Hi,

There are certain gaps in SSL (HTTPS mainly) support in software configuration and I would like to discuss them. This is in addition to what is described in bug #1482510 [1]. I am not sure if all of this has already been thought about by folks; if so, do let me know.

Tools for software configuration should work by default if the Nova instance has CA certificates installed in it at the default location. Also, there should be a way to specify the location of the CA file in the Nova instance, so that the location can be passed to os-collect-config using metadata. Since this location can be different for each VM instance, it needs to be specified from the template or env file etc. (we need to decide).

I am of the opinion that Heat should not get into installing CA certificates or private keys. We should assume that the image has the proper certificates and private keys baked into it, or installed by some other means. The tools used for software configuration must be able to communicate with heat even before the actual user-defined software configuration kicks in. Software configurations that set up applications like a web server may install their own certificate as part of deployment, and that is a different case, which I don't want to cover.

Following is my assessment of the tools used to notify/poll heat. We also need to support an insecure option to make it easier to test without having valid certificates, or in deployments where certificates could be missing.

heat-cfntools
- Uses curl, so IMO, CA certs in the default location are taken care of.
- Insecure option is already added.
- Need to add an option for the CA cert (--cacert) if not in the default location. E.g. /opt/aws/bin/cfn-signal --cacert <file>, and we pass that down to the curl command.

os-collect-config
- Uses the requests lib; the system-dependent default location is not searched.
- Insecure is being added [2].
- cafile location needs to be specified from the template? Each server can have its own custom location for CA files, so there needs to be a way to specify that from the template. Could this be a property of the Nova server? When we are preparing metadata, we can use this property to configure ca_file.
heat-config-notify
- Added cafile and insecure options [3].

Additionally, heat can use the insecure config option from the heat_clients section and use it while creating OSC's config. This setting is overridden when the template includes the cafile location of the server being configured.

We can have an SSL gate job with devstack running with SSL enabled and the test image having valid CA certificates in it.

Let me know your opinion!

-- Anant

[1] https://bugs.launchpad.net/heat/+bug/1482510
[2] https://review.openstack.org/#/c/284725/
[3] https://review.openstack.org/#/c/285157/
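The precedence described in the proposal (a per-server cafile from the template overriding the global insecure setting, and the point that the requests library does not search the system CA store by itself, unlike curl) worked through as an added Python example. This is not code from Heat or os-collect-config; the metadata keys `ca_file`/`insecure`, the system bundle paths and the function names are assumptions for illustration.

```python
"""Resolve the TLS verification setting for an os-collect-config style poller.
Added example, not Heat or os-collect-config code; metadata keys and the
default CA search paths below are assumptions."""
import os

# Common system CA bundle locations (assumed). requests ships its own bundle
# and does not look here, so a tool that should trust the CA certificates
# installed in the image must locate the file itself, as the proposal notes.
SYSTEM_CA_PATHS = (
    "/etc/ssl/certs/ca-certificates.crt",   # Debian/Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",     # RHEL/CentOS/Fedora
    "/etc/ssl/ca-bundle.pem",               # SUSE
)


def resolve_verify(server_metadata, global_insecure=False,
                   search_paths=SYSTEM_CA_PATHS, exists=os.path.isfile):
    """Return the value to pass as ``verify=`` to requests.

    Precedence, following the proposal:
      1. ``ca_file`` in the server's metadata (set from the template)
         overrides everything, including the global insecure option;
      2. otherwise an ``insecure`` flag (per-server metadata or the
         heat_clients-style global option) disables verification;
      3. otherwise the first system CA bundle that exists is used;
      4. otherwise True, i.e. the requests default bundle.
    ``exists`` is injectable so the lookup can be tested without touching disk.
    """
    ca_file = server_metadata.get("ca_file")
    if ca_file:
        if not exists(ca_file):
            # Fail loudly rather than silently falling back to no verification.
            raise FileNotFoundError("CA file %s not found on instance" % ca_file)
        return ca_file
    if server_metadata.get("insecure") or global_insecure:
        return False
    for path in search_paths:
        if exists(path):
            return path
    return True


def curl_tls_args(verify):
    """Translate the same decision into curl flags for a cfn-signal style
    wrapper: a bundle path becomes --cacert, False becomes --insecure, and
    True adds nothing because curl already uses the system default store."""
    if verify is False:
        return ["--insecure"]
    if verify is True:
        return []
    return ["--cacert", verify]
```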