Certificate Validation
OpenStack now supports signature verification for signed images. However, it does not support strong certificate validation for certificates used to generate image signatures. Specifically, nova has no mechanism to identify trusted certificates. While nova verifies the signature of a signed image, there is no way to determine if the certificate used to generate and verify that signature is a certificate that is trusted by the user. This change will introduce an addition to the nova API allowing the user to specify a list of trusted certificates when creating or rebuilding a server. These trusted certificates will be used to conduct certificate validation in concert with signature verification, providing the user confidence in the integrity of the image being booted.
Etherpad with overview and instructions to test: https:/
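The gap described above, as an added example in Python (not nova's code): signature verification passes for any certificate whose key produced the signature, while certificate validation also requires that the certificate was issued by one in the user's trusted list. It assumes the `cryptography` package, constructed Ed25519 keys and certificates, and a simplified direct-issuer rule; all function names are hypothetical.

```python
# Added example: keys, certificates and image bytes are constructed test data.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.x509.oid import NameOID

def make_cert(subject_cn, subject_key, issuer_cn, issuer_key):
    """Build a test certificate for subject_key, signed by issuer_key."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now, day = datetime.datetime.now(datetime.timezone.utc), datetime.timedelta(days=1)
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - day).not_valid_after(now + 30 * day)
            .sign(issuer_key, None))  # Ed25519 takes no separate hash algorithm

def signature_ok(image, signature, cert):
    """Signature verification alone: the signature matches the cert's key."""
    try:
        cert.public_key().verify(signature, image)
        return True
    except InvalidSignature:
        return False

def cert_trusted(cert, trusted_certs):
    """Simplified certificate validation: cert is issued by a trusted cert.
    Validity-period and revocation checks are left out of this sketch."""
    for trusted in trusted_certs:
        try:  # the issuer name is only a claim; the issuer's signature proves it
            if cert.issuer == trusted.subject:
                trusted.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
                return True
        except InvalidSignature:
            pass
    return False

def demo():
    ca_key, signer_key, rogue_key = (Ed25519PrivateKey.generate() for _ in range(3))
    ca = make_cert("trusted-ca", ca_key, "trusted-ca", ca_key)
    signer = make_cert("image-signer", signer_key, "trusted-ca", ca_key)
    # Rogue cert claims the trusted issuer's name but is signed by its own key.
    rogue = make_cert("image-signer", rogue_key, "trusted-ca", rogue_key)
    image, swapped = b"constructed image", b"constructed replacement image"
    return {"trusted_signer": (signature_ok(image, signer_key.sign(image), signer),
                               cert_trusted(signer, [ca])),
            "rogue_signer": (signature_ok(swapped, rogue_key.sign(swapped), rogue),
                             cert_trusted(rogue, [ca]))}
```

`demo()` returns a `(signature_ok, cert_trusted)` pair per signer: both signatures verify, but only the certificate issued by the trusted one passes validation.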
Blueprint information
- Status: Complete
- Approver: Jay Pipes
- Priority: Low
- Drafter: Peter Hamilton
- Direction: Approved
- Assignee: Peter Hamilton
- Definition: Approved
- Series goal: Accepted for rocky
- Implementation: Implemented
- Milestone target: rocky-3
- Started by: Matt Riedemann
- Completed by: Matt Riedemann
Whiteboard
This work previously fell under the following, more broadly scoped blueprint:
https:/
Accompanying spec: https:/
Gerrit topic: https:/
Addressed by: https:/
Add support for certificate validation
Approved for Pike. -- mriedem 20170414
Addressed by: https:/
Add configuration options for certificate validation
Addressed by: https:/
Add trusted certificates to InstanceExtras
Addressed by: https:/
[WIP] Implement certificate_utils
Addressed by: https:/
WIP Add trusted_
Marking this as blocked for Pike since the Nova changes depend on https:/
We're past feature freeze for Pike so I'm deferring this to Queens. Please re-propose the spec for re-approval in Queens and make any adjustments to the spec as necessary if the design has changed. -- mriedem 20170728
Addressed by: https:/
Add support for certificate validation
Addressed by: https:/
Add trusted_certs to Instance object
Re-approved for Queens. -- mriedem 20171019
Gerrit topic: https:/
Addressed by: https:/
Reduce complexity of _from_db_object
Addressed by: https:/
Add trusted_certs to instance_extra
We're now past feature freeze for Queens and there are still outstanding changes for this series, so this is being deferred to Rocky. Please re-propose the spec for Rocky and we'll try to get it merged early in the first milestone. -- mriedem 20180126
Addressed by: https:/
Add support for certificate validation
Re-approved for Rocky. -- mriedem 20180312
Addressed by: https:/
Add certificate validation docs
Addressed by: https:/
Plumb trusted_certs through libvirt driver image paths
Addressed by: https:/
Add notification support for trusted_certs
Addressed by: https:/
Add support for certificate validation
Addressed by: https:/
WIP: Add trusted certs to feature support matrix docs
Addressed by: https:/
Remove max_size parameter from fake_libvirt_
Addressed by: https:/
Fix nits from trusted certs notification change
The nova server and python-novaclient changes are all merged for Rocky using the 2.63 compute REST API microversion. The python-