Missing Nova Config Option for Glance Client CA File
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Compute (nova) |
Confirmed
|
Low
|
Unassigned |
Bug Description
Using OS Havana, nova 2013.2.2
There is currently no config option in nova.conf to use a CA cert file to verify glance connections. In order for nova to issue glance client requests to an HTTPS glance endpoint you must turn off certificate validation (glance_
Current config in nova.conf to use an HTTPS glance API endpoint:
root@osc:~# grep glance /etc/nova/nova.conf
glance_protocol = https
glance_api_servers = https:/
glance_api_insecure = True
image_service = nova.image.
What is missing is an option for the CA cert, which neutron and cinder do have:
root@osc:~# grep ca_certificate /etc/nova/nova.conf
neutron_
cinder_
Simple fix in /usr/lib/
1) In glance_opts, add the config option:
cfg.
2) In _create_
# https specific params
3) Now you can set the CA cert in nova.conf and remove the insecure option:
root@osc:~# grep glance /etc/nova/nova.conf
glance_protocol = https
glance_
glance_api_servers = https:/
image_service = nova.image.
information type: | Private Security → Public |
Changed in nova: | |
status: | New → Confirmed |
Changed in nova: | |
importance: | Undecided → Low |
assignee: | nobody → Tiago Rodrigues de Mello (timello) |
tags: | added: icehouse-backport-potential |
Changed in nova: | |
status: | In Progress → Confirmed |
assignee: | Tiago Rodrigues de Mello (timello) → nobody |
Fix proposed to branch: master /review. openstack. org/84522
Review: https:/