<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 06/15/2015 08:45 PM, Madhuri wrote:<br>
</div>
<blockquote
cite="mid:CAHKoAgqxdXH_p34j-dcB_2MAj5CUAHJ6+skaVOYTKpZhiqMJ9Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>+1 Kevin. We will make Barbican a dependency to make it
the default option to secure keys.<br>
<br>
</div>
Regards,<br>
</div>
Madhuri<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Jun 16, 2015 at 12:48 AM, Fox,
Kevin M <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:Kevin.Fox@pnnl.gov" target="_blank">Kevin.Fox@pnnl.gov</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div
style="direction:ltr;font-family:Tahoma;color:#000000;font-size:10pt">If
you're asking the cloud provider to go through the effort
to install Magnum, it's not that much extra effort to
install Barbican at the same time. Making it a
dependency isn't too bad then IMHO.<br>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
Please use Certmonger on the Magnum side, with an understanding
that the Barbican team is writing a Certmonger plugin. <br>
<br>
Certmonger can do self signed, and can talk to Dogtag if you need a
real CA. If we need to talk to other CAs, you write a helper script
that Certmonger calls to post the CSR and fetch the signed Cert,
but certmonger does the openssl/NSS work to properly manage the
signing requests.<br>
<br>
<blockquote
cite="mid:CAHKoAgqxdXH_p34j-dcB_2MAj5CUAHJ6+skaVOYTKpZhiqMJ9Q@mail.gmail.com"
type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div
style="direction:ltr;font-family:Tahoma;color:#000000;font-size:10pt">
<br>
Thanks,<br>
Kevin<br>
<div style="font-family:Times New
Roman;color:#000000;font-size:16px">
<hr>
<div style="direction:ltr"><font color="#000000"
face="Tahoma" size="2"><b>From:</b> Adrian Otto [<a
moz-do-not-send="true"
href="mailto:adrian.otto@rackspace.com"
target="_blank">adrian.otto@rackspace.com</a>]<br>
<b>Sent:</b> Sunday, June 14, 2015 11:09 PM<br>
<b>To:</b> OpenStack Development Mailing List (not
for usage questions)<br>
<b>Subject:</b> Re: [openstack-dev] [Magnum] TLS
Support in Magnum<br>
</font><br>
</div>
<div>
<div class="h5">
<div>Madhuri,
<div><br>
<div>
<blockquote type="cite">
<div>On Jun 14, 2015, at 10:30 PM, Madhuri
Rai <<a moz-do-not-send="true"
href="mailto:madhuri.rai07@gmail.com"
target="_blank">madhuri.rai07@gmail.com</a>>
wrote:</div>
<br>
<div>
<div dir="ltr">
<div>
<div>
<div>
<div><font color="003366"
size="2">Hi All,<br>
<br>
<font color="003366">This is
to bring the blueprint </font><a
moz-do-not-send="true"
href="https://blueprints.launchpad.net/magnum/+spec/secure-kubernetes"
target="_blank">secure-kubernetes</a><font
color="003366"> in di<font
color="003366">scussion.
I have <font
color="003366">been
trying to figure out <font
color="003366">
what could be the
possible change <font
color="003366">area
to support this
feature in Magnum.</font></font></font></font></font></font>
Below is just a rough idea on
ho<font color="003366">w to
proceed further on it.</font><br>
<br>
<font color="003366">Th<font
color="003366">is task can
be further broken in
smaller
<font color="003366">pieces.</font></font></font><br>
<br>
<b>1. Add support for TLS in
python-k8sclient.</b><br>
<div style="margin-left:40px"><font
color="003366" size="2">The
current auto-generated
code doesn't support TLS.
So this work will be to
add TLS support in
kubernetes python APIs.</font><br>
</div>
<font color="003366" size="2"><br>
<b>2. Add support for
Barbican in Magnum.</b><br>
</font>
<div style="margin-left:40px"><font
color="003366" size="2">Barbican
will be used to store all
the keys and certificates.</font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
Keep in mind that not all clouds will
support Barbican yet, so this approach could
impair adoption of Magnum until Barbican is
universally supported. It might be worth
considering a solution that would generate
all keys on the client, and copy them to the
Bay master for communication with other Bay
nodes. This is less secure than using
Barbican, but would allow for use of Magnum
before Barbican is adopted.</div>
<div><br>
</div>
<div>If both methods were supported, the
Barbican method should be the default, and
we should put warning messages in the config
file so that when the administrator relaxes
the setting to use the non-Barbican
configuration he/she is made aware that it
requires a less secure mode of operation.</div>
<div><br>
</div>
<div>My suggestion is to completely implement
the Barbican support first, and follow up
that implementation with a non-Barbican
option as a second iteration for the
feature.</div>
<div><br>
</div>
<div>Another possibility would be for Magnum
to use its own private installation of
Barbican in cases where it is not available
in the service catalog. I dislike this
option because it creates an operational
burden for maintaining the private Barbican
service, and additional complexities with
securing it.</div>
<div><br>
<blockquote type="cite">
<div>
<div dir="ltr">
<div>
<div>
<div>
<div><font color="003366"
size="2"><b>3. Add support
of TLS in Magnum.</b><br>
</font>
<div style="margin-left:40px"><font
color="003366" size="2">This
work mainly involves
supporting the use of key
and certificates in magnum
to support TLS.</font><br>
<br>
<font color="003366"
size="2">The user
generates the keys and
certificates and stores
them in Barbican. Now
there are two ways to access
these keys while creating
a bay.</font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
Rather than "the user generates the keys…",
perhaps it might be better to word that as
"the magnum client library code generates
the keys for the user…".</div>
<div><br>
<blockquote type="cite">
<div>
<div dir="ltr">
<div>
<div>
<div>
<div>
<div style="margin-left:40px"><font
color="003366" size="2">1.
Heat will access Barbican
directly.</font><br>
<font color="003366"
size="2">While creating
bay, the user will provide
this key and heat
templates will fetch this
key from Barbican.</font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
I think you mean that Heat will use the
Barbican key to fetch the TLS key for
accessing the native API service running on
the Bay.</div>
<div><br>
<blockquote type="cite">
<div>
<div dir="ltr">
<div>
<div>
<div>
<div>
<div style="margin-left:40px"><font
color="003366" size="2">2.
Magnum-conductor access
Barbican.</font><br>
<font color="003366"
size="2">While creating
bay, the user will provide
this key and then
Magnum-conductor will
fetch this key from
Barbican and provide this
key to heat.</font><br>
<br>
<font color="003366"
size="2">Then heat will
copy these files onto the
Kubernetes master node.
Then the bay will use this key
to start Kubernetes
services signed with these
keys.</font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
Make sure that the Barbican keys used by
Heat and magnum-conductor to store the
various TLS certificates/keys are unique per
tenant and per bay, and are not shared among
multiple tenants. We don’t want it to ever
be possible to trick Magnum into revealing
secrets belonging to other tenants.</div>
<div><br>
<blockquote type="cite">
<div>
<div dir="ltr">
<div>
<div>
<div>
<font color="003366" size="2"><font
color="003366"><font
color="003366"><font
color="003366"><font
color="003366"><font
color="003366">After
<font color="003366">discussion
when we all come
to same point, I
will create
<font
color="003366">separate</font>
blueprint<font
color="003366">s
for each task.
<br>
</font></font>I am
currently working on
configuring
Kubernetes <font
color="003366">
services with TLS
<font
color="003366">keys.<br>
<br>
</font></font></font></font></font></font></font></font></div>
<font color="003366" size="2"><font
color="003366">Please provide
your suggest<font
color="003366">ions if any.</font></font><br>
</font></div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
Thanks for kicking off this discussion.</div>
<div><br>
</div>
<div>Regards,</div>
<div><br>
</div>
<div>Adrian</div>
<div><br>
<blockquote type="cite">
<div>
<div dir="ltr">
<div>
<div><font color="003366" size="2"><br>
<br>
</font></div>
<font color="003366" size="2"><font
color="003366"><font
color="003366"><font
color="003366"><font
color="003366"><font
color="003366"><font
color="003366"><font
color="003366"><font
color="003366">Reg<font
color="003366">ar<font
color="003366">ds,<br>
</font></font></font></font></font></font></font></font></font></font></font></div>
<font color="003366" size="2"><font
color="003366">Madhuri</font><br>
</font></div>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not
for usage questions)<br>
Unsubscribe: <a moz-do-not-send="true"
href="mailto:OpenStack-dev-request@lists.openstack.org" target="_blank">
OpenStack-dev-request@lists.openstack.org</a>?subject:unsubscribe<br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
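<div>An added example, not code from any message in this thread and not from the Magnum or Barbican projects, illustrating the two safeguards Adrian asks for above: a secret reference that is unique per tenant and per bay and is never returned to a different tenant, and a config loader that keeps Barbican as the default and warns when the operator relaxes it to the client-generated-key mode. The registry class, the <tt>tls_key_backend</tt> option and the tenant and bay identifiers are all hypothetical, constructed for this example.</div>

```python
"""Added example (not Magnum or Barbican project code).

Models two safeguards from the thread: a per-tenant, per-bay secret
reference that is never served to another tenant, and a config loader
that warns when the operator relaxes the default Barbican backend.

BaySecretRegistry, load_tls_config and the 'tls_key_backend' option are
hypothetical names; Magnum's real config options and APIs are not used.
"""
import logging
import secrets
from dataclasses import dataclass, field

log = logging.getLogger("magnum.tls.example")


class TenantMismatch(Exception):
    """Raised when a caller asks for the secret of a bay it does not own."""


@dataclass
class BayRecord:
    tenant_id: str
    bay_id: str
    secret_ref: str  # opaque reference into the key store (Barbican-style)


@dataclass
class BaySecretRegistry:
    """Tracks which secret reference belongs to which (tenant, bay) pair."""
    _bays: dict = field(default_factory=dict)

    def register_bay(self, tenant_id: str, bay_id: str) -> str:
        """Mint a unique secret reference for this bay and record its owner.

        The reference embeds a random token rather than only the tenant and
        bay ids, so one tenant cannot derive another tenant's reference.
        """
        if bay_id in self._bays:
            raise ValueError(f"bay {bay_id} already registered")
        ref = f"secret:{tenant_id}:{bay_id}:{secrets.token_hex(8)}"
        self._bays[bay_id] = BayRecord(tenant_id, bay_id, ref)
        return ref

    def secret_ref_for(self, requesting_tenant: str, bay_id: str) -> str:
        """Return the secret reference only if the requester owns the bay.

        Fails closed: a request naming another tenant's bay gets an error,
        never that tenant's secret reference.
        """
        rec = self._bays.get(bay_id)
        if rec is None or rec.tenant_id != requesting_tenant:
            # Same error for "unknown bay" and "wrong tenant", so the
            # response does not reveal whether the bay exists at all.
            raise TenantMismatch(
                f"tenant {requesting_tenant} has no bay {bay_id}")
        return rec.secret_ref


def load_tls_config(options: dict) -> dict:
    """Resolve the key-store backend from operator config (hypothetical option).

    Barbican is the default. 'local' (keys generated on the client and copied
    to the bay master) is accepted but logged as a warning, so the relaxed
    mode is visible in the service log as well as in the config file.
    """
    backend = options.get("tls_key_backend", "barbican")
    if backend == "barbican":
        return {"backend": "barbican", "warning": None}
    if backend == "local":
        msg = ("tls_key_backend=local: TLS keys are generated on the client "
               "and copied to the bay master; this is less secure than Barbican")
        log.warning(msg)
        return {"backend": "local", "warning": msg}
    raise ValueError(f"unknown tls_key_backend {backend!r}")


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    reg = BaySecretRegistry()
    # Constructed tenant and bay identifiers for the demonstration.
    reg.register_bay("tenant-a", "bay-1")
    reg.register_bay("tenant-b", "bay-2")
    print(reg.secret_ref_for("tenant-a", "bay-1"))
    try:
        reg.secret_ref_for("tenant-a", "bay-2")  # cross-tenant request
    except TenantMismatch as e:
        print("refused:", e)
    print(load_tls_config({"tls_key_backend": "local"})["backend"])
```

<div>The check is deliberately keyed on the bay's recorded owner rather than on anything the caller supplies in the reference string, and an unknown bay and a foreign bay produce the same error, so a caller cannot use the lookup to enumerate other tenants' bays.</div>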
</body>
</html>