There is a compute REST API change proposed [1] which will allow users
to pass trusted certificate IDs to be used with validation of images
when creating or rebuilding a server. The trusted cert IDs are based on
certificates stored in some key manager, e.g. Barbican.
The full nova spec is here [2].
The main concern I have is that trusted certs will not be supported for
volume-backed instances, and some clouds only support volume-backed
instances. The way the patch is written is that if the user attempts to
boot from volume with trusted certs, it will fail.
In thinking about a semi-discoverable/configurable solution, I'm
thinking we should add a policy rule around trusted certs to indicate if
they can be used or not. Beyond the boot from volume issue, the only
virt driver that supports trusted cert image validation is the libvirt
driver, so any cloud that's not using the libvirt driver simply cannot
support this feature, regardless of boot from volume. We have added
similar policy rules in the past for backend-dependent features like
volume extend and volume multi-attach, so I don't think this is a new issue.
Alternatively we can block the change in nova until it supports boot
from volume, but that would mean needing to add trusted cert image
validation support into cinder along with API changes, effectively
killing the chance of this getting done in nova in Rocky, and this
blueprint has been around since at least Ocata so it would be good to
make progress if possible.
[1] https://review.openstack.org/#/c/486204/
[2]
https://specs.openstack.org/openstack/nova-specs/specs/rocky/approved/nova-validate-certificates.html
--
Thanks,
Matt
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
