one and give it as a CA bundle, but currently this approach is not automated in Fuel, and it actually should be a little bit more complicated, as I said (ideally, we should compute which certificates are _really_ needed in that CA bundle).

So, as a result, openrc should not have a cacert directive while we have the current approach to deploy.

Changed in fuel:
status: Confirmed → Won't Fix
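The two pieces this thread turns on, as an added example that is not code from the bug report or from fuel-library: a check that flags an openrc pointing at an https auth URL without OS_CACERT (the situation the bug describes, which pushes users toward --insecure and drops server authentication), and the workaround Stanislaw outlines, merging the per-endpoint certificates of a selective-TLS deployment into one bundle that OS_CACERT can point at. It works at the PEM-text level only (no X.509 parsing) so it runs offline; the certificate bodies, the sample openrc and the bundle path are constructed placeholders, not data from the page.

```python
"""Merge per-endpoint TLS certificates into one CA bundle and check an openrc.

Added example for this bug thread; not code from Fuel or fuel-library.
Operates on PEM text only; the certificate bodies below are constructed
placeholders, not real certificates.
"""
import hashlib
import re

# A PEM CERTIFICATE block. Other block types (PRIVATE KEY etc.) never match,
# so a combined haproxy cert+key file can be fed in without copying the key.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def extract_certs(pem_text):
    """Return the base64 bodies (whitespace removed) of all CERTIFICATE blocks."""
    return [re.sub(r"\s+", "", m.group(1)) for m in PEM_CERT.finditer(pem_text)]


def build_ca_bundle(pem_texts):
    """Concatenate certificates from several PEM sources into one bundle.

    Duplicates are dropped by SHA-256 of the base64 body, so a certificate
    shared by several endpoints appears once. Returns (bundle_text, count).
    """
    seen, blocks = set(), []
    for text in pem_texts:
        for body in extract_certs(text):
            digest = hashlib.sha256(body.encode("ascii")).hexdigest()
            if digest in seen:
                continue
            seen.add(digest)
            # Re-wrap at 64 columns, the conventional PEM line width.
            wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
            blocks.append(
                "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % wrapped)
    return "".join(b + "\n" for b in blocks), len(blocks)


def parse_openrc(openrc_text):
    """Return {VAR: value} for `export VAR=value` lines, stripping one layer of quotes."""
    env = {}
    for line in openrc_text.splitlines():
        m = re.match(r"\s*export\s+([A-Za-z_]\w*)=(.*)$", line)
        if not m:
            continue
        value = m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[m.group(1)] = value
    return env


def cacert_missing(openrc_text):
    """True when openrc uses an https auth URL but sets no (or an empty) OS_CACERT."""
    env = parse_openrc(openrc_text)
    auth_url = env.get("OS_AUTH_URL", "")
    return auth_url.lower().startswith("https://") and not env.get("OS_CACERT")


def openrc_cacert_line(bundle_path):
    """Render the export line in the single-quoted form the thread shows."""
    return "export OS_CACERT='%s'" % bundle_path.replace("'", "'\\''")


# Constructed sample data: placeholder bodies, not real certificates.
BODY_A = "QUFB" * 18          # 72 base64 chars, shared by two endpoints
BODY_B = "QkJC" * 9           # a distinct selective-TLS certificate
KEYSTONE_PEM = ("-----BEGIN CERTIFICATE-----\n" + BODY_A +
                "\n-----END CERTIFICATE-----\n"
                "-----BEGIN PRIVATE KEY-----\nS0VZS0VZS0VZ\n-----END PRIVATE KEY-----\n")
# Same certificate as keystone, wrapped differently.
GLANCE_PEM = ("-----BEGIN CERTIFICATE-----\n" + BODY_A[:40] + "\n" + BODY_A[40:] +
              "\n-----END CERTIFICATE-----\n")
CINDER_PEM = ("-----BEGIN CERTIFICATE-----\n" + BODY_B +
              "\n-----END CERTIFICATE-----\n")

OPENRC_BEFORE = """#!/bin/sh
export OS_AUTH_URL='https://10.0.0.2:5000/v2.0/'
export OS_USERNAME='admin'
"""

if __name__ == "__main__":
    bundle, n = build_ca_bundle([KEYSTONE_PEM, GLANCE_PEM, CINDER_PEM])
    print("%d unique certificates in bundle" % n)
    print("openrc needs OS_CACERT:", cacert_missing(OPENRC_BEFORE))
    print(openrc_cacert_line("/root/ca-bundle.pem"))  # assumed bundle path
```

Merging the endpoint certificates into the OS_CACERT file makes each self-signed endpoint certificate a trust anchor, which is what makes the `--insecure` flag unnecessary. A certificate that is not self-signed cannot be accepted that way; its issuer's certificate has to be in the bundle instead, which is the "compute which certificates are really needed" step the comment above leaves open.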