On 4/1/2016 11:07 AM, Matt Riedemann wrote:
We have a lot of CA file options in nova:

1. DEFAULT.ca_file - this is used in nova.crypto
2. ssl.ca_file - this is used when constructing glanceclient
3. DEFAULT.ssl_ca_file - this is used in nova.wsgi
4. vmware.ca_file - for connecting to vcenter
5. neutron.cafile - for constructing neutronclient
6. cinder.cafile - for constructing cinderclient
7. keystone_authtoken.cafile - for constructing keystoneauth
8. barbican.cafile - for constructing barbicanclient

As far as I can see, none of these are deprecated. The keystone_auth one
is probably coming from one of the keystone library options, so we can't
do much about that.

But it seems like the first three, and then the other ones for
connecting to neutron/cinder/barbican clients could all be collapsed, or
is that not the intent?

I remember Matthew Gilliard working on something related to this at one
point where we were going to use a DictOpt where the default value comes
from ssl.ca_file (which is defined in oslo.service) but you could
override that for specific functions, like if you want different files
for connecting to the different clients.

Is anyone else working on something like this? Because it's super
confusing for deployers.


I found that old series if someone wants to work on this:

https://review.openstack.org/#/q/status:abandoned+project:openstack/nova+branch:master+topic:ssl-config-options

--

Thanks,

Matt Riedemann
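
The collapsed scheme mentioned in the message (one shared default taken from ssl.ca_file, with per-use overrides) can be modelled against a config file to see which of the eight options would simply inherit the default and which would need an explicit override. This is an added example, not nova code and not part of the original message; the `load` and `audit` helpers and the sample config are constructed for illustration, and it uses the standard-library configparser rather than oslo.config.

```python
import configparser

# The eight CA options listed in the message, as (section, option) pairs.
CA_OPTIONS = [
    ("DEFAULT", "ca_file"), ("ssl", "ca_file"), ("DEFAULT", "ssl_ca_file"),
    ("vmware", "ca_file"), ("neutron", "cafile"), ("cinder", "cafile"),
    ("keystone_authtoken", "cafile"), ("barbican", "cafile"),
]

# Constructed sample config, not taken from a real deployment.
SAMPLE_CONF = """
[DEFAULT]
ssl_ca_file = /etc/ssl/certs/internal-ca.pem
[ssl]
ca_file = /etc/ssl/certs/internal-ca.pem
[neutron]
cafile = /etc/ssl/certs/internal-ca.pem
[cinder]
cafile = /etc/ssl/certs/old-ca.pem
[vmware]
ca_file = /etc/ssl/certs/vcenter-ca.pem
"""

def load(text):
    # Treat [DEFAULT] as an ordinary section so its values do not leak
    # into other sections the way configparser's default section would.
    cfg = configparser.ConfigParser(default_section="__unused__",
                                    interpolation=None)
    cfg.read_string(text)
    return cfg

def audit(cfg, base=("ssl", "ca_file")):
    """Return (effective, unset, overrides) under the collapsed scheme."""
    default = cfg.get(*base, fallback=None)
    effective, unset, overrides = {}, [], {}
    for section, option in CA_OPTIONS:
        name = f"{section}.{option}"
        value = cfg.get(section, option, fallback=None)
        if value is None:
            unset.append(name)        # assumed to inherit the shared default
        elif value != default:
            overrides[name] = value   # would need an explicit per-use override
        effective[name] = value or default
    return effective, unset, overrides
```

An entry in `overrides` that nobody can explain (here the constructed `cinder.cafile`) is the kind of drift that eight separate options make easy to miss.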

