Hi,
We definitely need a person who will help with design for the feature.
Here is the list of open questions:
1. UI design for certificate uploading
2. CLI
3. diagnostic snapshot sanitising
4. REST API/DB design
5. background tasks for nailgun (?)
6. do we need a separate container for certificate signing? I don't think
that we need one if it's not a separate service. If it's a command line
tool, it can be installed in the nailgun container, in case we implement
background tasks for nailgun, or in the mcollective container.
Thanks,
On Tue, Sep 9, 2014 at 2:09 PM, Guillaume Thouvenin thouv...@gmail.com
wrote:
I think that the management of certificates should be discussed in the
ca-deployment blueprint [3]
We had some discussions and it seems that one idea is to use a docker
container as the root authority. By doing this we should be able to sign
certificates from Nailgun and distribute the certificate to the
corresponding controllers. So one way to see this is:
1) a new environment is created
2) Nailgun generates a key pair that will be used for the new env.
3) Nailgun sends a CSR that contains the VIP used by the new environment
and signed by the newly created private key to the docker root CA.
4) the docker CA will send back a signed certificate.
5) Nailgun distributes this signed certificate and the env private key to
the corresponding controller through mcollective.
It's not clear to me how Nailgun will interact with the docker CA and I also
have some concerns about the storage of the different private keys of
environments, but it is the idea...
If needed I can start to fill in the ca-deployment blueprint according to this
scenario, but I guess that we need to approve the BP [3].
So I think that we need to start on [3]. As this is required for OSt
public endpoint SSL and also for Fuel SSL it can be quicker to make a first
stage where a self-signed certificate is managed from nailgun and a second
stage with the docker CA...
Best regards,
Guillaume
[3] https://blueprints.launchpad.net/fuel/+spec/ca-deployment
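Steps 2) to 4) above, plus the "first stage" self-signed variant, as an added example driven with the openssl CLI. This is not Fuel or Nailgun code; the directory layout (a CA_DIR standing in for the docker root CA, an ENV_DIR standing in for Nailgun's per-environment storage), the CA name fuel-root-ca and the sample VIP 10.20.0.2 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Fuel/Nailgun code: key pair -> CSR -> CA signature
# with the openssl CLI. Paths, CA name and the sample VIP are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_DIR="$WORKDIR/ca"      # what the "docker root CA" would hold
ENV_DIR="$WORKDIR/envs"   # what Nailgun would hold per environment
mkdir -p "$CA_DIR" "$ENV_DIR"

# Stage two: the root authority. ca.key never leaves CA_DIR; only ca.crt
# is handed out to Nailgun and the controllers.
make_root_ca() {
  cat > "$CA_DIR/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = fuel-root-ca
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$CA_DIR/ca.key" 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -key "$CA_DIR/ca.key" \
    -config "$CA_DIR/ca.cnf" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# Steps 2 and 3: a per-environment key pair and a CSR that carries the
# environment's VIP. The VIP goes into subjectAltName as an IP entry,
# which is what TLS clients actually match against.
make_env_csr() {
  env=$1; vip=$2
  cat > "$ENV_DIR/$env.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $vip
[v3_req]
subjectAltName = IP:$vip
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = critical, CA:FALSE
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$ENV_DIR/$env.key" 2>/dev/null
  openssl req -new -sha256 -key "$ENV_DIR/$env.key" \
    -config "$ENV_DIR/$env.cnf" -out "$ENV_DIR/$env.csr" 2>/dev/null
}

# Step 4: the CA side. It first checks the CSR's self-signature (proof that
# the requester holds the private key), then issues with its OWN leaf
# profile for the VIP it was told about, rather than copying whatever
# extensions the CSR asked for, so a CSR cannot request CA:TRUE and get it.
sign_env_csr() {
  env=$1; vip=$2
  openssl req -verify -noout -in "$ENV_DIR/$env.csr" >/dev/null 2>&1 || return 1
  cat > "$CA_DIR/leaf-$env.ext" <<EOF
[leaf]
subjectAltName = IP:$vip
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = critical, CA:FALSE
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -sha256 -days 365 -in "$ENV_DIR/$env.csr" \
    -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
    -extfile "$CA_DIR/leaf-$env.ext" -extensions leaf \
    -out "$ENV_DIR/$env.crt" 2>/dev/null
}

# Stage one from the thread: no CA yet, so a self-signed certificate is
# issued for the environment from the same key and request profile.
make_env_self_signed() {
  env=$1
  openssl req -x509 -new -sha256 -days 365 -key "$ENV_DIR/$env.key" \
    -config "$ENV_DIR/$env.cnf" -extensions v3_req \
    -out "$ENV_DIR/$env.selfsigned.crt" 2>/dev/null
}

# What a controller (or a diagnostic check) can verify after step 5:
# the issued certificate chains to ca.crt and names the expected VIP.
# Prints OK on success, nothing and a non-zero status otherwise.
verify_env_cert() {
  env=$1; vip=$2
  openssl verify -CAfile "$CA_DIR/ca.crt" "$ENV_DIR/$env.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$ENV_DIR/$env.crt" -noout -text \
    | grep -q "IP Address:$vip" || return 1
  echo OK
}

# Walk through both stages with a constructed environment name and VIP.
make_root_ca
make_env_csr env1 10.20.0.2
sign_env_csr env1 10.20.0.2
make_env_self_signed env1
echo "stage two certificate for env1: $(verify_env_cert env1 10.20.0.2)"
```

Only ca.crt, the CSR and the issued certificate cross the boundary between CA_DIR and ENV_DIR; the CA key stays on the CA side and each environment's private key stays on Nailgun's side, which is the split the storage concern above is about. Note that the self-signed stage one certificate does not verify against ca.crt, so controllers pinned to it in stage one will need the new certificate pushed when stage two replaces it.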
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev