Open Stack

Hi,

There are certain gaps in SSL(https mainly) support in software
configuration and I would like to discuss it. This is in addition to
what is described in bug #1482510 [1]. I am not sure if all of this is
already thought by folks, if so do let me know.

Tools for software configuration should work by default if the Nova
instance has CA certificates installed in it at default location. Also,
there should be a way to specify the location of CA file in Nova
instance, so that the location can be passed to os-collect-config using
metadata. Since this location can be different for each VM instance, it
needs to be specified from template or env file etc. (we need to decide)

I am of the opinion that Heat should not get into installing CA
certificates or private keys. We should assume that the image has the
proper certificates and private keys baked into it, or installed by some
other means. The tools used for software configuration must be able to
communicate with heat even before the actual user-defined software
configuration kicks in. Software configurations to set up a applications
like web server may install their own certificate as part of deployment,
and that is a different case, which I don't want to cover.

Following is my assessment of tools used to notify/poll heat. We also
need to support insecure option to make it easier to test without having
valid certificates or in deployments where there could be certificates
missing.

heat-cfntools
  - Uses curl, so IMO, ca certs in default location is taken care.
  - Insecure option is already added
  - Need to add an option for CA cert (--cacert) if not in default
    location. E.g. /opt/aws/bin/cfn-signal --cacert <file>
    And we pass that down to curl command.

os-collect-config
  - Uses requests lib, system dependent default location is not searched
  - Insecure is being added [2]
  - cafile location needs to be specified from template? Each server
    can have their own custom location of ca files, so there needs a way
    to specify that from template. Could this be a property of nova
    server? When we are preparing metadata, we can use this property to
    configure ca_file.

heat-config-notify
  added cafile and insecure option [3]

Additionally, heat can use the insecure config option from heat_clients
section and use it while creating OSC's config. This setting is
overridden when template includes cafile location of server being
configured.

We can have SSL gate job with devstack running with SSL enabled and the
test image having valid CA certificates in it.

Let me know your opinion!

-- Anant

[1] https://bugs.launchpad.net/heat/+bug/1482510
[2] https://review.openstack.org/#/c/284725/
[3] https://review.openstack.org/#/c/285157/