Flexible SSL configuration
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Heat | New | Undecided | Unassigned | |
Bug Description
Heat uses several OpenStack clients to communicate with different services.
For initialization, Heat uses a keystone session, which also reads SSL-related options:
https:/
This is OK when SSL is enabled for all OS services and the same certificate is used for all of them.
However, it prevents an operator from having a deployment where SSL is enabled for all services except Keystone, because during session initialization it loads options from the keystone section.
Also, it's not possible to specify different certificates for different services.
At the same time, this behavior is dangerously misleading: the heat config example has the following options:
http://
For example, I have a deployment with SSL disabled for Keystone, but enabled for Nova.
When I try to create a Flavor, I get an error:
skr@node1:~$ openstack stack create -t wc.yaml test
ERROR: HEAT-E99001 Service nova is not available for resource type OS::Nova::KeyPair, reason: SSL exception connecting to https:/
This happens because novaclient uses the keystone session without ca_cert.
This is a snippet of my heat.conf:
[clients_nova]
ca_file = /etc/tls/ca.pem
[clients_neutron]
ca_file = /etc/tls/ca.pem
[clients_keystone]
auth_uri = http://
description: updated
Changed in heat:
milestone: none → no-priority-tag-bugs
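The following config audit is an added example, not part of the bug report or of Heat's code: it lists every per-service SSL option in a heat.conf that differs from what the `[clients_keystone]` section carries, which by the report's description is the only place the shared session reads SSL options from. The sample file is constructed from the reporter's snippet with a placeholder `auth_uri` host, the function name `audit_client_ssl` is hypothetical, and the option names other than `ca_file` are assumed from Heat's standard client option set.

```python
import configparser

# Constructed sample modelled on the heat.conf snippet in the report;
# the auth_uri host is a placeholder, not a value from the page.
SAMPLE_HEAT_CONF = """
[clients_nova]
ca_file = /etc/tls/ca.pem
[clients_neutron]
ca_file = /etc/tls/ca.pem
[clients_keystone]
auth_uri = http://keystone.example.test:5000/v3
"""

# ca_file appears in the report; the other names are assumed from Heat's
# client option set.
SSL_OPTIONS = ("ca_file", "cert_file", "key_file", "insecure")
# Section the report says the shared session takes its SSL options from.
SESSION_SECTION = "clients_keystone"


def audit_client_ssl(conf_text):
    """Return (section, option, configured, session_value) for each
    per-service SSL option that differs from the session section's value."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    session = {}
    if parser.has_section(SESSION_SECTION):
        session = dict(parser[SESSION_SECTION])
    findings = []
    for section in sorted(parser.sections()):
        if not section.startswith("clients_") or section == SESSION_SECTION:
            continue
        for option in SSL_OPTIONS:
            configured = parser.get(section, option, fallback=None)
            if configured is not None and configured != session.get(option):
                findings.append(
                    (section, option, configured, session.get(option)))
    return findings


if __name__ == "__main__":
    for section, option, configured, used in audit_client_ssl(SAMPLE_HEAT_CONF):
        print(f"[{section}] {option} = {configured}: session section has "
              f"{used!r}, so per the report this value is not applied")
```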