On 10/26/2015 02:38 PM, Major Hayden wrote:
Hello there,
I've been researching some additional ways to secure openstack-ansible
deployments and I backed myself into a corner with secure log transport. The
rsyslog client requires a trusted CA certificate to be able to send encrypted
logs to rsyslog servers. That's not a problem if users bring their own
certificates, but it does become a problem if we use the self-signed
certificates that we're creating within the various roles.
I'm wondering if we could create a role that creates a CA on the deployment
host and then uses that CA to issue certificates for various services *if* a
user doesn't specify that they want to bring their own certificates. We could
build the CA very early in the installation process and then use it to sign
certificates for each individual service. That would allow us to have some
additional trust in environments where deployers don't choose to bring their
own certificates.
Does this approach make sense?
--
Major Hayden
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
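The flow proposed above, as an added example that is not openstack-ansible code and not from either poster: a throwaway CA is built once on the deployment host, it issues a leaf certificate for a service (rsyslog here), and the result is checked the way an rsyslog TLS client would check it, by chaining to the trusted CA and matching the hostname. It assumes only that `openssl` is on PATH; the directory layout, the CA name `example-deploy-ca` and the host `log01.example.internal` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not project code): deployment-host CA that signs per-service certs.
set -eu

# Write a minimal openssl config so nothing depends on the system openssl.cnf.
# $1 = output file, $2 = subject CN, $3 = extension lines for self-signed output
req_cnf() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = ext\n[dn]\nCN = %s\n[ext]\n%s\n' \
        "$2" "$3" > "$1"
}

# Build the CA in directory $1. Done once, early in the deploy, before any service.
make_ca() {
    ca_dir=$1
    mkdir -p "$ca_dir"
    req_cnf "$ca_dir/ca.cnf" example-deploy-ca 'basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash'
    openssl req -x509 -config "$ca_dir/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.crt" 2>/dev/null
    # The CA key never leaves the deployment host; only ca.crt is shipped to clients.
    chmod 600 "$ca_dir/ca.key"
}

# Issue a leaf cert for service $2 (file name) with hostname $3, signed by the CA in $1.
issue_cert() {
    ca_dir=$1; name=$2; host=$3
    req_cnf "$ca_dir/$name.cnf" "$host" ''
    openssl req -new -config "$ca_dir/$name.cnf" -newkey rsa:2048 -nodes \
        -keyout "$ca_dir/$name.key" -out "$ca_dir/$name.csr" 2>/dev/null
    # Leaf-only extensions: CA:FALSE stops a service cert being reused to mint others,
    # and the SAN is what clients match the hostname against (not the CN).
    printf 'basicConstraints = critical,CA:FALSE\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' \
        "$host" > "$ca_dir/$name.ext"
    openssl x509 -req -in "$ca_dir/$name.csr" \
        -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" -CAcreateserial \
        -days 90 -extfile "$ca_dir/$name.ext" -out "$ca_dir/$name.crt" 2>/dev/null
}

# The check an rsyslog TLS client effectively performs against a log server:
# does cert $2 chain to trusted CA $1, and does it name host $3?
verify_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# End-to-end run: CA, one rsyslog server cert, and the client-side check.
demo() {
    work=$(mktemp -d)
    make_ca "$work"
    issue_cert "$work" rsyslog log01.example.internal
    verify_cert "$work/ca.crt" "$work/rsyslog.crt" log01.example.internal \
        && echo "rsyslog cert chains to the deploy CA and matches its hostname"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh ca-demo.sh demo`. The negative cases matter as much as the positive one: a certificate from a second, unrelated CA fails `verify_cert` against the first CA's `ca.crt`, which is exactly why the rsyslog client needs the deployment CA's certificate installed rather than trusting whatever self-signed certificate each role generates on its own.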
FreeIPA has a Dogtag server that can be your full CA. I would recommend
not rolling our own.
We have a playbook that does this here:
https://github.com/admiyo/rippowam specifically in the
https://github.com/admiyo/rippowam/tree/master/roles/ipaserver role