[openstack-dev] [Neutron][LBaaS] Vote required for certificate as first-class citizen - SSL Termination (Revised)
Samuel Bercovici
SamuelB at Radware.com
Thu Dec 5 19:14:12 UTC 2013
Correct.
Evgeny will update the WIKI accordingly.
We will add a flag in the SSL Certificate to allow specifying that the private key can't be persisted. And in this case, the private key could be passed when associating the cert_id with the VIP.
Regards,
-Sam.
-----Original Message-----
From: Nachi Ueno [mailto:nachi at ntti3.com]
Sent: Thursday, December 05, 2013 8:21 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Neutron][LBaaS] Vote required for certificate as first-class citizen - SSL Termination (Revised)
Hi folks
OK, It looks like we get consensus on
separate resource" way.
Best
Nachi
2013/12/5 Eugene Nikanorov <enikanorov at mirantis.com>:
> Hi,
>
> My vote is for separate resource (e.g. 'New Model'). Also I'd like to
> see certificate handling as a separate extension/db mixing(in fact,
> persistence
> driver) similar to service_type extension.
>
> Thanks,
> Eugene.
>
>
> On Thu, Dec 5, 2013 at 2:13 PM, Stephen Gran
> <stephen.gran at theguardian.com>
> wrote:
>>
>> Hi,
>>
>> Right, sorry, I see that wasn't clear - I blame lack of coffee :)
>>
>> I would prefer the "Revised New Model". I much prefer the ability to
>> restore a loadbalancer from config in the event of node failure, and
>> the ability to do basic sharing of certificates between VIPs.
>>
>> I think that a longer term plan may involve putting the certificates
>> in a smarter system if we decide we want to do things like evaluate
>> trust models, but just storing them locally for now will do most of
>> what I think people want to do with SSL termination.
>>
>> Cheers,
>>
>>
>> On 05/12/13 09:57, Samuel Bercovici wrote:
>>>
>>> Hi Stephen,
>>>
>>> To make sure I understand, which model is fine "Basic/Simple" or "New".
>>>
>>> Thanks,
>>> -Sam.
>>>
>>>
>>> -----Original Message-----
>>> From: Stephen Gran [mailto:stephen.gran at theguardian.com]
>>> Sent: Thursday, December 05, 2013 8:22 AM
>>> To: openstack-dev at lists.openstack.org
>>> Subject: Re: [openstack-dev] [Neutron][LBaaS] Vote required for
>>> certificate as first-class citizen - SSL Termination (Revised)
>>>
>>> Hi,
>>>
>>> I would be happy with this model. Yes, longer term it might be nice
>>> to have an independent certificate store so that when you need to be
>>> able to validate ssl you can, but this is a good intermediate step.
>>>
>>> Cheers,
>>>
>>> On 02/12/13 09:16, Vijay Venkatachalam wrote:
>>>>
>>>>
>>>> LBaaS enthusiasts: Your vote on the revised model for SSL Termination?
>>>>
>>>> Here is a comparison between the original and revised model for SSL
>>>> Termination:
>>>>
>>>> ***************
>>>> Original Basic Model that was proposed in summit
>>>> ***************
>>>> * Certificate parameters introduced as part of VIP resource.
>>>> * This model is for basic config and there will be a model
>>>> introduced in future for detailed use case.
>>>> * Each certificate is created for one and only one VIP.
>>>> * Certificate params not stored in DB and sent directly to loadbalancer.
>>>> * In case of failures, there is no way to restart the operation
>>>> from details stored in DB.
>>>> ***************
>>>> Revised New Model
>>>> ***************
>>>> * Certificate parameters will be part of an independent certificate
>>>> resource. A first-class citizen handled by LBaaS plugin.
>>>> * It is a forwarding looking model and aligns with AWS for
>>>> uploading server certificates.
>>>> * A certificate can be reused in many VIPs.
>>>> * Certificate params stored in DB.
>>>> * In case of failures, parameters stored in DB will be used to
>>>> restore the system.
>>>>
>>>> A more detailed comparison can be viewed in the following link
>>>>
>>>> https://docs.google.com/document/d/1fFHbg3beRtmlyiryHiXlpWpRo1oWj8F
>>>> qVe
>>>> ZISh07iGs/edit?usp=sharing
>>
>>
>> --
>> Stephen Gran
>> Senior Systems Integrator - theguardian.com Please consider the
>> environment before printing this email.
>> ------------------------------------------------------------------
>> Visit theguardian.com
>> On your mobile, download the Guardian iPhone app theguardian.com/iphone
>> and our iPad edition theguardian.com/iPad Save up to 33% by subscribing to
>> the Guardian and Observer - choose the papers you want and get full
>> digital access.
>> Visit subscribe.theguardian.com
>>
>> This e-mail and all attachments are confidential and may also be
>> privileged. If you are not the named recipient, please notify the
>> sender and delete the e-mail and all attachments immediately.
>> Do not disclose the contents to another person. You may not use the
>> information for any purpose, or store, or copy, it in any way.
>>
>> Guardian News & Media Limited is not liable for any computer viruses
>> or other material transmitted with or as part of this e-mail. You
>> should employ virus checking software.
>>
>> Guardian News & Media Limited
>>
>> A member of Guardian Media Group plc
>> Registered Office
>> PO Box 68164
>> Kings Place
>> 90 York Way
>> London
>> N1P 2AP
>>
>> Registered in England Number 908396
>>
>> ---------------------------------------------------------------------
>> -----
>>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
More information about the OpenStack-dev
mailing list