[openstack-dev] [nova] Concern about trusted certificates API change

Matt Riedemann mriedemos at gmail.com
Wed Apr 18 16:41:03 UTC 2018


There is a compute REST API change proposed [1] which will allow users 
to pass trusted certificate IDs to be used with validation of images 
when creating or rebuilding a server. The trusted cert IDs are based on 
certificates stored in some key manager, e.g. Barbican.

The full nova spec is here [2].

The main concern I have is that trusted certs will not be supported for 
volume-backed instances, and some clouds only support volume-backed 
instances. The way the patch is written is that if the user attempts to 
boot from volume with trusted certs, it will fail.

In thinking about a semi-discoverable/configurable solution, I'm 
thinking we should add a policy rule around trusted certs to indicate if 
they can be used or not. Beyond the boot from volume issue, the only 
virt driver that supports trusted cert image validation is the libvirt 
driver, so any cloud that's not using the libvirt driver simply cannot 
support this feature, regardless of boot from volume. We have added 
similar policy rules in the past for backend-dependent features like 
volume extend and volume multi-attach, so I don't think this is a new issue.

Alternatively we can block the change in nova until it supports boot 
from volume, but that would mean needing to add trusted cert image 
validation support into cinder along with API changes, effectively 
killing the chance of this getting done in nova in Rocky, and this 
blueprint has been around since at least Ocata so it would be good to 
make progress if possible.

[1] https://review.openstack.org/#/c/486204/
[2] https://specs.openstack.org/openstack/nova-specs/specs/rocky/approved/nova-validate-certificates.html

-- 

Thanks,

Matt
