Hi, On Thu, Jul 9, 2015 at 11:13 AM, OTSUKA, Motohiro <[email protected]> wrote:
> I think it’s better to use Barbican, > It provides CA function and also secure key storage. > Agree. Barbican is suitable for us in both the cases, for generating certs and also its storage. But I am not sure whether Barbican can be made a hard dependency in Magnum or not? > > magnum-conductor should store conductor’s client key to connect k8s api > server. > > > Thanks > -Yuanying > > On Thursday, July 9, 2015 at 10:12, Madhuri wrote: > > Hi All, > > Magnum as a CA mainly aims at how certificates and keys for both > client(magnum-conductor) > and server(kube-apiserver) will be generated and who will be the CA. > > Blueprint Link: > https://blueprints.launchpad.net/magnum/+spec/magnum-as-a-ca > > Currently we have 3 options to generate certificates. > > *1. Write our own tool.* > In this approach, we will have our own tool to generate certificate signed > by CA. > A review has been submitted for it: > https://review.openstack.org/#/c/199493/ > > > *2. Using Anchor.* > Anchor is an stackforge project that automates the verification of CSRs > and signs certificates for clients. > https://github.com/stackforge/anchor > <https://mail.nectechnologies.in/owa/redir.aspx?C=WbmDv-KJVUmq2sEu4MFC0e-k5uFujdIIs7jarFb-BEGxx7iEgSFPZtTZ41n6FXvt-LMt_E0Efho.&URL=https%3a%2f%2fgithub.com%2fstackforge%2fanchor> > > Anchor can be used to generate signed certificate. > > > *3. Using Barbican. *Barbican can also be used for generating certificate > signed by some CA plugins. > http://docs.openstack.org/developer/barbican/plugin/certificate.html > <https://mail.nectechnologies.in/owa/redir.aspx?C=WbmDv-KJVUmq2sEu4MFC0e-k5uFujdIIs7jarFb-BEGxx7iEgSFPZtTZ41n6FXvt-LMt_E0Efho.&URL=http%3a%2f%2fdocs.openstack.org%2fdeveloper%2fbarbican%2fplugin%2fcertificate.html> > > Moreover it can also be used to store certificates securely. > > Folks, please provide your views on which is the most suitable option for > adding TLS support in Magnum. > > Also, we will have a meeting on *#openstack-containers* at *23:30 UTC* to > discuss the same. Request Barbican and Anchor developers also to join. > > > Regards > Madhuri > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: [email protected]?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: [email protected]?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > Regards, Madhuri
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
