Connections to HTTPS publicURLs need CA cert

Bug #1580704 reported by Tom Cammann
This bug affects 3 people
Affects: Magnum
Status: Fix Released
Importance: Medium
Assigned to: Spyros Trigazis
Milestone: (none listed)

Bug Description

Magnum requires that a bay connects to Magnum's public API; this public API may require an HTTPS connection. To verify this TLS connection, a custom cert for this endpoint is needed.

We need to pass a CA cert into the bay, and this cert needs to be used by the bay to verify connections to publicURLs behind TLS.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/315178

Changed in magnum:
assignee: nobody → Tom Cammann (tom-cammann)
status: New → In Progress
hongbin (hongbin034)
Changed in magnum:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Change abandoned on magnum (master)

Change abandoned by Adrian Otto (<email address hidden>) on branch: master
Review: https://review.openstack.org/315178
Reason: Abandoning this patch because it is in merge conflict without a revision in one full week. You may un-abandon it, and post a revision at any time.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/460330

Changed in magnum:
assignee: Tom Cammann (tom-cammann) → Michael Tupitsyn (mikhail-tupitsyn)
Changed in magnum:
assignee: Michael Tupitsyn (mikhail-tupitsyn) → Spyros Trigazis (strigazi)
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/525662
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=65dfb2009feb298d131a52e10c29c36c0eb668bd
Submitter: Zuul
Branch: master

commit 65dfb2009feb298d131a52e10c29c36c0eb668bd
Author: Spyros Trigazis <email address hidden>
Date: Tue Dec 5 15:19:01 2017 +0000

    Add openstack_ca_file configuration option

    In the drivers section of magnum.conf add openstack_ca_file.
    This file is expected to be a CA Certificate OR CA bundle
    which will be passed on every node and it will be installed
    on the host's CA bundle.

    Update devstack plugin to use the ssl bundle if tls-proxy is
    enabled.

    Install the CA for drivers:
    k8s_coreos_v1
    k8s_fedora_atomic_v1
    k8s_fedora_ironic_v1
    mesos_ubuntu_v1
    swarm_fedora_atomic_v1
    swarm_fedora_atomic_v2

    Add doc in troubleshooting-guide.

    Add release notes.

    Closes-Bug: #1580704
    Partially-Implements: blueprint heat-agent
    Change-Id: Id48fbea187da667a5e7334694c3ec17c8e2504db

Changed in magnum:
status: In Progress → Fix Released
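
Added example (not part of the bug report or of Magnum's code): a pre-flight check, using the standard `openssl` CLI, that a candidate `openstack_ca_file` actually validates the API endpoint's certificate, whether the file holds one CA or a bundle. The PKI, subject names and the config path in the comment are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo, not Magnum code. A file that passes this check is what an
# operator would reference in magnum.conf (the path below is hypothetical):
#   [drivers]
#   openstack_ca_file = /etc/magnum/openstack-ca.pem

# Create a throwaway private CA, an unrelated CA, and an API endpoint
# certificate signed by the private CA. All subjects are made-up test names.
make_test_pki() {
    local dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=magnum.example.test" \
        -keyout "$dir/api.key" -out "$dir/api.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/api.csr" -days 1 -CAcreateserial \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -out "$dir/api.crt" 2>/dev/null
}

# Number of PEM certificates in a CA file (1 = single CA, >1 = bundle).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds only if the endpoint certificate ($1) chains to a CA in file $2.
verify_with_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

demo() {
    local dir ca r
    dir=$(mktemp -d) || return 1
    make_test_pki "$dir" || return 1
    cat "$dir/other.crt" "$dir/ca.crt" > "$dir/bundle.pem"
    # Wrong CA is rejected; the issuing CA, alone or in a bundle, verifies.
    for ca in other.crt ca.crt bundle.pem; do
        if verify_with_bundle "$dir/api.crt" "$dir/$ca"; then r=verified; else r=REJECTED; fi
        printf '%-11s certs=%s endpoint %s\n' "$ca" "$(count_certs "$dir/$ca")" "$r"
    done
    rm -rf "$dir"
}
demo
```

Against a live endpoint, `openssl s_client -connect <host>:<port> -CAfile <file> -verify_return_error` performs the same chain check during the handshake.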
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/539535

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 6.0.0

This issue was fixed in the openstack/magnum 6.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (stable/pike)

Reviewed: https://review.openstack.org/539535
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=7167aff3c1f8d42f37f05d21d5d28ea39468dbff
Submitter: Zuul
Branch: stable/pike

commit 7167aff3c1f8d42f37f05d21d5d28ea39468dbff
Author: Spyros Trigazis <email address hidden>
Date: Tue Dec 5 15:19:01 2017 +0000

    Add openstack_ca_file configuration option

    In the drivers section of magnum.conf add openstack_ca_file.
    This file is expected to be a CA Certificate OR CA bundle
    which will be passed on every node and it will be installed
    on the host's CA bundle.

    Update devstack plugin to use the ssl bundle if tls-proxy is
    enabled.

    Install the CA for drivers:
    k8s_coreos_v1
    k8s_fedora_atomic_v1
    k8s_fedora_ironic_v1
    mesos_ubuntu_v1
    swarm_fedora_atomic_v1
    swarm_fedora_atomic_v2

    Add doc in troubleshooting-guide.

    Add release notes.

    Closes-Bug: #1580704
    Partially-Implements: blueprint heat-agent
    (cherry-picked from 65dfb2009feb298d131a52e10c29c36c0eb668bd)
    Change-Id: Id48fbea187da667a5e7334694c3ec17c8e2504db

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 5.0.2

This issue was fixed in the openstack/magnum 5.0.2 release.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on magnum (master)

Change abandoned by Feilong Wang (<email address hidden>) on branch: master
Review: https://review.opendev.org/460330
Reason: Hi, I'm going to abandon this by doing an overall project cleanup. Please feel free to reopen this. Thanks.
