IPA fails ironic devstack jobs when tls-proxy is enabled in devstack
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ironic | Fix Released | High | Ramamani Yeleswarapu | |
Ironic Inspector | Incomplete | High | Ramamani Yeleswarapu | |
Bug Description
A little background on this: I have slowly been trying to get various jobs that use devstack to pass with tls-proxy enabled, with the eventual goal being that tls-proxy is just enabled in devstack by default.
One class of jobs that fail are those that use IPA and devstack together, because the fake baremetal nodes fail to talk to the glance api when it has a cert signed by the temporary devstack CA in front of it.
There are two ways we can address this. The first is to get the image to trust the devstack CA. This is problematic because this CA is different for every job run, so we will need to modify the IPA image somehow in every test to update the trusted certs there to include the devstack CA. The second is to just not verify tls cert authenticity. This is definitely more straightforward but likely less than ideal if anyone is using the images we run in test in production too.
For test log details you can look at the jobs run against https:/
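The trust problem described in the report, reproduced offline as an added example (not part of the original bug report, and not devstack or IPA code). Throwaway CAs created with the `openssl` CLI stand in for the per-run devstack CA; the CA names, host name and file names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway CAs stand in for the per-run devstack CA.
# All subject names and file names here are made up for the example.

# make_pki DIR RUN: create a fresh CA for job run RUN and a server cert signed by it.
make_pki() {
    local d="$1" run="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-ca-$run" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=glance.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/server.csr" -days 1 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/server.pem" >/dev/null 2>&1
}

# trusts BUNDLE CERT: succeed only if CERT chains to a trusted CA.
# The system CA directory is consulted too, but the throwaway CAs are
# never in it, so BUNDLE decides the outcome here.
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: an "image" whose bundle was built during run A meets the API cert of run B.
demo() {
    local a b bundle
    a="$(mktemp -d)"; b="$(mktemp -d)"
    make_pki "$a" run-a; make_pki "$b" run-b
    bundle="$a/image-bundle.pem"
    cp "$a/ca.pem" "$bundle"            # CA baked into the image at build time

    trusts "$bundle" "$a/server.pem" && echo "run A cert, run A bundle: verified"
    trusts "$bundle" "$b/server.pem" || echo "run B cert, run A bundle: REJECTED"

    cat "$b/ca.pem" >> "$bundle"        # per-run step: add the new run's CA
    trusts "$bundle" "$b/server.pem" && echo "run B cert, updated bundle: verified"
    rm -rf "$a" "$b"
}

demo
```

The rejected case is what a client with verification left on sees when its bundle predates the current run's CA; the last step is the per-run bundle update the first option in the report would require.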
Changed in ironic-inspector:
assignee: nobody → Ramamani Yeleswarapu (ramamani-yeleswarapu)
Changed in ironic:
assignee: Dmitry Tantsur (divius) → Ramamani Yeleswarapu (ramamani-yeleswarapu)
Changed in ironic:
assignee: Ramamani Yeleswarapu (ramamani-yeleswarapu) → John L. Villalovos (happycamp)
Changed in ironic:
assignee: John L. Villalovos (happycamp) → Ramamani Yeleswarapu (ramamani-yeleswarapu)
Moved to ironic, as I think it should be fixed in the devstack plugin.