[openstack-dev] [Magnum][Anchor][Barbican] Magnum as a CA

Adrian Otto adrian.otto at rackspace.com
Fri Jul 10 00:34:01 UTC 2015


Team,

We held the IRC discussion as scheduled today 2015-07-09 at 23:30 in #openstack-containers. We tried using Meetbot to log the meeting but that apparently failed because we crossed the date line to July 10th before we ended the meeting, so the transcript is available in two parts starting here:

http://eavesdrop.openstack.org/irclogs/%23openstack-containers/%23openstack-containers.2015-07-09.log.html#t2015-07-09T23:30:24

And ending here:

http://eavesdrop.openstack.org/irclogs/%23openstack-containers/%23openstack-containers.2015-07-10.log.html#t2015-07-10T00:05:29

High Level Summary:

Attendees:

adrian_otto
sdake
madhuri
yuanying
sicarie
redrobot

Key Decision:

#agreed Magnum will use Barbican for an initial implementation for certificate generation and secure storage/retrieval. We will commit to a second phase of development to eliminate the hard requirement on Barbican with an alternate implementation that implements the functional equivalent in Magnum, which may depend on libraries, but not Barbican.

We also received a statement of support from redrobot (Douglas Mendizabal, Barbican PTL) to assist Magnum devs to produce a successful integration with Barbican.

I will reference this decision in our upcoming team meeting on Tuesday 2015-07-14 at 2200 UTC in #openstack-meeting-alt.

Thanks everyone for your attention!

Regards,

Adrian

> On Jul 9, 2015, at 1:12 AM, Madhuri <madhuri.rai07 at gmail.com> wrote:
> 
> Hi,
> 
> On Thu, Jul 9, 2015 at 11:13 AM, OTSUKA, Motohiro <yuanying at oeilvert.org> wrote:
>> I think it’s better to use Barbican,
>> It provides CA function and also secure key storage.
> 
> Agree. Barbican is suitable for us in both the cases, for generating certs and also its storage. But I am not sure whether Barbican can be made a hard dependency in Magnum or not.
> 
>> magnum-conductor should store conductor’s client key to connect to the k8s API server.
>> 
>> Thanks
>> -Yuanying
>> 
>> On Thursday, July 9, 2015 at 10:12, Madhuri wrote:
>> 
>>> Hi All,
>>> 
>>> Magnum as a CA mainly aims at how certificates and keys for both the client (magnum-conductor)
>>> and the server (kube-apiserver) will be generated, and who will be the CA.
>>> 
>>> Blueprint Link: https://blueprints.launchpad.net/magnum/+spec/magnum-as-a-ca
>>> 
>>> Currently we have 3 options to generate certificates.
>>> 
>>> 1. Write our own tool.
>>> In this approach, we will have our own tool to generate certificates signed by a CA.
>>> A review has been submitted for it:
>>> https://review.openstack.org/#/c/199493/
>>> 
>>> 2. Using Anchor.
>>> Anchor is a stackforge project that automates the verification of CSRs and signs certificates for clients.
>>> https://github.com/stackforge/anchor
>>> 
>>> Anchor can be used to generate signed certificates.
>>> 
>>> 3. Using Barbican.
>>> Barbican can also be used for generating certificates signed by some CA plugin.
>>> http://docs.openstack.org/developer/barbican/plugin/certificate.html
>>> 
>>> Moreover, it can also be used to store certificates securely.
>>> 
>>> Folks, please provide your views on which is the most suitable option for adding TLS support in Magnum.
>>> 
>>> Also, we will have a meeting on #openstack-containers at 23:30 UTC to discuss the same. Barbican and Anchor developers are also requested to join.
>>> 
>>> Regards
>>> Madhuri
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
> 
> 
> Regards,
> Madhuri
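
Option 1 above (Magnum acting as its own CA) and Yuanying's point that magnum-conductor keeps its own client key, illustrated by an added example that is not code from this thread, from the linked Gerrit review, or from Magnum: a per-bay CA that issues a clientAuth certificate to magnum-conductor and a serverAuth certificate to kube-apiserver from their CSRs, plus the check a relying party makes before trusting a leaf. It assumes the third-party `cryptography` package; the function names and the bay identifier are made up for the example.

```python
# Added example, not Magnum's own code; assumes the third-party `cryptography` package.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
ROLE_EKU = {"client": ExtendedKeyUsageOID.CLIENT_AUTH,   # magnum-conductor
            "server": ExtendedKeyUsageOID.SERVER_AUTH}   # kube-apiserver
NOT_BEFORE = datetime.datetime.now(datetime.timezone.utc)
NOT_AFTER = NOT_BEFORE + datetime.timedelta(days=365)

def make_bay_ca(bay_uuid):
    """Self-signed CA per bay; its private key stays with the issuer (Magnum or Barbican)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "magnum-ca-" + bay_uuid)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOT_BEFORE).not_valid_after(NOT_AFTER)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_csr(common_name):  # run by magnum-conductor or kube-apiserver; the key never leaves them
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return key, x509.CertificateSigningRequestBuilder().subject_name(name).sign(key, hashes.SHA256())

def sign_csr(ca_key, ca_cert, csr, role, dns_names=()):
    """Issue a leaf for a CSR; the CA, not the requester, pins CA:FALSE, the role's EKU and any SAN."""
    if not csr.is_signature_valid:  # proof of possession of the requester's private key
        raise ValueError("CSR signature invalid")
    builder = (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(ca_cert.subject)
               .public_key(csr.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(NOT_BEFORE).not_valid_after(NOT_AFTER)
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
               .add_extension(x509.ExtendedKeyUsage([ROLE_EKU[role]]), critical=False))
    if dns_names:  # server certs need a SAN so kube clients can match the API endpoint name
        builder = builder.add_extension(x509.SubjectAlternativeName([x509.DNSName(d) for d in dns_names]), critical=False)
    return builder.sign(ca_key, hashes.SHA256())

def accept_leaf(ca_cert, cert, expected_role):
    """Relying-party check: signed by this bay's CA, not itself a CA, and carrying the expected EKU."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except (InvalidSignature, x509.ExtensionNotFound):  # e.g. the CA cert itself carries no EKU
        return False
    return cert.issuer == ca_cert.subject and not bc.ca and ROLE_EKU[expected_role] in eku
```

The EKU check is what stops a kube-apiserver server certificate from being presented as a conductor client identity, and the CA:FALSE check stops a leaf from issuing further certificates.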