[openstack-dev] [FUEL] Re: SSL in Fuel.

Tomasz Napierala tnapierala at mirantis.com
Wed Sep 10 11:40:40 UTC 2014


On 10 Sep 2014, at 12:54, Simon Pasquier <spasquier at mirantis.com> wrote:

> Hello,
> 
> Let's back up a bit and list the different options for Fuel users:
> 0/ The user is happy with plain HTTP.
> => Already supported :)
> 1/ The user wants HTTPS but doesn't want the burden associated with certificate management.
> => Fuel creates and manages the SSL certificates, be they self-signed or signed by some internal CA.
> => Using an internal CA instead of multiple self-signed certificates is cleaner as you explained.
> 2/ The user wants HTTPS and wants to use certificates which are generated by an external source (either some internal corporate PKI or some public certificate authority)
> => Fuel supports certificate + key uploads
> => It should be possible to tell Fuel which entity (Fuel, OSt environment) uses which certificate
> 3/ The user wants HTTPS and agrees to let Fuel generate certificates on behalf of some corporate PKI.
> => Fuel supports CA + key uploads
> 
> I think that option 1 is the way to go for a first approach. Option 2 is definitely something that end-users would need at some point. I'm less convinced by option 3: if I were a PKI admin, I'd be reluctant to let Fuel generate certificates on its own. Also my gut feeling tells me that implementing 1 & 2 is already quite a lot of work.
> 
> I've also added some questions/comments inline.

Regarding 
After careful consideration, I think that for 6.0 we will only be able to implement [2] with limited functionality. In terms of certificate management, we could offer uploading a customer-generated cert (and maybe provide a short doc on how to spawn a CA + sign certs) or, if the user does not want to do it, generate a simple self-signed cert, install it on the Fuel HTTP server and let the user download it.

After 6.0 we can concentrate on a proper implementation of CA management, and then allow the Fuel master node part to use it.

[1] https://blueprints.launchpad.net/fuel/+spec/ca-deployment
[2] https://blueprints.launchpad.net/fuel/+spec/fuel-ssl-endpoints
[3] https://blueprints.launchpad.net/fuel/+spec/ssl-endpoints
-- 
Tomasz 'Zen' Napierala
Sr. OpenStack Engineer
tnapierala at mirantis.com
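The two fallbacks discussed above (a "short doc on how to spawn a CA + sign certs" versus a "simple self-signed cert" the user downloads) boil down to a few openssl invocations. The script below is an added example and is not Fuel project code or anything posted in this thread; it assumes only that the openssl CLI is on PATH, and every directory, file name and hostname in it is hypothetical. It builds a small internal CA, issues a server certificate from it with a subjectAltName, produces the self-signed variant for comparison, and shows that openssl verify accepts the first and rejects the second even though both carry the same CN:

```shell
#!/bin/sh
# Added example, not Fuel project code: a minimal internal CA, a server cert
# issued from it, and the "simple self-signed cert" fallback, with checks that
# tell the two apart. Assumes the openssl CLI is on PATH; every path, name and
# hostname below is hypothetical.
set -e

# Shared req config: a fixed DN (overridden by -subj) plus a v3_ca section
# that makes the root a real CA (basicConstraints/keyUsage are what clients
# and 'openssl verify' look at when building a chain).
write_req_config() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR: ca.key + self-signed ca.crt carrying the v3_ca extensions.
make_ca() {
    mkdir -p "$1"
    write_req_config "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/req.cnf" -extensions v3_ca -subj "/CN=Fuel internal CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# issue_cert DIR NAME FQDN: key + CSR for NAME, signed by ca.key with a
# subjectAltName for FQDN and serverAuth EKU (what browsers/clients require).
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/req.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$3" > "$1/$2.ext"
    openssl x509 -req -sha256 -days 825 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/$2.ext" -out "$1/$2.crt" >/dev/null 2>&1
}

# make_selfsigned DIR NAME FQDN: the option-1 fallback, a cert signed by its
# own key with no CA behind it (users must trust this exact cert).
make_selfsigned() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 825 \
        -config "$1/req.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# verify_cert DIR NAME: exit 0 only if NAME.crt chains to ca.crt.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# cert_has_san DIR NAME FQDN: exit 0 if the cert lists DNS:FQDN in its SAN.
cert_has_san() {
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$3"
}

# Walk-through with constructed names: the CA-issued cert verifies, the
# self-signed one does not, even though both carry the same CN.
demo() {
    dir=$(mktemp -d)
    make_ca "$dir"
    issue_cert "$dir" fuel-master fuel.example.internal
    make_selfsigned "$dir" legacy fuel.example.internal
    verify_cert "$dir" fuel-master && echo "fuel-master.crt: chains to ca.crt"
    verify_cert "$dir" legacy || echo "legacy.crt: self-signed, no chain to ca.crt"
    rm -rf "$dir"
}

demo
```

The practical difference for users is the trust decision: with the CA variant they import one root (ca.crt) once and every endpoint certificate Fuel signs afterwards is accepted, whereas with the self-signed fallback each downloaded certificate has to be pinned individually and re-pinned on every renewal. The CA key in this example is left unencrypted (-nodes) for a scripted run; anything kept around after 6.0 as real CA material should be stored encrypted and with restricted permissions.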