[openstack-dev] [Magnum][Anchor][Barbican] Magnum as a CA

OTSUKA, Motohiro yuanying at oeilvert.org
Thu Jul 9 02:13:11 UTC 2015

I think it’s better to use Barbican,  
It provides CA function and also secure key storage.

magnum-conductor should store conductor’s client key to connect k8s api server.


On Thursday, July 9, 2015 at 10:12, Madhuri wrote:

> Hi All,
> Magnum as a CA mainly aims at how certificates and keys for both client(magnum-conductor)
> and server(kube-apiserver) will be generated and who will be the CA.
> Blueprint Link: https://blueprints.launchpad.net/magnum/+spec/magnum-as-a-ca
> Currently we have 3 options to generate certificates.
> 1. Write our own tool.
> In this approach, we will have our own tool to generate certificate signed by CA.
> A review has been submitted for it:
> https://review.openstack.org/#/c/199493/
> 2. Using Anchor.
> Anchor is an stackforge project that automates the verification of CSRs and signs certificates for clients.
> https://github.com/stackforge/anchor (https://mail.nectechnologies.in/owa/redir.aspx?C=WbmDv-KJVUmq2sEu4MFC0e-k5uFujdIIs7jarFb-BEGxx7iEgSFPZtTZ41n6FXvt-LMt_E0Efho.&URL=https%3a%2f%2fgithub.com%2fstackforge%2fanchor)
> Anchor can be used to generate signed certificate.
> 3. Using Barbican.
> Barbican can also be used for generating certificate signed by some CA plugins.
> http://docs.openstack.org/developer/barbican/plugin/certificate.html (https://mail.nectechnologies.in/owa/redir.aspx?C=WbmDv-KJVUmq2sEu4MFC0e-k5uFujdIIs7jarFb-BEGxx7iEgSFPZtTZ41n6FXvt-LMt_E0Efho.&URL=http%3a%2f%2fdocs.openstack.org%2fdeveloper%2fbarbican%2fplugin%2fcertificate.html)
> Moreover it can also be used to store certificates securely.
> Folks, please provide your views on which is the most suitable option for adding TLS support in Magnum.
> Also, we will have a meeting on #openstack-containers at 23:30 UTC to discuss the same. Request Barbican and Anchor developers also to join.
> Regards
> Madhuri
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe (mailto:OpenStack-dev-request at lists.openstack.org?subject:unsubscribe)
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150709/57ba6f6c/attachment.html>

More information about the OpenStack-dev mailing list