[tc][all] Test support for TLS default

Rico Lin ricolin at ricolky.com
Thu Jun 10 17:35:09 UTC 2021 

Dear all

In short,
can you help to enable tls-proxy for your test jobs and fix/report the
issue in [4]? Or it makes no sense for you?
Here's all repositories contains jobs with tls-proxy disabled:

   - neutron
   - neutron-tempest-plugin
   - cinder-tempest-plugin
   - cyborg-tempest-plugin
   - ec2api-tempest-plugin
   - freezer-tempest-plugin
   - grenade
   - heat
   - js-openstack-lib
   - keystone
   - kuryr-kubernetes
   - masakari
   - murano
   - networking-odl
   - networking-sfc
   - python-brick-cinderclient-ext
   - python-neutronclient
   - python-zaqarclient
   - sahara
   - sahara-dashboard
   - sahara-tests
   - solum
   - tacker
   - telemetry-tempest-plugin
   - trove
   - trove-tempest-plugin
   - vitrage-tempest-plugin
   - watcher

As I'm looking for y-cycle potential goals, I found the tls-proxy support
is not actually ready OpenStack wide (you can find some discussion in [3]).
We have multiple projects that disable tls-proxy in test jobs [1] (and stay
that way for a long time).
For security concerns, I'm currently collecting the missing part for this.
And try to figure out if there is any infra issue for current jobs.
After I attempt to enable tls-proxy for some projects to check the status.
And from the test result shows ([2]), We might have bugs/test infra issues
in projects.
So I invite projects who still have not switched to TLS default. Please do,
and help to fix/report the issue you're facing.
As we definitely need some more help on figuring out the actual situation
on each project.
So I created an etherpad [4] to track actions or related information.

Meanwhile, I will attempt to enable tls-proxy on more test jobs (and you
will be able to find it in [2]). Which gives us a good chance to review the
logs and see how we might get chances to fix it and enable TLS by default.


[1]
https://codesearch.opendev.org/?q=tls-proxy%3A%20false&i=nope&files=&excludeFiles=&repos=
[2]
https://review.opendev.org/q/topic:%22exame-tls-proxy%22+(status:open%20OR%20status:merged)
[3] https://etherpad.opendev.org/p/community-goals
[4] https://etherpad.opendev.org/p/support-tls-default

*Rico Lin*
OIF Board director, OpenStack TC, Multi-arch SIG chair, Heat PTL,
Senior Software Engineer at EasyStack
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20210611/3458e6b3/attachment-0001.html>

More information about the openstack-discuss mailing list