[openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?
Adam Young
ayoung at redhat.com
Mon Nov 2 20:54:22 UTC 2015
On 10/26/2015 02:38 PM, Major Hayden wrote:
> Hello there,
>
> I've been researching some additional ways to secure openstack-ansible deployments and I backed myself into a corner with secure log transport. The rsyslog client requires a trusted CA certificate to be able to send encrypted logs to rsyslog servers. That's not a problem if users bring their own certificates, but it does become a problem if we use the self-signed certificates that we're creating within the various roles.
>
> I'm wondering if we could create a role that creates a CA on the deployment host and then uses that CA to issue certificates for various services *if* a user doesn't specify that they want to bring their own certificates. We could build the CA very early in the installation process and then use it to sign certificates for each individual service. That would allow to have some additional trust in environments where deployers don't choose to bring their own certificates.
>
> Does this approach make sense?
>
> --
> Major Hayden
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
FreeIPA has a Dogtag server that can be your full CA. I would recommend not rolling our own.

We have a playbook that does this here: https://github.com/admiyo/rippowam specifically in the https://github.com/admiyo/rippowam/tree/master/roles/ipaserver role
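The mechanics of the proposal above (a CA created on the deployment host that signs one certificate per service, which the rsyslog client then trusts via its CA file) as an added example. This is not openstack-ansible code and not the rippowam playbook; it assumes only the openssl command-line tool, and the working directory, service names and hostnames are constructed for the demonstration. The last function is the check an rsyslog gtls client effectively performs against the file named by $DefaultNetstreamDriverCAFile, and the demo at the bottom shows why a per-role self-signed certificate fails it while a CA-issued one passes.

```shell
#!/bin/sh
# Added example, not openstack-ansible code. Assumes: openssl on PATH.
set -eu

# make_ca DIR: create a self-signed CA (key + cert) in DIR/ca.key, DIR/ca.crt.
# pathlen:0 means this CA may only issue end-entity certs, not sub-CAs.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = openstack-ansible deployment CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -days 3650 \
        -config "$dir/ca.cnf" -out "$dir/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME HOST: issue DIR/NAME.key and DIR/NAME.crt for HOST,
# signed by DIR/ca.*, with a SAN so hostname verification can succeed.
issue_cert() {
    dir="$1"; name="$2"; host="$3"
    cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$host
EOF
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "/CN=$host" \
        -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# make_selfsigned DIR NAME HOST: the kind of standalone self-signed cert the
# individual roles produce today; it chains to nothing.
make_selfsigned() {
    dir="$1"; name="$2"; host="$3"
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -subj "/CN=$host" -days 365 -out "$dir/$name.crt" 2>/dev/null
}

# trusted_by_ca CAFILE CERT: exit 0 if CERT chains to CAFILE, 1 otherwise.
# This is the decision an rsyslog client makes with the CA file it is given.
trusted_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo (constructed names): one CA, one issued cert, one lone self-signed cert.
demo_dir="$(mktemp -d)"
make_ca "$demo_dir"
issue_cert "$demo_dir" rsyslog-server rsyslog1.example.internal
make_selfsigned "$demo_dir" lone rsyslog2.example.internal
if trusted_by_ca "$demo_dir/ca.crt" "$demo_dir/rsyslog-server.crt"; then
    echo "CA-issued cert: trusted"
fi
if ! trusted_by_ca "$demo_dir/ca.crt" "$demo_dir/lone.crt"; then
    echo "self-signed cert: NOT trusted (what the rsyslog client would reject)"
fi
```

The deployment CA's private key (ca.key) is the crown jewel here: it must stay on the deployment host and never be copied into the containers, only ca.crt and each service's own key and certificate are distributed.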