[openstack-dev] [containers][magnum] Make certs insecure in magnum drivers

Adrian Otto adrian.otto at rackspace.com
Fri Feb 10 22:01:54 UTC 2017


I have opened the following bug ticket for this issue:

https://bugs.launchpad.net/magnum/+bug/1663757

Regards,

Adrian

On Feb 10, 2017, at 1:46 PM, Adrian Otto <adrian.otto at rackspace.com> wrote:

What I’d like to see in this case is to use secure connections by default, and to make workarounds for self-signed certificates or other optional workarounds for those who need them. I would have voted against patch set 383493. It’s also not linked to a bug ticket, which we normally require prior to merge. I’ll see if I can track down the author to see about fixing this properly, or if there is a volunteer to do this better, I’m open to that too.

Adrian

On Feb 10, 2017, at 2:05 AM, Kevin Lefevre <lefevre.kevin at gmail.com> wrote:

Hi,

This change (https://review.openstack.org/#/c/383493/) makes certificate requests to magnum_api insecure since it is a common use case.

In swarm drivers, the make-cert.py script is in python whereas in K8s for CoreOS and Atomic, it is a shell script.

I wanted to make the change (https://review.openstack.org/#/c/430755/) but it gets flagged by bandit because of python requests package insecure TLS.

I know that we should support custom CA in the future, but if right now (and according to the previous merged change) insecure requests are the default, what should we do?

Do we disable bandit for the swarm drivers? Or do you use the same scripts (and keep it as simple as possible) for all the drivers, possibly without python as it is not included in CoreOS?
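
Added example, not part of the original thread and not Magnum's code: one way a Python make-cert script could apply the "secure by default, optional workarounds" approach requested above when choosing the `verify=` argument for python-requests. The setting names `CA_FILE` and `TLS_INSECURE` are hypothetical.

```python
import logging
import os

LOG = logging.getLogger("make-cert-example")

_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off", ""}


def parse_bool(value, default=False):
    """Parse a string setting; reject anything ambiguous instead of guessing."""
    if value is None:
        return default
    text = str(value).strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    raise ValueError("not a boolean: %r" % (value,))


def resolve_verify(config):
    """Return the value to pass as `verify=` to a python-requests call.

    config is a dict with hypothetical keys:
      CA_FILE       path to a PEM bundle for a private or self-signed CA
      TLS_INSECURE  explicit opt-out of verification (default: off)
    """
    ca_file = (config.get("CA_FILE") or "").strip()
    insecure = parse_bool(config.get("TLS_INSECURE"), default=False)

    if ca_file:
        # A custom CA keeps verification on, so it takes priority over the opt-out.
        with open(ca_file) as handle:  # raises if the path is wrong
            if "-----BEGIN CERTIFICATE-----" not in handle.read():
                raise ValueError("%s is not a PEM certificate bundle" % ca_file)
        return os.path.abspath(ca_file)
    if insecure:
        # Only reachable when the operator asked for it; leave a trace in the logs.
        LOG.warning("TLS verification disabled by explicit TLS_INSECURE setting")
        return False
    return True  # secure default: verify against the system trust store

# Intended call site (assumption): requests.post(url, verify=resolve_verify(cfg))
```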