[openstack-dev] [Magnum][Anchor][Barbican] Magnum as a CA

Madhuri madhuri.rai07 at gmail.com
Thu Jul 9 01:12:01 UTC 2015


Hi All,

Magnum as a CA mainly aims at how certificates and keys for both client
(magnum-conductor) and server (kube-apiserver) will be generated and who
will be the CA.

Blueprint Link: https://blueprints.launchpad.net/magnum/+spec/magnum-as-a-ca

Currently we have 3 options to generate certificates.

*1. Write our own tool.*
In this approach, we will have our own tool to generate certificates signed
by the CA.
A review has been submitted for it:
https://review.openstack.org/#/c/199493/


*2. Using Anchor.*
Anchor is a stackforge project that automates the verification of CSRs and
signs certificates for clients.
https://github.com/stackforge/anchor

Anchor can be used to generate signed certificates.


*3. Using Barbican.*
Barbican can also be used for generating certificates signed by some CA
plugins.
http://docs.openstack.org/developer/barbican/plugin/certificate.html

Moreover it can also be used to store certificates securely.

Folks, please provide your views on which is the most suitable option for
adding TLS support in Magnum.

Also, we will have a meeting on *#openstack-containers* at *23:30 UTC* to
discuss the same. We request Barbican and Anchor developers to join as well.


Regards
Madhuri