2016-11-17 09:05:21 |
Pavlo Shchelokovskyy |
bug |
|
|
added bug |
2016-11-17 09:06:19 |
Pavlo Shchelokovskyy |
description |
We've faced a problem in our CI environments where OpenStack is deployed with self-signed SSL certs on public API, as IPA can not connect to those, both for lookup/heartbeat and for image download (pre-built upstream tinyipa deploy image was used).
It is proposed to add handling of an extra 'ipa-verify-ssl' kernel boot parameter (defaults to '1' or smth like that). Then test CI deployments similar to what described above can add 'ipa-verify-ssl=0' to their 'pxe_append_params' in ironic.conf on conductor hosts.
Alternatively we could just reuse current 'ipa-debug' flag but that would disallow a closer-to-production testing of IPA+SS with ipa-debug enabled. |
We've faced a problem in our CI environments where OpenStack is deployed with self-signed SSL certs on public API, as IPA can not connect to those, both for lookup/heartbeat and for image download (pre-built upstream tinyipa deploy image was used).
It is proposed to add handling of an extra 'ipa-verify-ssl' kernel boot parameter (defaults to '1' or smth like that). Then test CI deployments similar to what described above can add 'ipa-verify-ssl=0' to their 'pxe_append_params' in ironic.conf on conductor hosts.
Alternatively we could just reuse current 'ipa-debug' flag but that would disallow a closer-to-production testing of IPA+SSL with ipa-debug enabled. |
|
2016-11-17 12:40:01 |
OpenStack Infra |
ironic-python-agent: status |
New |
In Progress |
|
2016-11-17 12:40:01 |
OpenStack Infra |
ironic-python-agent: assignee |
|
Pavlo Shchelokovskyy (pshchelo) |
|
2016-11-17 12:49:21 |
Pavlo Shchelokovskyy |
description |
We've faced a problem in our CI environments where OpenStack is deployed with self-signed SSL certs on public API, as IPA can not connect to those, both for lookup/heartbeat and for image download (pre-built upstream tinyipa deploy image was used).
It is proposed to add handling of an extra 'ipa-verify-ssl' kernel boot parameter (defaults to '1' or smth like that). Then test CI deployments similar to what described above can add 'ipa-verify-ssl=0' to their 'pxe_append_params' in ironic.conf on conductor hosts.
Alternatively we could just reuse current 'ipa-debug' flag but that would disallow a closer-to-production testing of IPA+SSL with ipa-debug enabled. |
We've faced a problem in our CI environments where OpenStack is deployed with self-signed SSL certs on public API, as IPA can not connect to those, both for lookup/heartbeat and for image download (pre-built upstream tinyipa deploy image was used).
It is proposed to add handling of an extra 'ipa-insecure' kernel boot parameter (defaults to '0' or smth like that). Then test CI deployments similar to what described above can add 'ipa-insecure=1' to their 'pxe_append_params' in ironic.conf on conductor hosts.
Alternatively we could just reuse current 'ipa-debug' flag but that would disallow a closer-to-production testing of IPA+SSL with ipa-debug enabled. |
|
2016-12-02 17:56:04 |
Jay Faulkner |
tags |
rfe |
rfe-approved |
|
2016-12-02 17:56:08 |
Jay Faulkner |
ironic-python-agent: importance |
Undecided |
Wishlist |
|
2017-02-07 09:57:57 |
OpenStack Infra |
ironic-python-agent: status |
In Progress |
Fix Released |
|