<div dir="ltr">Hi,<br><div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 9, 2015 at 11:13 AM, OTSUKA, Motohiro <span dir="ltr">&lt;<a href="mailto:yuanying@oeilvert.org" target="_blank">yuanying@oeilvert.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                <div>
                    I think it’s better to use Barbican,
                </div><div>It provides CA function and also secure key storage.</div></blockquote><div><br></div><div>Agree. Barbican is suitable for us in both cases, for generating certs and also for their storage. But I am not sure whether Barbican can be made a hard dependency in Magnum or not?<br>  <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><br></div><div>magnum-conductor should store the conductor’s client key to connect to the k8s api server.</div><div><br></div>
                <div><div><br></div><div>Thanks</div><div>-Yuanying</div><div><br></div></div><div><div class="h5">
                 
                <p style="color:#a0a0a8">On Thursday, July 9, 2015 at 10:12, Madhuri wrote:</p>
                </div></div><blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px">
                    <span><div><div><div class="h5"><div><div dir="ltr"><div>Hi All,<br>
<br>
Magnum as a CA mainly aims at how certificates and keys for both the client (magnum-conductor)<br>
and the server (kube-apiserver) will be generated and who will be the CA.<br>
<br>
Blueprint Link: <a href="https://blueprints.launchpad.net/magnum/+spec/magnum-as-a-ca" target="_blank">https://blueprints.launchpad.net/magnum/+spec/magnum-as-a-ca</a><br>
<br>
Currently we have 3 options to generate certificates.<br>
<br>
<b>1. Write our own tool.</b><br>
In this approach, we will have our own tool to generate certificates signed by a CA.<br>
A review has been submitted for it:<br>
<a href="https://review.openstack.org/#/c/199493/" target="_blank">https://review.openstack.org/#/c/199493/</a><br>
<br>
<br>
<b>2. Using Anchor.</b><br>
Anchor is a stackforge project that automates the verification of CSRs and signs certificates for clients.<br>
<a href="https://github.com/stackforge/anchor" target="_blank">https://github.com/stackforge/anchor</a><br>
<br>
Anchor can be used to generate a signed certificate.<br>
<br>
<b>3. Using Barbican.</b><br>
Barbican can also be used for generating certificates signed by some CA plugins.<br>
<a href="http://docs.openstack.org/developer/barbican/plugin/certificate.html" target="_blank">http://docs.openstack.org/developer/barbican/plugin/certificate.html</a><br>
<br>
Moreover it can also be used to store certificates securely.<br>
<br>
Folks, please provide your views on which is the most suitable option for adding TLS support in Magnum.<br>
<br></div>Also, we will have a meeting on <b>#openstack-containers</b> at <b>23:30 UTC</b> to discuss the same. Barbican and Anchor developers are also requested to join.<br><div>
<br>
<br>



<font face="Arial" color="000000" size="2">Regards<br>
Madhur<font color="000000">i</font><br></font></div></div>
</div></div></div><div><div>__________________________________________________________________________</div><span class=""><div>OpenStack Development Mailing List (not for usage questions)</div></span><div>Unsubscribe: <a href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a></div><div><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></div></div></div></span>
                 
                 
                 
                 
                </blockquote>
                 
                <div>
                    <br>
                </div>
<br></blockquote></div>Regards,<br></div><div class="gmail_extra">Madhuri<br></div></div></div>