add https support with port and cert

Bug #1983988 reported by Narinder Gupta
This bug affects 2 people
Affects: OpenStack Manila NetApp Charm
Status: Triaged
Importance: High
Assigned to: Unassigned

Bug Description

It seems that by default NetApp uses HTTP, but it supports the HTTPS protocol as well. This request is to provide the SSL cert, HTTPS port, and port number as part of config options.

Created the following config and certs in the manila-netapp charm to support TLS

transport-type
netapp-server-port

Yes, manually place the provided certs in /usr/local/share/ca-certificates/ and run the update-ca-certificates call to add the cert. Add the name entry into the MAAS DNS, as corporate DNS provides FQDN only, and NetApp does not understand the FQDN.

Changed in charm-manila-netapp:
importance: Undecided → Wishlist
status: New → Triaged
Narinder Gupta (narindergupta) wrote :

diff --git a/config.yaml b/config.yaml
index d34d87b..9cf81c8 100644
--- a/config.yaml
+++ b/config.yaml
+ transport-type:
+ type: string
+ description: |
+ Transport protocol for communicating with the storage system or proxy
+ server. Valid options include http and https.
+ default: http
+ netapp-server-port:
+ type: string
+ description: |
+ The TCP port to use for communication with the storage system or proxy
+ server. If not specified, ONTAP drivers will use 80 for HTTP and 443 for HTTPS.
+ default: ''
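Review bot: transport-type is added with "default: http", so unless the operator overrides it the netapp_login and netapp_password values rendered into manila.conf travel to the storage system unencrypted; consider "default: https". Nothing enforces the "Valid options include http and https" sentence, so a mistyped value goes straight into the template. netapp-server-port is declared "type: string" for what is a TCP port; either make it an int or validate the range before rendering. The bug title also asks for a cert, and this file adds no option for a CA certificate.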

diff --git a/templates/queens/manila.conf b/templates/queens/manila.conf
index 0475d67..2438051 100644
--- a/templates/queens/manila.conf
+++ b/templates/queens/manila.conf

 netapp_storage_family = ontap_cluster
 netapp_server_hostname = {{ options.management_address }}
 netapp_login = {{ options.admin_name }}
 netapp_password = {{ options.admin_password }}
+netapp_transport_type = {{ options.transport_type }}
+netapp_server_port = {{ options.netapp_server_port }}
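Review bot: netapp_server_port on the last added line is rendered unconditionally, but the config.yaml default is '' and its description says the driver chooses 80 or 443 only when the port is not specified, so a default deployment writes "netapp_server_port = " with an empty value. Wrap that line in {% if options.netapp_server_port %} ... {% endif %} so the key is omitted when the option is unset.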

Vern Hart (vern) wrote :

This feels like more than a wishlist. Not supporting https is a security risk. I'd argue that https should be the default.

I've hit this at a customer deployment and had to fork the charm with a patch similar to Narinder's to enable https.

Alex Kavanagh (ajkavanagh) wrote :

> This feels like more than a wishlist. Not supporting https is a security risk. I'd argue that https should be the default.

In this case I meant 'wishlist' as in, not a bug, but a feature request. I didn't mean to imply that it was not important. If you do have a working patch, please do submit it as a patch to the charm. We can then work with it to get it into the stable charms. Alternatively, add the patch here and we can take it forward.

Vern Hart (vern) wrote :

I need to suss out the cert implications first and then I'll submit a patch -- maybe even with tests, but that might be a stretch. :)

Alex Kavanagh (ajkavanagh) wrote :

On reflection, I think my categorisation of wishlist for this one was wrong, and you (Vern) were correct in your comment. I've changed it to high to reflect that. Thanks very much for your work on this!

Changed in charm-manila-netapp:
importance: Wishlist → High
Billy Olsen (billy-olsen) wrote :

Note that part of this config option (netapp-transport-type, netapp-server-port) is provided in this fix https://review.opendev.org/c/openstack/charm-manila-netapp/+/863151.

The ca-cert is not added as part of that patch set, so leaving this bug open.
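
Added example (not part of the bug report, the posted patch, or the charm's code): one way the transport-type and netapp-server-port options discussed in this thread could be validated before they are rendered into manila.conf, omitting the port key when the option is empty. The function name validate_transport and its return shape are assumptions made for illustration.

```python
# Added illustration: not code from charm-manila-netapp or the NetApp driver.
# validate_transport() and its return shape are hypothetical.

VALID_TRANSPORTS = ("http", "https")
# Driver defaults as stated in the netapp-server-port option description.
DEFAULT_PORTS = {"http": 80, "https": 443}


def validate_transport(options):
    """Validate the two charm options and return (conf_lines, warnings).

    `options` is a dict keyed like config.yaml: 'transport-type' and
    'netapp-server-port' (a string; '' means "let the driver choose").
    Raises ValueError for values that should never reach manila.conf.
    """
    transport = str(options.get("transport-type", "")).strip().lower()
    if transport not in VALID_TRANSPORTS:
        raise ValueError("transport-type must be http or https, got %r" % transport)

    lines = ["netapp_transport_type = %s" % transport]
    warnings = []
    if transport == "http":
        warnings.append("http sends netapp_login/netapp_password unencrypted")

    raw_port = str(options.get("netapp-server-port", "")).strip()
    if raw_port:
        if not raw_port.isdecimal() or not 1 <= int(raw_port) <= 65535:
            raise ValueError("netapp-server-port must be 1-65535, got %r" % raw_port)
        port = int(raw_port)
        lines.append("netapp_server_port = %d" % port)
        other = "http" if transport == "https" else "https"
        if port == DEFAULT_PORTS[other]:
            warnings.append("port %d is the %s default but transport-type is %s"
                            % (port, other, transport))
    # An empty port emits no line, so the driver applies its own 80/443 default.
    return lines, warnings


if __name__ == "__main__":
    # Constructed sample option sets.
    for opts in ({"transport-type": "http", "netapp-server-port": ""},
                 {"transport-type": "https", "netapp-server-port": "80"}):
        print(opts, "->", validate_transport(opts))
```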
