[RFE] complete SSL support for https image references

Bug #1719582 reported by Pavlo Shchelokovskyy
Affects: Ironic
Status: Confirmed
Importance: Wishlist
Assigned to: Pavlo Shchelokovskyy

Bug Description

Currently when using https:// image references (and HttpImageService class) for images that ironic-conductor must download and cache locally (like deploy kernel/ramdisk, user image kernel/ramdisk for netbooted nodes or user image itself for 'iscsi' deploy interface) there is no possibility either to provide client keys for client SSL authorization or to provide a custom CA bundle if the image store uses a self-signed certificate (that cannot be validated by system CAs) or to skip validation of such a server certificate.

Possible solutions:
- reuse corresponding options from other config section (glance? swift?)
  - these are 'insecure', 'cafile', 'certfile', 'keyfile', exported by keystoneauth for its Session
- add same options to another config section (deploy?) - would need an RFE (spec?)

Tags: conductor rfe
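
Added illustration (not part of the bug report and not Ironic's code): how the four options named above could map onto the `verify` and `cert` arguments of a `requests` download. The function names are hypothetical, fetching the image with `requests` is an assumption, and letting 'insecure' take precedence over 'cafile' is a choice made in this sketch.

```python
import os


def tls_request_kwargs(insecure=False, cafile=None, certfile=None, keyfile=None):
    """Translate the four options into requests' `verify` and `cert` arguments.

    Hypothetical helper; only the option names come from the bug description.
    """
    # A private key without its certificate cannot be used for client auth.
    if keyfile and not certfile:
        raise ValueError("keyfile is set but certfile is not")
    # Fail at configuration time rather than in the middle of a deployment.
    for name, path in (("cafile", cafile), ("certfile", certfile),
                       ("keyfile", keyfile)):
        if path and not os.path.isfile(path):
            raise ValueError("%s does not exist: %s" % (name, path))

    if insecure:
        verify = False    # server certificate is not validated at all
    elif cafile:
        verify = cafile   # validate against the custom CA bundle
    else:
        verify = True     # validate against the default CA bundle

    if certfile and keyfile:
        cert = (certfile, keyfile)  # certificate and key in separate files
    else:
        cert = certfile   # None, or one PEM file holding certificate and key
    return {"verify": verify, "cert": cert}


def download(url, dest, **tls_options):
    """Stream an https:// image to `dest` using the TLS options above."""
    import requests  # third-party; imported here so the mapping works without it

    kwargs = tls_request_kwargs(**tls_options)
    with requests.get(url, stream=True, timeout=60, **kwargs) as resp:
        resp.raise_for_status()
        with open(dest, "wb") as out:
            for chunk in resp.iter_content(chunk_size=1 << 20):
                out.write(chunk)
```

With no options set, the server certificate is validated against the default CA bundle and no client certificate is sent; preferring 'cafile' over 'insecure' for a self-signed image store keeps validation in place.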
Dmitry Tantsur (divius)
Changed in ironic:
status: New → Confirmed
importance: Undecided → Wishlist
summary: - complete SSL support for https image references
+ [RFE] complete SSL support for https image references
tags: added: conductor rfe
Changed in ironic:
assignee: nobody → Pavlo Shchelokovskyy (pshchelo)
Ruby Loo (rloo) wrote :

We started to discuss this in today's ironic meeting [1] but ran out of time. The discussion continued between Dmitry and Pavlo in irc [2].

I feel like a short spec would be useful to describe the possible alternatives, and why we chose a new set of configs (I'm guessing that's what we'll end up doing), but I guess as long as the information is captured here in this 'bug', we will be happy.

[1] http://eavesdrop.openstack.org/meetings/ironic/2017/ironic.2017-12-04-17.00.log.html#l-303
[2] http://eavesdrop.openstack.org/irclogs/%23openstack-ironic/%23openstack-ironic.2017-12-04.log.html#t2017-12-04T18:00:50
