I'm developing a Kubernetes operator for deploying 'ovn-central' (nb, sb, and northd). I'm trying to decide whether it's worth generating separate secret keys for each actor in a raft cluster, actors being:

* each individual server in the raft cluster
* each individual client (e.g. ovn-controller/northd/neutron)

My initial thought was yes, of course. However, it occurred to me that without CRL support in ovsdb-server it is impossible to revoke a compromised certificate without changing the CA. This in turn requires changing all certs, which seems functionally equivalent to all services using the same cert.

Has anybody given this any thought? Are there any alternate authentication methods which might work better?

Thanks,

Matt

--
Matthew Booth
Red Hat OpenStack Engineer, Compute DFG
Phone: +442070094448 (UK)
