Add configuration options for certificate validation

PeterHamilton · PeterHamilton · commit 05bf72694147 · 2017-05-30T09:40:15.000-04:00
This change adds two configuration options to support certificate
validation: (1) enable_certificate_validation, which enables the
checking of certificate validity during image signature
verification, and (2) default_trusted_certificate_ids, which
defines a deployment-wide default list of trusted certificates
that should be used for certificate validation if not overriden by
the user. Both options work with the verify_glance_signatures
options defined in the glance configuration group.

DocImpact

Change-Id: If7b6e76519b0e37115a35b180b11959fe8a24582
diff --git a/nova/conf/glance.py b/nova/conf/glance.py
@@ -83,6 +83,54 @@
 
 * The options in the `key_manager` group, as the key_manager is used
   for the signature validation.
+* Both enable_certificate_validation and default_trusted_certificate_ids
+  below depend on this option being enabled.
+"""),
+    cfg.BoolOpt('enable_certificate_validation',
+        default=False,
+        deprecated_for_removal=True,
+        deprecated_since='16.0.0',
+        deprecated_reason="""
+This option is intended to ease the transition for deployments leveraging
+image signature verification. The intended state long-term is for signature
+verification and certificate validation to always happen together.
+""",
+        help="""
+Enable certificate validation for image signature verification.
+
+During image signature verification nova will first verify the validity of the
+image's signing certificate using the set of trusted certificates associated
+with the instance. If certificate validation fails, signature verification
+will not be performed and the image will be placed into an error state. This
+provides end users with stronger assurances that the image data is unmodified
+and trustworthy. If left disabled, image signature verification can still
+occur but the end user will not have any assurance that the signing
+certificate used to generate the image signature is still trustworthy.
+
+Related options:
+
+* This option only takes effect if verify_glance_signatures is enabled.
+* The value of default_trusted_certificate_ids may be used when this option
+  is enabled.
+"""),
+    cfg.ListOpt('default_trusted_certificate_ids',
+        default=[],
+        help="""
+List of certificate IDs for certificates that should be trusted.
+
+May be used as a default list of trusted certificate IDs for certificate
+validation. The value of this option will be ignored if the user provides a
+list of trusted certificate IDs with an instance API request. The value of
+this option will be persisted with the instance data if signature verification
+and certificate validation are enabled and if the user did not provide an
+alternative list. If left empty when certificate validation is enabled the
+user must provide a list of trusted certificate IDs otherwise certificate
+validation will fail.
+
+Related options:
+
+* The value of this option may be used if both verify_glance_signatures and
+  enable_certificate_validation are enabled.
 """),
     cfg.BoolOpt('debug',
          default=False,
