ssl_ca not supported

Bug #1802407 reported by Narinder Gupta
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Glance-Simplestreams-Sync Charm | Fix Released | Medium | Alex Kavanagh |
simplestreams (Ubuntu) | Fix Released | Medium | Unassigned |
Bionic | New | Undecided | Unassigned |

Bug Description

Glance simplestream sync charm does not support the ssl_ca option, which causes it to fail to connect to the OpenStack API for image sync.

This bug has been created to add an option ssl_ca so that rest of openstack operation can be completed.

Tags: cpe-onsite seg

tags: added: cpe-onsite
Revision history for this message
Narinder Gupta (narindergupta) wrote :

As the customer wanted to use Juju on top of the stack and simplestreams created on the cloud, it is currently blocked, so marking as field critical.

Ryan Beisner (1chb1n)
Changed in charm-glance-simplestreams-sync:
milestone: none → 19.04
assignee: nobody → Alex Kavanagh (ajkavanagh)
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Dean Henrichsmeyer (dean) wrote :

Missing features don't qualify under the Field SLA, removing ~field-*

Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

@narindergupta, please could you elaborate on which bit(s) are missing an SSL option that you need to implement in the customer environment?

Do you mean:

1. SSL between gss and the other OpenStack services within the cloud
2. SSL as part of the syncing process as part of simplestreams? (e.g. specifying the cert chain for an https endpoint).
3. Something else?

Thanks

Revision history for this message
Narinder Gupta (narindergupta) wrote : Re: [Bug 1802407] Re: ssl_ca not supported

Alex, that's a starting point I can see, as this cloud has keystone V3 with
SSL enabled and certs were required to access the OpenStack cloud.

Thanks and Regards,
Narinder Gupta
Canonical, Ltd.
+1.281.736.5150

Ubuntu- Linux for human beings | www.ubuntu.com | www.canonical.com

Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

So having done some preliminary work around adding ssl_ca functionality to the charm, the following areas need to be covered:

1. Adding the ssl_* options to the glance-simple-streams charm
2. Modifying the gss charm to actually use the values
3. Adding tests to the gss charm to ensure that the contract around ssl_* options is maintained over time.
4. Changing simplestreams python package to use SSL endpoints; at present it is unaware of certs, etc.

Thus to provide this feature, both simplestreams and the gss charm need to be modified.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-glance-simplestreams-sync (master)

Fix proposed to branch: master
Review: https://review.openstack.org/623488

Changed in charm-glance-simplestreams-sync:
status: Confirmed → In Progress
Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

Status: so I've submitted my changes to g-s-s charm and to simplestreams module (on LP). Now just need to get those reviewed, and probably raise an SRU to get simplestreams changes backported to bionic.

Scott Moser (smoser)
Changed in simplestreams (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Server Team CI bot (server-team-bot) wrote :

This bug is fixed with commit 99ba3f21 to simplestreams on branch master.
To view that commit see the following URL:
https://git.launchpad.net/simplestreams/commit/?id=99ba3f21

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package simplestreams - 0.1.0-22-g409fdc15-0ubuntu1

---------------
simplestreams (0.1.0-22-g409fdc15-0ubuntu1) disco; urgency=medium

  * debian/README.source: update to refer to upstream packaging
    ubuntu/devel branch.
  * debian/new-upstream-snapshot: remove obsolete bzr tool.
  * New upstream snapshot.
    - tools: rename export-tarball to make-tarball.
    - Do not run flake8 during 'make test', remove 'trusty-flake8' tox env.
    - Add SSL support to simplestreams/openstack.py
      [Alex Kavanagh] (LP: #1802407)
    - Add 'ubuntu' alias to CURRENT_LTS. [Daniel Watkins]
    - tenv: Put topdir/bin before topdir/tools in PATH [Daniel Watkins]

 -- Scott Moser <email address hidden> Mon, 07 Jan 2019 15:38:04 -0500

Changed in simplestreams (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-glance-simplestreams-sync (master)

Reviewed: https://review.openstack.org/623488
Committed: https://git.openstack.org/cgit/openstack/charm-glance-simplestreams-sync/commit/?id=ac1d2b5dda9cbbe56a6657971f5f7c01d5cb9ac9
Submitter: Zuul
Branch: master

commit ac1d2b5dda9cbbe56a6657971f5f7c01d5cb9ac9
Author: Alex Kavanagh <email address hidden>
Date: Fri Dec 7 13:07:31 2018 +0000

    Add ssl_ca option to enable to gss

    This patch enables SSL to be used with glance-simplestreams-sync.
    The ssl_ca option allows a base64 encoded PEM CA certificate to be
    used with g-s-s such that the keystone and glance HTTPS sessions are
    verified using that certificate.

    A new basic_deployment_ssl.py is introduced that just verifies that the
    gss charm can get gss to perform a sync; this verifies that gss can
    communicate with https versions of keystone and glance.

    Note that the simplestreams package also requires a change for SSL to
    function properly. As simplestreams doesn't seem to use PyPi, the
    version from the git master will need to be used.

    Change-Id: Idcdcb2c933a92a558e729aeb718b58d4077621a7
    Closes-Bug: #1802407

Changed in charm-glance-simplestreams-sync:
status: In Progress → Fix Committed
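
The commit message above describes ssl_ca as a base64-encoded PEM CA certificate used to verify the keystone and glance HTTPS sessions. As an added example (not code from the charm or from simplestreams), the following Python validates such a value before anything trusts it, records a fingerprint of what will be trusted, and builds a TLS context pinned to that CA; every function name is hypothetical and the sample value is constructed.

```python
import base64
import binascii
import hashlib
import os
import re
import ssl
import tempfile

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s.+?\s-----END CERTIFICATE-----", re.DOTALL)
# Constructed sample: PEM framing around placeholder bytes, not a real CA.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder, not a real CA").decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_SSL_CA = base64.b64encode(SAMPLE_PEM.encode()).decode()


def decode_ssl_ca(ssl_ca_b64):
    """Return the PEM certificate blocks held in a base64 ssl_ca value."""
    try:
        # validate=True rejects stray characters (e.g. raw PEM pasted in)
        raw = base64.b64decode("".join(ssl_ca_b64.split()), validate=True)
        pem = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("ssl_ca is not base64-encoded PEM text") from exc
    certs = PEM_CERT_RE.findall(pem)
    if not certs:
        raise ValueError("ssl_ca contains no PEM CERTIFICATE block")
    return certs


def fingerprints(certs):
    """SHA-256 over each block's DER bytes, to log exactly what gets trusted."""
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(c)).hexdigest() for c in certs]


def write_ca_bundle(certs, path):
    """Write the bundle atomically; a CA certificate is public, so 0644."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(certs) + "\n")
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return path


def verified_context(ca_path):
    """TLS context that trusts only ca_path and keeps hostname checking on."""
    return ssl.create_default_context(cafile=ca_path)
```

Rejecting a malformed value at configuration time keeps the failure visible to the operator, rather than surfacing later as a certificate verification error during a sync or tempting someone to turn verification off.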
Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

Narinder: So now the charm and gss should support ssl (at least in my tests!) Please could you test them and comment back here the results. Thanks, Alex.

David Ames (thedac)
Changed in charm-glance-simplestreams-sync:
status: Fix Committed → Fix Released
Felipe Reyes (freyes)
tags: added: seg
Revision history for this message
Teluka (mateusz-p) wrote :

Hi Alex

Can we get this fix backported to Bionic?

I have a UAI customer that is affected by this bug.

I've tested the provided patch on Bionic and it fixes this issue.

Thanks

Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

Hi Mateusz

> Can we get this fix backported to Bionic?

Not sure, as it is a new feature rather than a bug fix. However, it is 'bug' like in that one would expect it to work; I can ask, though.
