Comment 1 for bug 1482510

Steve Baker (steve-stevebaker) wrote :

This likely requires some coordination between heat and os-collect-config.

The absolute bare minimum would be for os-collect-config.conf [cfn] and [heat] to gain an 'insecure' option, and for heat to populate that from its own /etc/heat/heat.conf [clients_heat] insecure.

Beyond that, /etc/heat/heat.conf [clients_heat] also has options ca_file, cert_file, key_file. We would need security expert input on whether it is appropriate to populate boot user_data with the contents of these files to allow similar options to be set in os-collect-config.conf.

If this is appropriate then the heat user_data cloud-init items can include the contents of ca_file, cert_file, key_file and heat can also populate os-collect-config.conf with the resulting paths.

If this is not appropriate then os-collect-config will need to check for cert paths by convention, and the image building process needs to copy in those cert files.