Hello all,
I have recently started exploring OpenStack with the goal of using it to replace my current private cloud infrastructure.
I have been reading the docs about security and I noticed that there isn't really a (straightforward) way of securing OpenStack services communication with user-provided, trusted, SSL certificates.
I believe this should not be the case.
My current infrastructure uses a privately hosted CA, that supports the ACME protocol. All my hosts submit CSRs to it, and respond to the ACME challenges in order to get it signed. All certificates are short-lived (1h), but never expire thanks to the ACME automation.
I have achieved this through an open source project called Smallstep Step CA and Smallstep Step CLI tools. It is dead easy to set up. All of the tools needed to achieve this can also be containerized, for simplicity.
Thus, I propose the following solution (keep in mind I am not an OpenStack developer):
Addition of an ACME client, with a configurable ACME URL, to all (or as many as possible) OpenStack services, that can submit CSRs to an ACME server (basically almost identical to the already implemented OpenStack Let's Encrypt functionality for public endpoints).
Also, optionally, the creation of a new OpenStack service, using the Smallstep Step CA, which can sign the CSRs, and thus eliminate the need for a manual setup of a separate Smallstep CA host.
I am providing some links to the Smallstep repositories and documentation for easier access:
Thank you for your time and consideration.
Kind regards,
Stanislav
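The post's claim that 1h certificates "never expire thanks to the ACME automation" depends on the renewal schedule and on how long the CA can be unreachable. The following is an added example (not part of the post, and not Smallstep or OpenStack code) that replays issuance and renewal of short-lived certificates; it assumes the client renews once two-thirds of the lifetime has elapsed and retries every minute when the CA does not answer, both constructed parameters.

```python
from datetime import datetime, timedelta, timezone

LIFETIME = timedelta(hours=1)   # certificate lifetime given in the post
RENEW_FRACTION = 2 / 3          # assumption: request a replacement at 2/3 of the lifetime
RETRY = timedelta(minutes=1)    # assumption: retry interval while the ACME CA is unreachable


def renew_time(not_before, not_after, fraction=RENEW_FRACTION):
    """Instant at which the ACME client should request a replacement certificate."""
    return not_before + (not_after - not_before) * fraction


def max_tolerable_outage(lifetime=LIFETIME, fraction=RENEW_FRACTION):
    """Longest CA outage that still leaves no gap: the time between renewal and expiry."""
    return lifetime * (1 - fraction)


def ca_available(t, outage):
    """Constructed availability model: the CA answers except inside the [begin, end) window."""
    return outage is None or not (outage[0] <= t < outage[1])


def simulate(start, horizon, lifetime=LIFETIME, outage=None):
    """Replay renewals from `start` for `horizon`.

    Returns the list of (not_before, not_after) validity windows that were issued
    and the total time during which no valid certificate existed.
    """
    certs = [(start, start + lifetime)]
    gap = timedelta(0)
    while True:
        not_before, not_after = certs[-1]
        t = renew_time(not_before, not_after)
        while not ca_available(t, outage):   # keep retrying until the CA answers
            t += RETRY
        if t >= start + horizon:
            break
        if t > not_after:                    # renewal landed after expiry: a real gap
            gap += t - not_after
        certs.append((t, t + lifetime))
    return certs, gap


if __name__ == "__main__":
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    _, gap = simulate(start, timedelta(hours=6), outage=(start + timedelta(minutes=30), start + timedelta(minutes=70)))
    print("tolerable outage:", max_tolerable_outage(), "gap with 40 min outage:", gap)
```

With 1h certificates the CA may be unreachable for at most 20 minutes before hosts start serving expired certificates, so the proposed in-cluster CA service would itself need to be highly available.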