Comment 0 for bug 1642515

We've faced a problem in our CI environments where OpenStack is deployed with self-signed SSL certs on public API, as IPA can not connect to those, both for lookup/heartbeat and for image download (pre-built upstream tinyipa deploy image was used).

It is proposed to add handling of an extra 'ipa-verify-ssl' kernel boot parameter (defaults to '1' or smth like that). Then test CI deployments similar to what described above can add 'ipa-verify-ssl=0' to their 'pxe_append_params' in ironic.conf on conductor hosts.

Alternatively we could just reuse current 'ipa-debug' flag but that would disallow a closer-to-production testing of IPA+SS with ipa-debug enabled.