[RFE] Add a field to accept the default verify_ca path
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ironic | Triaged | Wishlist | ZhouHao | | |
Bug Description
We have created an enhancement(https:/
This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes.
Below are our implementation details.
We can break down the implementation into two main steps:
1. Adding a new option default_
Adding a default_
2. Retrieving the path before node verification
Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation varies based on different vendors.
Changed in ironic: | |
assignee: | nobody → ZhouHao (zhouhao3) |
description: | updated |
We discussed this RFE at the weekly Ironic meeting and are not ready to approve it at this time.
There are a few items we need clarity on:
- What is the use case for needing this value on a node level override?
- If this is scoped as a [conductor] level config, will it apply conductor-wide?
During the meeting, further security concerns came up:
- How is the user expected to get the certificate onto the conductor securely?
For these reasons, we feel it's best you provide a spec. https://opendev.org/openstack/ironic-specs Please provide additional detail as well on use cases.
Thanks!
-Jay