[openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?

Major Hayden major at mhtx.net
Fri Nov 6 21:41:05 UTC 2015


On 10/29/2015 08:42 AM, Clark, Robert Graham wrote:
> It sounds like what you probably need is a lightweight CA, without revocation, that gives you some basic constraints by which you can restrict certificate issuance to just your ansible tasks and that could potentially be thrown away when it’s no longer required. Particularly something light enough that it could live on any deployment/installer node.
> 
> This sounds like it _might_ be a good fit for Anchor[1], though possibly not if I’ve misunderstood your use-case.
> 
> [1] https://wiki.openstack.org/wiki/Security#Anchor_-_Ephemeral_PKI

Thanks, Robert.  After talking a bit in the last OpenStack Security IRC meeting and doing a deep dive into Anchor, I'm not sure I'm looking for a CA that issues ephemeral certificates.

For example, issuing ephemeral certificates for RabbitMQ or MySQL would involve frequent restarts of each service to apply new certificates on a regular basis (if I'm understanding Anchor correctly).  I could see how this wouldn't be a big issue on a web/API front-end, like horizon, but it would definitely cause some disruptions for services that are slower to start, like RabbitMQ and MySQL.

I found a CA role[1] for Ansible on Galaxy, but it appears to be GPLv3 code. :/

Another suggestion was to use Letsencrypt, but it's in a limited access period at the moment.  It also supplies ephemeral certs, as Anchor does.

The dogtag service looks interesting, but it has quite a few dependencies that may be a bit heavy resource-wise within the average openstack-ansible environment.

I'm still on the hunt for a good solution but I appreciate the input so far!

[1] https://github.com/debops/ansible-pki

--
Major Hayden
