[openstack-dev] [Magnum][Anchor][Barbican] Magnum as a CA

Adrian Otto adrian.otto at rackspace.com
Thu Jul 9 01:28:32 UTC 2015


To be clear the IRC discussion is for Thursday 2015-07-09 at 23:30 UTC.

-------- Original message --------
From: Madhuri <madhuri.rai07 at gmail.com>
Date: 07/08/2015 6:18 PM (GMT-08:00)
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Subject: [openstack-dev] [Magnum][Anchor][Barbican] Magnum as a CA

Hi All,

Magnum as a CA mainly aims at how certificates and keys for both client (magnum-conductor)
and server (kube-apiserver) will be generated and who will be the CA.

Blueprint Link: https://blueprints.launchpad.net/magnum/+spec/magnum-as-a-ca

Currently we have 3 options to generate certificates.

1. Write our own tool.
In this approach, we will have our own tool to generate certificates signed by a CA.
A review has been submitted for it:
https://review.openstack.org/#/c/199493/


2. Using Anchor.
Anchor is a stackforge project that automates the verification of CSRs and signs certificates for clients.
https://github.com/stackforge/anchor

Anchor can be used to generate a signed certificate.

3. Using Barbican.
Barbican can also be used for generating certificates signed by some CA plugins.
http://docs.openstack.org/developer/barbican/plugin/certificate.html

Moreover it can also be used to store certificates securely.

Folks, please provide your views on which is the most suitable option for adding TLS support in Magnum.

Also, we will have a meeting on #openstack-containers at 23:30 UTC to discuss the same. Request Barbican and Anchor developers also to join.


Regards
Madhuri