I think it’s better to use Barbican.
It provides a CA function and also secure key storage.

magnum-conductor should store the conductor’s client key to connect to the k8s api server.


Thanks
-Yuanying


On Thursday, July 9, 2015 at 10:12, Madhuri wrote:

> Hi All,
>  
> Magnum as a CA mainly aims at how certificates and keys for both 
> client(magnum-conductor)
> and server(kube-apiserver) will be generated and who will be the CA.
>  
> Blueprint Link: https://blueprints.launchpad.net/magnum/+spec/magnum-as-a-ca
>  
> Currently we have 3 options to generate certificates.
>  
> 1. Write our own tool.
> In this approach, we will have our own tool to generate a certificate signed by
> the CA.
> A review has been submitted for it:
> https://review.openstack.org/#/c/199493/
>  
>  
> 2. Using Anchor.
> Anchor is a stackforge project that automates the verification of CSRs and 
> signs certificates for clients.
> https://github.com/stackforge/anchor 
>  
> Anchor can be used to generate a signed certificate.
>  
> 3. Using Barbican.
> Barbican can also be used for generating certificates signed by some CA
> plugins.
> http://docs.openstack.org/developer/barbican/plugin/certificate.html 
>  
> Moreover it can also be used to store certificates securely.
>  
> Folks, please provide your views on which is the most suitable option for 
> adding TLS support in Magnum.
>  
> Also, we will have a meeting on #openstack-containers at 23:30 UTC to discuss 
> the same. Request Barbican and Anchor developers also to join.
>  
>  
> Regards
> Madhuri
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: [email protected]?subject:unsubscribe 
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>  
>  

