[openstack-dev] [Magnum][Anchor][Barbican] Magnum as a CA

Madhuri madhuri.rai07 at gmail.com
Thu Jul 9 08:12:59 UTC 2015


Hi,

On Thu, Jul 9, 2015 at 11:13 AM, OTSUKA, Motohiro <yuanying at oeilvert.org>
wrote:

> I think it’s better to use Barbican,
> It provides CA function and also secure key storage.
>

Agree. Barbican is suitable for us in both cases, for generating certs
and also its storage. But I am not sure whether Barbican can be made a hard
dependency in Magnum or not?


>
> magnum-conductor should store conductor’s client key to connect to the k8s api
> server.
>
>
> Thanks
> -Yuanying
>
> On Thursday, July 9, 2015 at 10:12, Madhuri wrote:
>
> Hi All,
>
> Magnum as a CA mainly aims at how certificates and keys for both
> client(magnum-conductor)
> and server(kube-apiserver) will be generated and who will be the CA.
>
> Blueprint Link:
> https://blueprints.launchpad.net/magnum/+spec/magnum-as-a-ca
>
> Currently we have 3 options to generate certificates.
>
> *1. Write our own tool.*
> In this approach, we will have our own tool to generate certificates signed
> by a CA.
> A review has been submitted for it:
> https://review.openstack.org/#/c/199493/
>
>
> *2. Using Anchor.*
> Anchor is a stackforge project that automates the verification of CSRs
> and signs certificates for clients.
> https://github.com/stackforge/anchor
>
> Anchor can be used to generate signed certificates.
>
>
> *3. Using Barbican.*
> Barbican can also be used for generating certificates
> signed by some CA plugins.
> http://docs.openstack.org/developer/barbican/plugin/certificate.html
>
> Moreover it can also be used to store certificates securely.
>
> Folks, please provide your views on which is the most suitable option for
> adding TLS support in Magnum.
>
> Also, we will have a meeting on *#openstack-containers* at *23:30 UTC* to
> discuss the same. Request Barbican and Anchor developers also to join.
>
>
> Regards
> Madhuri
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>
Regards,
Madhuri