<div>
                    I think it’s better to use Barbican.
                </div><div>It provides CA function and also secure key storage.</div><div><br></div><div>magnum-conductor should store conductor’s client key to connect k8s api server.</div><div><br></div>
                <div><div><br></div><div>Thanks</div><div>-Yuanying</div><div><br></div></div>
                 
                <p style="color: #A0A0A8;">On Thursday, July 9, 2015 at 10:12, Madhuri wrote:</p>
                <blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
                    <span><div><div><div dir="ltr"><div>Hi All,<br>
<br>
Magnum as a CA mainly aims at how certificates and keys for both client (magnum-conductor)<br>
and server (kube-apiserver) will be generated and who will be the CA.<br>
<br>
Blueprint Link: <a href="https://blueprints.launchpad.net/magnum/+spec/magnum-as-a-ca">https://blueprints.launchpad.net/magnum/+spec/magnum-as-a-ca</a><br>
<br>
Currently we have 3 options to generate certificates.<br>
<br>
<b>1. Write our own tool.</b><br>
In this approach, we will have our own tool to generate certificates signed by the CA.<br>
A review has been submitted for it:<br>
<a href="https://review.openstack.org/#/c/199493/">https://review.openstack.org/#/c/199493/</a><br>
<br>
<br>
<b>2. Using Anchor.</b><br>
Anchor is a stackforge project that automates the verification of CSRs and signs certificates for clients.<br>
<a href="https://github.com/stackforge/anchor" target="_blank">https://github.com/stackforge/anchor</a><br>
<br>
Anchor can be used to generate signed certificates.<br>
<br>
<b>3. Using Barbican.<br>
</b>Barbican can also be used for generating certificates signed by some CA plugins.<br>
<a href="http://docs.openstack.org/developer/barbican/plugin/certificate.html" target="_blank">http://docs.openstack.org/developer/barbican/plugin/certificate.html</a><br>
<br>
Moreover it can also be used to store certificates securely.<br>
<br>
Folks, please provide your views on which is the most suitable option for adding TLS support in Magnum.<br>
<br></div>Also, we will have a meeting on <b>#openstack-containers</b> at <b>23:30 UTC</b> to discuss the same. Request Barbican and Anchor developers also to join.<br><div>
<br>
<br>



<font face="Arial" color="000000" size="2">Regards<br>
Madhur<font color="000000">i</font><br></font></div></div>
</div><div><div>__________________________________________________________________________</div><div>OpenStack Development Mailing List (not for usage questions)</div><div>Unsubscribe: <a href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a></div><div><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></div></div></div></span>
                 
                 
                 
                 
                </blockquote>
                 
                <div>
                    <br>
                </div>