Certificate Validation

Registered by Dane Fichter

OpenStack now supports signature verification for signed images. However, it does not support strong certificate validation for certificates used to generate image signatures. Specifically, nova has no mechanism to identify trusted certificates. While nova verifies the signature of a signed image, there is no way to determine if the certificate used to generate and verify that signature is a certificate that is trusted by the user. This change will introduce an addition to the nova API allowing the user to specify a list of trusted certificates when creating or rebuilding a server. These trusted certificates will be used to conduct certificate validation in concert with signature verification, providing the user confidence in the integrity of the image being booted.

Etherpad with overview and instructions to test: https://etherpad.openstack.org/p/queens-nova-certificate-validation

Blueprint information

Jay Pipes
Peter Hamilton
Peter Hamilton
Series goal: Accepted for rocky
Milestone target: rocky-3
Started by Matt Riedemann
Completed by Matt Riedemann

Related branches



This work previously fell under the following, more broadly scoped blueprint:

Accompanying spec: https://review.openstack.org/#/c/357151/

Gerrit topic: https://review.openstack.org/#q,topic:bp/nova-validate-certificates,n,z

Addressed by: https://review.openstack.org/357151
    Add support for certificate validation

Approved for Pike. -- mriedem 20170414

Addressed by: https://review.openstack.org/457678
    Add configuration options for certificate validation

Addressed by: https://review.openstack.org/457711
    Add trusted certificates to InstanceExtras

Addressed by: https://review.openstack.org/479949
    [WIP] Implement certificate_utils

Addressed by: https://review.openstack.org/486204
    WIP Add trusted_certificates to REST API

Marking this as blocked for Pike since the Nova changes depend on https://review.openstack.org/#/c/357202/ in the cursive library and the non-client library freeze for Pike was July 20, and we're past that point so this is going to have to be deferred to Queens. -- mriedem 20170726

We're past feature freeze for Pike so I'm deferring this to Queens. Please re-propose the spec for re-approval in Queens and make any adjustments to the spec as necessary if the design has changed. -- mriedem 20170728

Addressed by: https://review.openstack.org/488541
    Add support for certificate validation

Addressed by: https://review.openstack.org/489408
    Add trusted_certs to Instance object

Re-approved for Queens. -- mriedem 20171019

Gerrit topic: https://review.openstack.org/#q,topic:extra_attrs_func,n,z

Addressed by: https://review.openstack.org/537728
    Reduce complexity of _from_db_object

Addressed by: https://review.openstack.org/537897
    Add trusted_certs to instance_extra

We're now past feature freeze for Queens and there are still outstanding changes for this series, so this is being deferred to Rocky. Please re-propose the spec for Rocky and we'll try to get it merged early in the first milestone. -- mriedem 20180126

Addressed by: https://review.openstack.org/540879
    Add support for certificate validation

Re-approved for Rocky. -- mriedem 20180312

Addressed by: https://review.openstack.org/560158
    Add certificate validation docs

Addressed by: https://review.openstack.org/561262
    Plumb trusted_certs through libvirt driver image paths

Addressed by: https://review.openstack.org/563269
    Add notification support for trusted_certs

Addressed by: https://review.openstack.org/570381
    Add support for certificate validation

Addressed by: https://review.openstack.org/574890
    WIP: Add trusted certs to feature support matrix docs

Addressed by: https://review.openstack.org/574911
    Remove max_size parameter from fake_libvirt_utils.fetch_*image methods

Addressed by: https://review.openstack.org/575521
    Fix nits from trusted certs notification change

The nova server and python-novaclient changes are all merged for Rocky using the 2.63 compute REST API microversion. The python-openstackclient change is still open and needs work, but we can do that separate from this blueprint. -- mriedem 20180618


Work Items
