[openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?

Adam Young ayoung at redhat.com
Mon Nov 2 20:54:22 UTC 2015


On 10/26/2015 02:38 PM, Major Hayden wrote:
> Hello there,
>
> I've been researching some additional ways to secure openstack-ansible deployments and I backed myself into a corner with secure log transport.  The rsyslog client requires a trusted CA certificate to be able to send encrypted logs to rsyslog servers.  That's not a problem if users bring their own certificates, but it does become a problem if we use the self-signed certificates that we're creating within the various roles.
>
> I'm wondering if we could create a role that creates a CA on the deployment host and then uses that CA to issue certificates for various services *if* a user doesn't specify that they want to bring their own certificates.  We could build the CA very early in the installation process and then use it to sign certificates for each individual service.  That would allow us to have some additional trust in environments where deployers don't choose to bring their own certificates.
>
> Does this approach make sense?
>
> --
> Major Hayden
>

FreeIPA has a Dogtag server that can be your full CA.  I would recommend not rolling our own.

We have a playbook that does this here: https://github.com/admiyo/rippowam specifically in the https://github.com/admiyo/rippowam/tree/master/roles/ipaserver role
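The flow Major proposes above (a deployment-host CA that signs one certificate per service, which the rsyslog client then trusts), written out here as an added example with plain openssl; it is not openstack-ansible or rippowam code, and the directory, service name and hostnames are made-up placeholders.

```shell
# Added example, not openstack-ansible or rippowam code: the flow proposed
# above, built with plain openssl so each step is visible. Directory names,
# hostnames and the service name are made-up placeholders.
set -e

# make_ca DIR CN: self-signed CA in DIR. A private config is used so that the
# system openssl.cnf cannot add or change extensions on the CA certificate.
make_ca() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca
[dn]
CN = $cn
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt"
    chmod 600 "$dir/ca.key"
}

# issue_cert DIR NAME HOST: per-service key + CSR, signed by the CA in DIR.
# The leaf is pinned to CA:FALSE and serverAuth so it cannot itself sign.
issue_cert() {
    dir="$1"; name="$2"; host="$3"
    printf 'basicConstraints = critical,CA:FALSE\nkeyUsage = critical,digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\nauthorityKeyIdentifier = keyid\n' "$host" > "$dir/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
        -subj "/CN=$host" -keyout "$dir/$name.key" -out "$dir/$name.csr"
    openssl x509 -req -days 825 -sha256 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt"
}

# verify_cert DIR NAME HOST: the check an rsyslog client configured with
# ca.crt as its trust anchor performs: chain, server purpose, hostname.
verify_cert() {
    dir="$1"; name="$2"; host="$3"
    openssl verify -CAfile "$dir/ca.crt" -purpose sslserver \
        -verify_hostname "$host" "$dir/$name.crt" >/dev/null
}
```

Only ca.crt needs to be distributed to the rsyslog clients; ca.key stays on the deployment host, and a deployer who brings their own certificates simply skips make_ca and issue_cert.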


