[RFE] complete SSL support for https image references

Bug #1719582 reported by Pavlo Shchelokovskyy on 2017-09-26

Bug Description

Currently, when using https:// image references (and the HttpImageService class) for images that ironic-conductor must download and cache locally (like deploy kernel/ramdisk, user image kernel/ramdisk for netbooted nodes, or the user image itself for the 'iscsi' deploy interface), there is no possibility either to provide client keys for client SSL authorization, or to provide a custom CA bundle if the image store uses a self-signed certificate (that cannot be validated by system CAs), or to skip validation of such a server certificate.

Possible solutions:
- reuse corresponding options from other config section (glance? swift?)
  - these are 'insecure', 'cafile', 'certfile', 'keyfile', exported by keystoneauth for its Session
- add same options to another config section (deploy?) - would need an RFE (spec?)
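
How the four option names listed above could drive an image download, as an added example that is not ironic's or keystoneauth's code. The function names and the rule that `insecure` overrides `cafile` are assumptions of this sketch; it uses only the Python standard library.

```python
import os
import ssl
import urllib.request


def build_image_tls_context(insecure=False, cafile=None, certfile=None, keyfile=None):
    """Translate the four option names from the report into an ssl.SSLContext."""
    if keyfile and not certfile:
        raise ValueError("keyfile is only meaningful together with certfile")
    for name, path in (("cafile", cafile), ("certfile", certfile), ("keyfile", keyfile)):
        if path and not os.path.isfile(path):
            raise FileNotFoundError(f"{name} does not exist: {path}")

    if insecure:
        # Assumption of this sketch: insecure overrides cafile.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    else:
        # With cafile set, only that bundle is trusted (system CAs are not
        # loaded); with cafile unset, the system CA store is used.
        ctx = ssl.create_default_context(cafile=cafile)

    if certfile:
        # Client certificate for mutual TLS; keyfile may be None when the
        # private key is stored in the same PEM file as the certificate.
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def open_image(url, **tls_options):
    """Open an https:// image reference with the configured TLS settings."""
    if not url.lower().startswith("https://"):
        raise ValueError("TLS options apply only to https:// references")
    return urllib.request.urlopen(url, context=build_image_tls_context(**tls_options))
```

Failing early on a missing `cafile` keeps a mistyped path from being mistaken for a certificate validation failure at download time.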

Dmitry Tantsur (divius) on 2017-09-26
Changed in ironic:
status: New → Confirmed
importance: Undecided → Wishlist
summary: - complete SSL support for https image references
+ [RFE] complete SSL support for https image references
tags: added: conductor rfe
Changed in ironic:
assignee: nobody → Pavlo Shchelokovskyy (pshchelo)
Ruby Loo (rloo) wrote:

We started to discuss this in today's ironic meeting [1] but ran out of time. The discussion continued between Dmitry and Pavlo in IRC [2].

I feel like a short spec would be useful to describe the possible alternatives, and why we chose a new set of configs (I'm guessing that's what we'll end up doing), but I guess as long as the information is captured here in this 'bug', we will be happy.

[1] http://eavesdrop.openstack.org/meetings/ironic/2017/ironic.2017-12-04-17.00.log.html#l-303
[2] http://eavesdrop.openstack.org/irclogs/%23openstack-ironic/%23openstack-ironic.2017-12-04.log.html#t2017-12-04T18:00:50
