Re: [openstack-dev] [barbican] How to update cert in the secret

[Andrey Grebennikov]

Hi Michael,
Thanks for that, it is right that it is supposed to be Neutron's
responsibility. Moreover, I just found out that I can actually use Neutron
CLI for the update too - I just have to specify
"--default-tls-container_ref" option with the new container (it looks kind
of weird but it didn't complaint), and it makes the magic.

I really appreciate your help, thank you!

On Tue, Apr 4, 2017 at 3:10 PM, Michael Johnson  wrote:

> Hi Andrey,
>
>
>
> As we discussed on IRC, the listeners in LBaaS v2 allow you to update the
> barbican container IDs.  This will start the certificate update process on
> the load balancers with the new content from barbican.
>
>
>
> The neutron client, as you noted, does not appear to have this capability,
> but the API supports this as the primary means to update certificate
> content for LBaaS.  This will be included in the octavia OpenStack client.
>
>
>
> Michael
>
>
>
> *From:* Andrey Grebennikov [mailto:agrebenni...@mirantis.com]
> *Sent:* Monday, April 3, 2017 12:14 PM
> *To:* OpenStack Development Mailing List (not for usage questions) <
> openstack-dev@lists.openstack.org>
> *Subject:* [openstack-dev] [barbican] How to update cert in the secret
>
>
>
> Hey Barbican folks, I have a question regarding the functionality of the
> secrets containers please.
>
>
>
> If I got my secret created is there a way to update it down the road with
> another cert?
>
> The usecase is pretty common - using barbican with neutron lbaas.
>
> When the load balance from the lbaas backend gets the cert from barbican
> there is no way to update the neutron load balancer with the new secret
> seems so.
>
> The only way to update the cert within the balancer is to update the
> barbican secret and trigger the balancer to re-request the cert (while
> adding the pool member for example).
>
>
>
> Any help is greatly appreciated!
>
>
>
> --
>
> Andrey Grebennikov
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
Andrey Grebennikov
Principal Deployment Engineer
Mirantis Inc, Austin TX
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [barbican] How to update cert in the secret

[Michael Johnson]

Hi Andrey,

 

As we discussed on IRC, the listeners in LBaaS v2 allow you to update the 
barbican container IDs.  This will start the certificate update process on the 
load balancers with the new content from barbican.

 

The neutron client, as you noted, does not appear to have this capability, but 
the API supports this as the primary means to update certificate content for 
LBaaS.  This will be included in the octavia OpenStack client.

 

Michael

 

From: Andrey Grebennikov [mailto:agrebenni...@mirantis.com] 
Sent: Monday, April 3, 2017 12:14 PM
To: OpenStack Development Mailing List (not for usage questions) 

Subject: [openstack-dev] [barbican] How to update cert in the secret

 

Hey Barbican folks, I have a question regarding the functionality of the 
secrets containers please.

 

If I got my secret created is there a way to update it down the road with 
another cert?

The usecase is pretty common - using barbican with neutron lbaas.

When the load balance from the lbaas backend gets the cert from barbican there 
is no way to update the neutron load balancer with the new secret seems so.

The only way to update the cert within the balancer is to update the barbican 
secret and trigger the balancer to re-request the cert (while adding the pool 
member for example).

 

Any help is greatly appreciated!

 

-- 

Andrey Grebennikov

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev