Re: [openstack-dev] [Fuel] SSL in Fuel

2014-09-11 Thread Evgeniy L
Hi,

We definitely need a person who will help with design for the feature.

Here is the list of open questions:

1. UI design for certificates uploading
2. CLI
3. diagnostic snapshot sanitising
4. REST API/DB design
5. background tasks for nailgun (?)
6. do we need a separate container for certificate signing? I don't think
that we need one if it's not a separate service. If it is a command line
tool, it can be installed in the nailgun container, in case we implement
background tasks for nailgun, or in the mcollective container.

Thanks,

On Tue, Sep 9, 2014 at 2:09 PM, Guillaume Thouvenin thouv...@gmail.com
wrote:

 I think that the management of certificates should be discussed in the
 ca-deployment blueprint [3]

 We had some discussions and it seems that one idea is to use a docker
 container as the root authority. By doing this we should be able to sign a
 certificate from Nailgun and distribute the certificate to the
 corresponding controllers. So one way to see this is:

 1) a new environment is created
 2) Nailgun generates a key pair that will be used for the new env.
 3) Nailgun sends a CSR that contains the VIP used by the new environment
 and is signed by the newly created private key to the docker root CA.
 4) the docker CA will send back a signed certificate.
 5) Nailgun distributes this signed certificate and the env private key to
 the corresponding controller through mcollective.

 It's not clear to me how Nailgun will interact with the docker CA and I also
 have some concerns about the storage of the different private keys of the
 environments, but it is the idea...
 If needed I can start to fill the ca-deployment according to this scenario
 but I guess that we need to approve the BP [3].

 So I think that we need to start on [3]. As this is required for OSt
 public endpoint SSL and also for Fuel SSL it can be quicker to make a first
 stage where a self-signed certificate is managed from nailgun and a second
 stage with the docker CA...

 Best regards,
 Guillaume

 [3] https://blueprints.launchpad.net/fuel/+spec/ca-deployment

 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


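The five-step flow quoted above, carried out with the openssl CLI as an added illustration. This is not Fuel, Nailgun or ca-deployment code; the environment name env-1, the VIP 10.20.0.2 and all file names are assumptions. A root CA standing in for the docker CA container signs a CSR that carries the environment VIP, and the result is checked before anything would be handed to mcollective. Two points the steps leave implicit are made explicit here: the CA only ever receives the CSR, so the environment private key stays on the Nailgun side until step 5; and the CA refuses a CSR whose name is not the VIP registered for that environment and sets the certificate extensions itself instead of copying them from the request.

```shell
#!/bin/sh
# Added illustration, not code from Fuel, Nailgun or the ca-deployment
# blueprint. Models the flow proposed in the thread with the openssl CLI:
# a root CA (stand-in for the docker CA container) signs a CSR carrying the
# environment VIP, and the result is checked before distribution.
# The env name "env-1", the VIP 10.20.0.2 and the file names are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the docker root CA. Its private key never leaves $WORK.
make_root_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Fuel root CA (example)
[ca_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -out "$WORK/ca.crt"
}

# Steps 2-3 (Nailgun side): per-environment key pair and a CSR whose subject
# and SAN are the environment VIP. Only the CSR is sent to the CA.
make_env_csr() {           # $1 = env name, $2 = VIP
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  cat > "$WORK/$1.csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = req_ext
prompt = no
[dn]
CN = $2
[req_ext]
subjectAltName = IP:$2
EOF
  openssl req -new -key "$WORK/$1.key" -config "$WORK/$1.csr.cnf" \
    -out "$WORK/$1.csr"
}

# Step 4 (CA side): check the CSR signature, check that the requested name is
# the VIP registered for this env, then issue with extensions the CA chooses
# itself (end-entity only, TLS server) rather than whatever the CSR asked for.
issue_env_cert() {         # $1 = env name, $2 = VIP registered for that env
  openssl req -in "$WORK/$1.csr" -verify -noout 2>/dev/null || return 1
  openssl req -in "$WORK/$1.csr" -noout -text | grep -q "IP Address:$2\$" \
    || { echo "refusing CSR for $1: SAN is not the registered VIP $2" >&2; return 1; }
  cat > "$WORK/$1.ext.cnf" <<EOF
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$2
EOF
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$1.ext.cnf" \
    -extensions leaf -out "$WORK/$1.crt" 2>/dev/null
}

# Before step 5: the certificate must belong to the key it will be paired
# with on the controller (compare the SPKI in both).
key_matches_cert() {       # $1 = env name
  [ "$(openssl rsa -in "$WORK/$1.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORK/$1.crt" -pubkey -noout)" ]
}

# What mcollective would push: chains to the root, is not a CA, names the VIP,
# and matches the env key.
verify_env_cert() {        # $1 = env name, $2 = VIP
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 \
    && openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "CA:FALSE" \
    && openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "IP Address:$2\$" \
    && key_matches_cert "$1"
}

make_root_ca
make_env_csr env-1 10.20.0.2
issue_env_cert env-1 10.20.0.2
verify_env_cert env-1 10.20.0.2
echo "env-1: certificate for 10.20.0.2 chains to the root CA, ready for distribution"
# A CSR whose name is not the VIP recorded for the env must be refused.
if issue_env_cert env-1 10.20.0.3; then echo "BUG: mismatched CSR was signed"; exit 1; fi
```

Run it with sh; it leaves the CA key, the environment key and the signed certificate in a temporary directory (WORK). What it does not address is the concern raised in the quoted mail about storing the per-environment private keys: openssl writes them unencrypted, and how Nailgun keeps them and how mcollective transports them to the controllers is exactly the part the blueprint still has to decide.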


[openstack-dev] [Fuel] SSL in Fuel

2014-09-08 Thread Sebastian Kalinowski
Hi all,

As the next step for improving Fuel security we are introducing SSL for both
Fuel [1] and OS API endpoints [2]. Both specs assume usage of self-signed
certificates generated by Fuel.
It is also required to allow users to use their own certs to secure their
deployments
(two blueprints that touch that part are [3] and [4]).

We would like to start a discussion to see what opinions (and maybe ideas)
you have for that feature.

Best,
Sebastian

[1] https://review.openstack.org/#/c/119330
[2] https://review.openstack.org/#/c/102273
[3] https://blueprints.launchpad.net/fuel/+spec/ca-deployment
[4] https://blueprints.launchpad.net/fuel/+spec/manage-ssl-certificate


Re: [openstack-dev] [Fuel] SSL in Fuel

2014-09-08 Thread Adam Lawson
blueprints for non-self-signed certs/PKI for starters.


Adam Lawson
CEO, Principal Architect

AQORN, Inc.
427 North Tatnall Street
Ste. 58461
Wilmington, Delaware 19801-2230
Toll-free: (844) 4-AQORN-NOW ext. 101
International: +1 302-387-4660
Direct: +1 916-246-2072




