[RFE] Configuration of shared IPMI credentials
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ironic | Confirmed | Wishlist | Unassigned | |
Bug Description
The Ironic reference driver uses an out-of-band management channel for power management, node restart and, later, for low-level node monitoring purposes. For channel establishment, the Ironic conductor shall pass the IPMI authentication procedure using a pre-shared secret. Currently, security credentials used for authentication are configured in the Ironic database via the RESTful API, and activation of the credentials on the BMC side shall be performed by external means.
This blueprint suggests a method to generate, share and configure the BMC secret without manual intervention in the following scenarios:
1. Generation and sharing of a secret on automatic node discovery
2. Generation and sharing of a secret on explicit REST API requests
3. Extension of the procedures above when an external secret store, e.g. Barbican, is used
For this purpose:
- Ironic Agent is to be extended with a new API and a new service to update BMC user credentials via an in-band method, not requiring authentication
- Ironic API is extended with a new vendor passthrough method for setting a new BMC password
- IPMI/PXE driver is updated to generate and store the secret on node discovery and on explicit API requests, and to send it to the Ironic Agent
- IPMI/PXE driver is updated to optionally use an external secret storage (Barbican)
Changed in ironic:
- status: New → Confirmed
- importance: Undecided → Wishlist
- tags: added: rfe
- tags: added: needs-spec
This will need a spec.