[RFE] Allow IPA to skip SSL certs validation

Bug #1642515 reported by Pavlo Shchelokovskyy
This bug affects 1 person
Affects: ironic-python-agent
Status: Fix Released
Importance: Wishlist
Assigned to: Pavlo Shchelokovskyy

Bug Description

We've faced a problem in our CI environments where OpenStack is deployed with self-signed SSL certs on the public API, as IPA cannot connect to those, both for lookup/heartbeat and for image download (a pre-built upstream tinyipa deploy image was used).

It is proposed to add handling of an extra 'ipa-insecure' kernel boot parameter (defaults to '0' or something like that). Then test CI deployments similar to what is described above can add 'ipa-insecure=1' to their 'pxe_append_params' in ironic.conf on conductor hosts.

Alternatively we could just reuse the current 'ipa-debug' flag, but that would disallow a closer-to-production testing of IPA+SSL with ipa-debug enabled.

Tags: rfe-approved
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic-python-agent (master)

Fix proposed to branch: master
Review: https://review.openstack.org/398992

Changed in ironic-python-agent:
assignee: nobody → Pavlo Shchelokovskyy (pshchelo)
status: New → In Progress
description: updated
Jay Faulkner (jason-oldos) wrote :

Julia and I are both +2 to approving RFE, marking as approved.

tags: added: rfe-approved
removed: rfe
Changed in ironic-python-agent:
importance: Undecided → Wishlist
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic-python-agent (master)

Reviewed: https://review.openstack.org/398992
Committed: https://git.openstack.org/cgit/openstack/ironic-python-agent/commit/?id=fdd11b54a5e3d7a9ee89628baba2990e4e00abdd
Submitter: Jenkins
Branch: master

commit fdd11b54a5e3d7a9ee89628baba2990e4e00abdd
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Thu Nov 17 13:26:28 2016 +0200

    Configure and use SSL-related requests options

    This patch adds standard SSL options to IPA config and makes use of them
    when making HTTP requests.

    For now, a single set of certificates is used when needed.
    In the future configuration can be expanded to allow per-service
    certificates.

    Besides, the 'insecure' option (defaults to False) can be overridden
    through kernel command line parameter 'ipa-insecure'.
    This will allow running IPA in CI-like environments with self-signed SSL
    certificates.

    Change-Id: I259d9b3caa9ba1dc3d7382f375b8e086a5348d80
    Closes-Bug: #1642515

Changed in ironic-python-agent:
status: In Progress → Fix Released
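
One way the override described in the commit message can be mapped onto the `verify` and `cert` arguments of the `requests` library, as an added example (not the code from review 398992). The function names, the `cafile`/`certfile`/`keyfile` option names and the accepted true-values are assumptions; the sample parameter strings are constructed.

```python
TRUE_VALUES = {"1", "true", "yes", "on"}  # assumed spellings of "enabled"


def parse_kernel_params(cmdline):
    """Split a kernel command line into {name: value}; bare flags map to ''."""
    params = {}
    for token in cmdline.split():
        name, _, value = token.partition("=")
        params[name] = value  # a repeated parameter: the last one wins
    return params


def insecure_requested(cmdline):
    """True only if ipa-insecure is present with an explicit true value."""
    value = parse_kernel_params(cmdline).get("ipa-insecure", "")
    return value.strip().lower() in TRUE_VALUES


def resolve_tls_options(cmdline, insecure=False, cafile=None,
                        certfile=None, keyfile=None):
    """Build the verify/cert kwargs for requests.get()/requests.post().

    The config value `insecure` is the default; an ipa-insecure parameter on
    the kernel command line overrides it in either direction. Anything that
    is not an explicit true value keeps certificate validation on.
    """
    if "ipa-insecure" in parse_kernel_params(cmdline):
        insecure = insecure_requested(cmdline)
    verify = False if insecure else (cafile or True)
    cert = (certfile, keyfile) if certfile and keyfile else (certfile or None)
    return {"verify": verify, "cert": cert}


# Constructed sample values, not taken from a real deployment.
CI_PARAMS = "nofb nomodeset vga=normal ipa-debug=1 ipa-insecure=1"
PROD_PARAMS = "nofb nomodeset vga=normal"

if __name__ == "__main__":
    for label, params in (("ci", CI_PARAMS), ("prod", PROD_PARAMS)):
        opts = resolve_tls_options(params, cafile="/etc/ssl/certs/ca.pem")
        print(label, opts, "validation disabled:", insecure_requested(params))
```

`insecure_requested()` can also be run over the 'pxe_append_params' value from ironic.conf to flag conductor hosts outside CI that still boot the agent with certificate validation disabled.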
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ironic-python-agent 2.0.0

This issue was fixed in the openstack/ironic-python-agent 2.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic-python-agent (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/473677

OpenStack Infra (hudson-openstack) wrote : Change abandoned on ironic-python-agent (stable/newton)

Change abandoned by Michael Still (<email address hidden>) on branch: stable/newton
Review: https://review.openstack.org/473677
