I think that the management of certificates should be discussed in the
ca-deployment blueprint [3].

We had some discussions and it seems that one idea is to use a docker
container as the root authority. By doing this we should be able to sign
certificates from Nailgun and distribute the certificates to the
corresponding controllers. So one way to see this is:

1) a new environment is created
2) Nailgun generates a key pair that will be used for the new env.
3) Nailgun sends a CSR that contains the VIP used by the new environment
and signed by the newly created private key to the docker "root CA".
4) the docker "CA" will send back a signed certificate.
5) Nailgun distributes this signed certificate and the env private key to
the corresponding controllers through mcollective.

It's not clear to me how Nailgun will interact with the docker CA and I also
have some concerns about the storage of the different private keys of the
environments, but that is the idea...
If needed I can start to fill in the ca-deployment blueprint according to this
scenario, but I guess that we need to approve the BP [3] first.

So I think that we need to start on [3]. As this is required for OSt public
endpoint SSL and also for Fuel SSL it can be quicker to make a first stage
where a self-signed certificate is managed from nailgun and a second stage
with the docker CA...

Best regards,

[3] https://blueprints.launchpad.net/fuel/+spec/ca-deployment
OpenStack-dev mailing list
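The key/CSR/sign/verify flow sketched in steps 2-4 above, as an added openssl walkthrough that is not code from the post or from Fuel: the "root CA" and "Nailgun" roles are plain shell functions, and the work directory, CA name and the VIP 10.20.0.2 are constructed values. It also adds the check a controller or client should make on the received certificate.

```shell
#!/bin/sh
# Added demo of the CSR flow from the post, using plain openssl.
# Constructed values: the work dir, the CA subject and the VIP passed in.
set -e
WORK="${WORK:-$(mktemp -d)}"

# The "root CA" side: a self-signed CA key and certificate.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Fuel Root CA" 2>/dev/null
}

# The Nailgun side (steps 2-3): a key pair for the environment and a CSR
# whose subjectAltName carries the environment VIP. openssl req signs the
# CSR with the new env key, which is the "signed by the newly created
# private key" part of step 3.
make_env_csr() {
  vip="$1"
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n'
    printf '[dn]\nCN = %s\n[v3_req]\nsubjectAltName = IP:%s\n' "$vip" "$vip"
  } > "$WORK/env.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/env.cnf" \
    -keyout "$WORK/env.key" -out "$WORK/env.csr" 2>/dev/null
}

# The CA side (step 4): sign the CSR with the CA key. openssl x509 -req
# does not carry CSR extensions over, so the same v3_req section is
# applied explicitly; otherwise the SAN would silently be lost.
sign_env_csr() {
  openssl x509 -req -days 365 -in "$WORK/env.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/env.cnf" -extensions v3_req \
    -out "$WORK/env.crt" 2>/dev/null
}

# What a controller (or a client hitting the VIP) should check on the
# certificate it receives: it chains to the root CA and its SAN names
# the expected VIP. Returns non-zero if either check fails.
verify_env_cert() {
  vip="$1"
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/env.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$WORK/env.crt" -noout -text | grep -q "IP Address:$vip"
}
```

Run as `make_root_ca; make_env_csr 10.20.0.2; sign_env_csr; verify_env_cert 10.20.0.2`; the files land in `$WORK`.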