[RFE] complete SSL support for https image references
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ironic | Confirmed | Wishlist | Pavlo Shchelokovskyy | | |
Bug Description
Currently, when using https:// image references (and the HttpImageService class) for images that ironic-conductor must download and cache locally (like deploy kernel/ramdisk, user image kernel/ramdisk for netbooted nodes, or the user image itself for the 'iscsi' deploy interface), there is no possibility to either provide client keys for client SSL authorization, or to provide a custom CA bundle if the image store uses a self-signed certificate (that cannot be validated by system CAs), or to skip validation of such a server certificate.
Possible solutions:
- reuse corresponding options from other config section (glance? swift?)
- these are 'insecure', 'cafile', 'certfile', 'keyfile', exported by keystoneauth for its Session
- add same options to another config section (deploy?) - would need an RFE (spec?)
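An added sketch, not Ironic's code, of how the four options named above could be turned into TLS arguments for image downloads. It assumes the downloads go through the `requests` library, whose `verify` and `cert` arguments are used here; `ImageTLSOptions` and `requests_tls_kwargs` are hypothetical names.

```python
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ImageTLSOptions:
    # Hypothetical option group; the four names are the keystoneauth
    # Session options listed in the report.
    insecure: bool = False          # skip server certificate validation
    cafile: Optional[str] = None    # custom CA bundle (PEM)
    certfile: Optional[str] = None  # client certificate (PEM)
    keyfile: Optional[str] = None   # client private key (PEM)


def requests_tls_kwargs(opts: ImageTLSOptions) -> dict:
    """Map the options to the `verify` and `cert` arguments of requests."""
    if opts.keyfile and not opts.certfile:
        raise ValueError("keyfile is set but certfile is not")
    # Fail at load time on a bad path instead of at first image download.
    for name in ("cafile", "certfile", "keyfile"):
        path = getattr(opts, name)
        if path and not os.path.isfile(path):
            raise ValueError(f"{name} does not exist: {path}")
    if opts.insecure:
        # Validation is off entirely; a configured cafile is not consulted.
        verify = False
    else:
        # Custom bundle if given, otherwise requests' default CA bundle.
        verify = opts.cafile or True
    cert = None
    if opts.certfile:
        # requests takes one combined PEM path or a (cert, key) pair.
        cert = (opts.certfile, opts.keyfile) if opts.keyfile else opts.certfile
    return {"verify": verify, "cert": cert}


if __name__ == "__main__":
    # Constructed sample: defaults keep full validation enabled.
    print(requests_tls_kwargs(ImageTLSOptions()))
    # Usage sketch: requests.get(image_href, stream=True, **kwargs)
```

With `insecure` left at its default, a self-signed image store is handled by pointing `cafile` at its CA certificate, which keeps server validation on.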
Changed in ironic:
status: New → Confirmed
importance: Undecided → Wishlist
summary:
- complete SSL support for https image references
+ [RFE] complete SSL support for https image references
tags: added: conductor rfe

Changed in ironic:
assignee: nobody → Pavlo Shchelokovskyy (pshchelo)
We started to discuss this in today's ironic meeting [1] but ran out of time. The discussion continued between Dmitry and Pavlo in IRC [2].
I feel like a short spec would be useful to describe the possible alternatives, and why we chose a new set of configs (I'm guessing that's what we'll end up doing), but I guess as long as the information is captured here in this 'bug', we will be happy.
[1] http://eavesdrop.openstack.org/meetings/ironic/2017/ironic.2017-12-04-17.00.log.html#l-303
[2] http://eavesdrop.openstack.org/irclogs/%23openstack-ironic/%23openstack-ironic.2017-12-04.log.html#t2017-12-04T18:00:50