On 10 Sep 2014, at 12:54, Simon Pasquier <[email protected]> wrote:
> Hello,
>
> Let's back up a bit and list the different options for Fuel users:
> 0/ The user is happy with plain HTTP.
> => Already supported :)
> 1/ The user wants HTTPS but doesn't want the burden associated with
> certificate management.
> => Fuel creates and manages the SSL certificates, be they self-signed or
> signed by some internal CA.
> => Using an internal CA instead of multiple self-signed certificates is
> cleaner as you explained.
> 2/ The user wants HTTPS and wants to use certificates which are generated by
> an external source (either some internal corporate PKI or some public
> certificate authority)
> => Fuel supports certificate + key uploads
> => It should be possible to tell Fuel which entity (Fuel, OSt environment)
> uses which certificate
> 3/ The user wants HTTPS and agrees to let Fuel generate certificates on
> behalf of some corporate PKI.
> => Fuel supports CA + key uploads
>
> I think that option 1 is the way to go for a first approach. Option 2 is
> definitely something that end-users would need at some point. I'm less
> convinced by option 3: if I were a PKI admin, I'd be reluctant to let Fuel
> generate certificates on its own. Also my gut feeling tells me that
> implementing 1 & 2 is already quite a lot of work.
>
> I've also added some questions/comments inline.

Regarding After careful consideration, I think that for 6.0 we will only be able to implement [2] with limited functionality. In terms of certificate management, we could offer uploading a customer-generated cert (and maybe provide a short doc on how to spawn a CA + sign certs) or, if the user does not want to do it, generate a simple self-signed cert, install it on the Fuel HTTP server and let the user download it. After 6.0 we can concentrate on a proper implementation of CA management, and then allow the Fuel master node part to use it.

[1] https://blueprints.launchpad.net/fuel/+spec/ca-deployment
[2] https://blueprints.launchpad.net/fuel/+spec/fuel-ssl-endpoints
[3] https://blueprints.launchpad.net/fuel/+spec/ssl-endpoints

--
Tomasz 'Zen' Napierala
Sr. OpenStack Engineer
[email protected]
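
The "spawn CA + sign certs" step and the certificate + key upload option discussed in this thread, sketched with the `openssl` CLI. This is an added example, not part of the original messages and not Fuel code; the function names, file layout and `*.example.test` hostnames are assumptions made for illustration.

```bash
# Added example: throwaway internal CA plus a pre-install check for an
# uploaded certificate/key pair. All names and hostnames are constructed.
set -eu

# Create an internal CA (private key + self-signed CA certificate) in directory $1.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Internal CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue a server certificate for hostname $2, signed by the CA stored in $1.
issue_cert() {
  local dir="$1" host="$2"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" \
    > "$dir/$host.ext"
  openssl x509 -req -in "$dir/$host.csr" -days 30 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Check an uploaded pair before installing it: the private key must match the
# certificate's public key, and the certificate must chain to the given CA.
check_upload() {
  local cert="$1" key="$2" ca="$3" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "certificate does not chain to CA"; return 1; }
  echo "ok"
}

# Demo run in a temporary directory.
demo_dir=$(mktemp -d)
make_ca "$demo_dir"
issue_cert "$demo_dir" fuel.example.test
check_upload "$demo_dir/fuel.example.test.crt" "$demo_dir/fuel.example.test.key" "$demo_dir/ca.crt"
rm -rf "$demo_dir"
```

With one CA, clients only need to trust `ca.crt` to validate every endpoint certificate issued from it, whereas each self-signed certificate has to be distributed and trusted individually.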
