Please see https://review.openstack.org/#/c/186617 - Nova Instance Users and 
review.

We're working hard on trying to get heat -> nova -> instance -> barbican secret 
storage workflow working smoothly.

Also related are: https://review.openstack.org/#/c/190404/ - Barbican ACLs and
https://review.openstack.org/#/c/190732/ - Unscoped Service Catalog.

Thanks,
Kevin
________________________________
From: Madhuri Rai [madhuri.ra...@gmail.com]
Sent: Sunday, June 14, 2015 10:30 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: [openstack-dev] [Magnum] TLS Support in Magnum

Hi All,

This is to bring the blueprint secure-kubernetes
<https://blueprints.launchpad.net/magnum/+spec/secure-kubernetes>
into discussion. I have been trying to figure out what the possible areas of
change could be to support this feature in Magnum. Below is just a rough idea
of how to proceed further on it.

This task can be further broken into smaller pieces.

1. Add support for TLS in python-k8sclient.
The current auto-generated code doesn't support TLS. So this work will be to
add TLS support in the Kubernetes Python APIs.

2. Add support for Barbican in Magnum.
Barbican will be used to store all the keys and certificates.

3. Add support for TLS in Magnum.
This work mainly involves supporting the use of keys and certificates in Magnum
to support TLS.

The user generates the keys and certificates and stores them in Barbican. Now
there are two ways to access these keys while creating a bay.

1. Heat will access Barbican directly.
While creating a bay, the user will provide this key and heat templates will
fetch this key from Barbican.

2. Magnum-conductor accesses Barbican.
While creating a bay, the user will provide this key and then Magnum-conductor
will fetch this key from Barbican and provide this key to heat.

Then heat will copy these files onto the Kubernetes master node. Then the bay
will use this key to start Kubernetes services signed with these keys.


After discussion, when we all come to the same point, I will create separate
blueprints for each task.
I am currently working on configuring Kubernetes services with TLS keys.

Please provide your suggestions if any.


Regards,
Madhuri