Hey Douglas,

Thanks for the reply. Will look into barbican ACLs and test it out.
Also, had 1 more follow-up question…

1) Currently the HAProxy LBaaS instance sits on the controller. The certificate download happens on the controller too.
2) Once we move to service-vm model, where service-vms could reside on compute hypervisors, where will the cert download happen? Still on controller in the flow?

Thanks,
Varun

On 9/18/15, 10:53 PM, "Douglas Mendizábal" <[email protected]> wrote:

>Hi Varun,
>
>I believe the expected workflow for this use case is:
>
>1. User uploads cert + key to Barbican
>2. User grants lbaas access to the barbican certificate container
>using the ACL API [1]
>3. User requests tls container by providing Barbican container reference
>
>Since the user grants the lbaas user access in step 2, the token
>generated using the conf file credentials will be accepted by Barbican
>and the certificate will be made available to lbaas.
>
>- Douglas Mendizábal
>
>[1] http://docs.openstack.org/developer/barbican/api/quickstart/acls.html
>
>On 9/19/15 12:13 AM, Varun Lodaya wrote:
>> Hi Guys,
>>
>> With lbaasv2, I noticed that when we try to associate tls
>> containers with lbaas listeners, lbaas tries to validate the
>> container and while doing so, tries to get keystone token based on
>> tenant/user credentials in neutron.conf file. However, the barbican
>> containers could belong to different users in different tenants, in
>> that case, container look up would always fail? Am I missing
>> something?
>>
>> Thanks, Varun

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
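The ACL grant from step 2 of the quoted workflow, as an added example that is not part of the original thread or of the Barbican or neutron-lbaas code: it builds the ACL API request for a container reference and uses a simplified model of the read decision to show why the lookup fails across tenants before the grant and succeeds after it. The container reference, user ids, project names and the `can_read` model are constructed assumptions.

```python
import json
from urllib.parse import urlparse


def acl_request(container_ref, user_ids, project_access=True):
    """Step 2: build the ACL API call granting read access on a container."""
    parts = urlparse(container_ref).path.rstrip("/").split("/")
    if len(parts) < 2 or parts[-2] != "containers":
        raise ValueError("not a container reference: %r" % container_ref)
    body = {"read": {"users": sorted(set(user_ids)),
                     "project-access": project_access}}
    return "PUT", container_ref.rstrip("/") + "/acl", json.dumps(body)


def can_read(resource, token):
    """Simplified model of the read decision (assumption, not Barbican code)."""
    read_acl = resource.get("acl", {}).get("read", {})
    if token["user_id"] in read_acl.get("users", []):
        return True  # explicitly granted, regardless of project
    same_project = token["project_id"] == resource["project_id"]
    return same_project and read_acl.get("project-access", True)


# Constructed sample data: a container owned by tenant-a, the service user
# from the conf file credentials, and an unrelated user in another tenant.
CONTAINER_REF = ("https://barbican.example.test:9311/v1/containers/"
                 "00000000-0000-0000-0000-000000000001")
LBAAS_TOKEN = {"user_id": "lbaas-svc-id", "project_id": "service"}
OTHER_TOKEN = {"user_id": "other-user-id", "project_id": "tenant-b"}


def demo():
    container = {"project_id": "tenant-a", "acl": {}}
    before = can_read(container, LBAAS_TOKEN)       # cross-tenant, no grant
    _, _, body = acl_request(CONTAINER_REF, [LBAAS_TOKEN["user_id"]])
    container["acl"] = json.loads(body)             # owner applies the grant
    return (before,
            can_read(container, LBAAS_TOKEN),       # granted service user
            can_read(container, OTHER_TOKEN))       # still denied


if __name__ == "__main__":
    print(acl_request(CONTAINER_REF, [LBAAS_TOKEN["user_id"]]))
    print(demo())
```

The grant names a single user id, so only the service account gains read access; other users outside the owning project remain denied.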
