We definitely need a person who will help with design for the feature.

Here is the list of open questions:

1. UI design for certificates uploading
2. CLI
3. diagnostic snapshot sanitising
4. REST API/DB design
5. background tasks for nailgun (?)
6. do we need separate container to certificates signing? I don't think
that we need if it's
    not separate service. If it command line tool, it can be installed in
nailgun container, in
    case if we implement background tasks for nailgun, or in mcollective


On Tue, Sep 9, 2014 at 2:09 PM, Guillaume Thouvenin <thouv...@gmail.com>

> I think that the management of certificates should be discussed in the
> ca-deployment blueprint [3]
> We had some discussions and it seems that one idea is to use a docker
> container as the root authority. By doing this we should be able to sign
> certificate from Nailgun and distribute the certificate to the
> corresponding controllers. So one way to see this is:
> 1) a new environment is created
> 2) Nailgun generates a key pair that will be used for the new env.
> 3) Nailgun sends a CSR that contains the VIP used by the new environment
> and signed by the newly created private key to the docker "root CA".
> 4) the docker "CA" will send back a signed certificate.
> 5) Nailgun distribute this signed certificate and the env private key to
> the corresponding controller through mcollective.
> It's not clear to me how Nailgun will interact with docker CA and I aslo
> have some concerns about the storage of different private key of
> environments but it is the idea...
> If needed I can start to fill the ca-deployment according to this scenario
> but I guess that we need to approve the BP [3].
> So I think that we need to start on [3]. As this is required for OSt
> public endpoint SSL and also for Fuel SSL it can be quicker to make a first
> stage where a self-signed certificate is managed from nailgun and a second
> stage with the docker CA...
> Best regards,
> Guillaume
> [3] https://blueprints.launchpad.net/fuel/+spec/ca-deployment
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
OpenStack-dev mailing list

Reply via email to