What I’d like to see in this case is to use secure connections by default, and 
to make workarounds for self-signed certificates or other optional workarounds 
for those who need them. I would have voted against patch set 383493. It’s also 
not linked to a bug ticket, which we normally require prior to merge. I’ll see 
if I can track down the author to see about fixing this properly, or if there 
is a volunteer to do this better, I’m open to that too.

Adrian

> On Feb 10, 2017, at 2:05 AM, Kevin Lefevre <lefevre.ke...@gmail.com> wrote:
> 
> Hi,
> 
> This change (https://review.openstack.org/#/c/383493/) makes certificate 
> requests to magnum_api insecure since it is a common use case.
> 
> In swarm drivers, the make-cert.py script is in Python whereas in K8s for 
> CoreOS and Atomic, it is a shell script.
> 
> I wanted to make the change (https://review.openstack.org/#/c/430755/) but it 
> gets flagged by bandit because of Python requests package insecure TLS.
> 
> I know that we should support Custom CA in the future but if right now (and 
> according to the previous merged change) insecure requests are the default, 
> what should we do?
> 
> Do we disable bandit for the swarm drivers? Or do you use the same 
> scripts (and keep it as simple as possible) for all the drivers, possibly 
> without Python as it is not included in CoreOS.
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
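
One way to express the secure-by-default policy discussed in this thread, as an added example that is not code from the thread or from Magnum. It uses the standard-library `ssl` module rather than `requests`, and the names `build_tls_context`, `ca_file` and `allow_insecure` are hypothetical.

```python
import logging
import ssl

LOG = logging.getLogger("make_cert_example")  # hypothetical logger name


def build_tls_context(ca_file=None, allow_insecure=False):
    """Return an SSLContext for the certificate request to the API.

    ca_file and allow_insecure are hypothetical settings for this example.
    """
    if allow_insecure and ca_file:
        # Contradictory settings: refuse rather than guess which one wins.
        raise ValueError("set either ca_file or allow_insecure, not both")

    if allow_insecure:
        # Explicit opt-out only; no error path below falls back to this.
        LOG.warning("TLS verification disabled by explicit configuration")
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx

    if ca_file:
        # Self-signed or private CA: trust only that bundle, still verify.
        # A missing or unreadable file raises here instead of silently
        # downgrading to an unverified connection.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=ca_file)
        return ctx

    # Default: system trust store, chain and hostname verification on.
    return ssl.create_default_context()


def describe(ctx):
    """Summarise a context's verification settings for logs or tests."""
    return {
        "verify_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verify_hostname": ctx.check_hostname,
    }
```

The returned context can be passed to `urllib.request.urlopen(url, context=ctx)`; with `requests`, the same three cases map to `verify=True`, `verify=<path to CA bundle>` and `verify=False`.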
