[openstack-dev] [nova] Which SSL ca_file does a person use, really?

Matt Riedemann mriedem at linux.vnet.ibm.com
Fri Apr 1 16:07:40 UTC 2016

We have a lot of CA file options in nova:

1. DEFAULT.ca_file - this is used in nova.crypto
2. ssl.ca_file - this is used when constructing glanceclient
3. DEFAULT.ssl_ca_file - this is used in nova.wsgi
4. vmware.ca_file - for connecting to vcenter
5. neutron.cafile - for constructing neutronclient
6. cinder.cafile - for constructing cinderclient
7. keystone_authtoken.cafile - for constructing keystoneauth
8. barbican.cafile - for constructing barbicanclient

As far as I can see none of these are deprecated. The keystone_auth one 
is probably coming from one of the keystone library options, so we can't 
do much about that.

But it seems like the first three, and then the other ones for 
connecting to neutron/cinder/barbican clients could all be collapsed, or 
is that not the intent?

I remember Matthew Gilliard working on something related to this at one 
point where we were going to use a DictOpt where the default value comes 
from ssl.ca_file (which is defined in oslo.service) but you could 
override that for specific functions, like if you want different files 
for connecting to the different clients.

Is anyone else working on something like this because it's super 
confusing for deployers.



Matt Riedemann

More information about the OpenStack-dev mailing list