[openstack-dev] [nova] Which SSL ca_file does a person use, really?

Matt Riedemann mriedem at linux.vnet.ibm.com
Fri Apr 1 16:09:22 UTC 2016



On 4/1/2016 11:07 AM, Matt Riedemann wrote:
> We have a lot of CA file options in nova:
>
> 1. DEFAULT.ca_file - this is used in nova.crypto
> 2. ssl.ca_file - this is used when constructing glanceclient
> 3. DEFAULT.ssl_ca_file - this is used in nova.wsgi
> 4. vmware.ca_file - for connecting to vcenter
> 5. neutron.cafile - for constructing neutronclient
> 6. cinder.cafile - for constructing cinderclient
> 7. keystone_authtoken.cafile - for constructing keystoneauth
> 8. barbican.cafile - for constructing barbicanclient
>
> As far as I can see none of these are deprecated. The keystone_auth one
> is probably coming from one of the keystone library options, so we can't
> do much about that.
>
> But it seems like the first three, and then the other ones for
> connecting to neutron/cinder/barbican clients could all be collapsed, or
> is that not the intent?
>
> I remember Matthew Gilliard working on something related to this at one
> point where we were going to use a DictOpt where the default value comes
> from ssl.ca_file (which is defined in oslo.service) but you could
> override that for specific functions, like if you want different files
> for connecting to the different clients.
>
> Is anyone else working on something like this, because it's super
> confusing for deployers?
>

I found that old series if someone wants to work on this:

https://review.openstack.org/#/q/status:abandoned+project:openstack/nova+branch:master+topic:ssl-config-options

-- 

Thanks,

Matt Riedemann
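
To make the "default from ssl.ca_file, override per client" idea concrete, here is an added example (not nova code and not the abandoned series above): a small resolver that reads the eight option locations listed in the message from a constructed nova.conf fragment, falls back to [ssl] ca_file where the per-client value is unset or empty, and then checks whether each resolved file is actually usable. The service labels, the fallback order and the sample paths are this example's own assumptions.

```python
import configparser
import os

# (section, option) for each CA file option listed in the thread; the
# service labels on the left are this example's own, not nova's.
CA_FILE_OPTIONS = {
    "crypto":   ("DEFAULT", "ca_file"),
    "glance":   ("ssl", "ca_file"),
    "wsgi":     ("DEFAULT", "ssl_ca_file"),
    "vmware":   ("vmware", "ca_file"),
    "neutron":  ("neutron", "cafile"),
    "cinder":   ("cinder", "cafile"),
    "keystone": ("keystone_authtoken", "cafile"),
    "barbican": ("barbican", "cafile"),
}

# Constructed nova.conf fragment: a shared CA in [ssl], two overrides,
# and one option left deliberately empty.
SAMPLE_NOVA_CONF = """
[DEFAULT]
ssl_ca_file = /etc/nova/wsgi-ca.pem
[ssl]
ca_file = /etc/ssl/certs/internal-ca.pem
[neutron]
cafile = /etc/nova/neutron-ca.pem
[cinder]
cafile =
"""

def resolve_ca_files(conf_text, fallback=("ssl", "ca_file")):
    """Effective CA file per service: the service's own option if set and
    non-empty, else the shared fallback, else None (system trust store)."""
    # default_section is renamed so [DEFAULT] is read as an ordinary section
    # and its values do not leak into every other section (a configparser quirk).
    parser = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    parser.read_string(conf_text)
    shared = parser.get(*fallback, fallback="").strip() or None
    return {svc: (parser.get(sec, opt, fallback="").strip() or shared)
            for svc, (sec, opt) in CA_FILE_OPTIONS.items()}

def check_ca_files(effective):
    """Say, per service, whether the resolved CA file will actually load."""
    def state(path):
        if path is None:
            return "system-default"
        if not os.path.isfile(path):
            return "missing"
        return "ok" if os.access(path, os.R_OK) else "unreadable"
    return {svc: state(path) for svc, path in effective.items()}
```

Running `check_ca_files(resolve_ca_files(open("/etc/nova/nova.conf").read()))` on a real deployment shows which file each client would trust and flags any that point at a missing or unreadable path.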
