openstack
/
ironic-specs
Code Issues Proposed changes

Merge "Add field to accept the default verify_ca path"

This commit is contained in:
Zuul 2024-04-23 13:09:57 +00:00 committed by Gerrit Code Review
parent 888f8581d6 21a3aa613a
commit 3bd3fa371c
2 changed files with 243 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

242
specs/approved/add-default-verify-ca.rst Normal file
View File

@ -0,0 +1,242 @@
..
This work is licensed under a Creative Commons Attribution 3.0 Unported
License.
http://creativecommons.org/licenses/by/3.0/legalcode
================================================
Add a field to accept the default verify_ca path
================================================
https://bugs.launchpad.net/ironic/+bug/2040236
This spec adds an option for setting [driver]verify_ca for each driver.
This value would then be used by Ironic for certificate validation instead of
the default system CA bundle for that driver. Each driver may use a different
CA certificate for this purpose if desired.
Problem description
===================
Currently, Ironic utilizes a system-wide CA certificate bundle to validate
HTTPS connections. However, there are scenarios where this default behavior may
not align with the specific requirements or policies of an organization.
Particularly, when a user specifies that certificate validation is required,
administrators may prefer not to rely on the system's default certificate path
for authentication with BMCs. Instead, they might need to utilize custom CA
certificates, which are tailored to their organizational security policies or
specific use cases.
At present, if the operator desires to configure a custom CA certificate for
communications between Ironic and the BMCs of managed bare-metal servers,
they have the ability to configure the <driver>_verify_ca option on the node or
nodes in question.
This option can be configured to be either true, false, or set to a specific
certificate path. When '<driver>_verify-ca' is set to true, Ironic defaults to
using the system's CA bundle for certificate validation. Furthermore, in cases
where the operator desires to specify a CA certificate outside system CA
bundle, this approach has a serious shortcoming: it requires the operator to
know the exact location of the pre-existing CA certificate in the filesystem.
While this configuration option is set on per-node level through Ironic APIs,
there is no way for the operator to either upload the CA certificate through
those APIs or to determine the filesystem path of such certificate. This is not
a desirable situation. This option is also unsuitable for the use cases where
the operator is only able to interact with Ironic through writing configuration
file and making API calls (which is the case in metal3).
To overcome this limitation, we propose a new configuration option scoped on a
driver level (as opposed to the node level): [driver]verify_ca. This way the
required CA certificates can be deployed to known locations at the deploy time
and Ironic configuration for each driver can be written referencing those
paths.
Proposed change
===============
1. Adding a new option verify_ca for each driver
* Adding a verify_ca option to each driver's conf to accept the specified
value. Making this option configurable on a per-driver level is
consistent with existing configuration options (e.g. kernel_append_params).
It is also very clear what purpose this specific CA certificate serves.
2. Retrieving the path before node verification
* Before performing the node verification, retrieve the certificate path, and
pass it to verify_ca for validation. This implementation vary based on
different vendors.
Alternatives
------------
* Administrators may need to log in to the system where ironic is located and
manually add the desired certificate. Note: this requires modifications of
the trusted CA certificate collection on the machine running Ironic, which
may or may not be desired; there may be use cases where an operator wishes to
trust a certain CA for connections to BMC but not other encrypted
communications involving the server running Ironic.
* Instead of [driver]verify_ca, a global configuration option similar to
[conductor]verify_ca could be considered, however this could lead to
confusion about the impact of setting it (does it apply to all conductor
connections? BMC connections? else?) and would be inconsistent with other,
similar options (e.g. kernel_append_params).
* Using the existing <driver>_verify_ca setting is another alternative,
however it requires prior existence of the desired CA certificate in the
filesystem where Ironic is running as well as operators knowledge of the
exact path, which should not be relied upon and as such is not desired.
Data model impact
-----------------
None
State Machine Impact
--------------------
None
REST API impact
---------------
None
Client (CLI) impact
-------------------
None
RPC API impact
--------------
None
Driver API impact
-----------------
None
Nova driver impact
------------------
None
Ramdisk impact
--------------
None
Security impact
---------------
The introduction of the verify_ca configuration option in
Ironic's driver could have several security implications:
1. Handling of Sensitive Data:
* This change involves the path to CA certificates, which are critical for
secure communications. While the option itself doesn't handle sensitive
data like tokens or keys, it directs Ironic to the location of sensitive
cryptographic material. Proper management and permissions of this path
are essential to prevent unauthorized access.
2. Accessibility of Managed Hardware:
* By allowing a custom CA path, this change could affect the security of the
hardware managed by Ironic. If an incorrect or untrusted CA path is
specified, it could potentially compromise the integrity of the SSL/TLS
connections with the BMCs, impacting the secure management of the
hardware.
Other end user impact
---------------------
None
Scalability impact
------------------
None
Performance Impact
------------------
None
Other deployer impact
---------------------
* At deploy time, one or more custom CA certificates may be installed on the
machine running Ironic under a known path.
* Ironic configuration created at the deploy time will assign the custom
CA certificate to the driver(s) that are expected to be using it.
* Each driver can use a different CA certificate, or the same CA certificate
may be used by multiple drivers if desired.
* The default None value for verify_ca ensures backward
compatibility, using the system's default CA bundle unless overridden.
This approach maintains operational stability for existing deployments
while offering flexibility for custom configurations.
* Ironic will be enhanced to dynamically retrieve the value of
verify_ca for each hardware driver and pass it to the verify_ca
function. This mechanism ensures that SSL/TLS communications with BMCs
across different hardware types can leverage the specified custom CA
certificates.
* The feature requires explicit enablement by deployers. This change will not
automatically activate.
Developer impact
----------------
* Developers will need to ensure that their drivers correctly interpret and
utilize the specified CA path.
Implementation
==============
Assignee(s)
-----------
Primary assignee:
Zhou Hao <zhouhao@fujitsu.com>
Other contributors:
Zou Yu <zouy.fnst@fujitsu.com>
Feng GuangWen <fenggw-fnst@fujitsu.com>
Work Items
----------
* Implement option verify_ca for each vendor.
* Update documentation.
Dependencies
============
None
Testing
=======
* Test the driver to verify that the set path is used when performing
certificate validation.
Upgrades and Backwards Compatibility
====================================
None
Documentation Impact
====================
* The documentation should be updated for each hardware vendor as features are
implemented.
References
==========
None

1
specs/not-implemented/add-default-verify-ca.rst Symbolic link
View File

@ -0,0 +1 @@
../approved/add-default-verify-ca.rst