[Openstack-operators] OpenStack services and ca certificate config entries
Sean Dague
sean at dague.net
Thu Mar 26 10:20:04 UTC 2015
FYI -
http://lists.openstack.org/pipermail/openstack-dev/2014-June/037238.html
happened over the summer, which at least normalizes the names. I felt
like bits of this conversation were familiar. That's all in projects in
Kilo.
I do agree that single CA seems like a more sensible default than
currently needing multiple sections in the nova.conf (as an example).
That's basically a raw export of the complexity of the underlying code
and should be addressed.
On 03/26/2015 12:52 AM, Mike Dorman wrote:
> I have struggled with this stuff in the past, too. And have had
> situations where certs come from different CAs, so I can see some value
> in an ability to override the global defaults for specific services.
>
> However, for the small fraction of use cases that would cover, I think
> the cert concatenation solution/work-around is sufficient. I can’t
> really think of why one couldn’t/wouldn’t do that.
>
> But definitely +1 on consistent config option naming, at a minimum.
>
> Mike
>
>
> From: Erik McCormick
> Date: Wednesday, March 25, 2015 at 9:36 PM
> To: Michael Still
> Cc: Jesse Keating, OpenStack Operators
> Subject: Re: [Openstack-operators] OpenStack services and ca certificate
> config entries
>
> I'll start by saying I went the system bundle route also and have thus
> far had no issues with it. I'll also say that I'm using RDO packages
> still and not doing anything with venvs or pip installed stuff.
>
> On Wed, Mar 25, 2015 at 6:33 PM, Michael Still <mikal at stillhq.com
> <mailto:mikal at stillhq.com>> wrote:
>
> Thanks for starting this thread Jesse. I agree that heat looks like a
> good model for other projects to model themselves on here.
>
> Can anyone think of a use case for having a per client / driver CA
> file? I can't, but perhaps I'm missing something.
>
> There could potentially be instances where one service would be running
> certificates issued off of one internal CA and others on another, but
> really I don't see the point of splitting them out when you can
> concatenate the CA certificates together and feed it in as a bundle that
> covers everything. This one section from Heat would cover everything I
> would think.
>
> [clients]
> ca_file = <path>
>
>
> Michael
>
> On Thu, Mar 26, 2015 at 5:13 AM, Jesse Keating <jlk at bluebox.net
> <mailto:jlk at bluebox.net>> wrote:
> > We're facing a bit of a frustration. In some of our environments, we're
> > using a self-signed certificate for our ssl termination (haproxy). We have
> > our various services pointing at the haproxy for service cross-talk, such as
> > nova to neutron or nova to glance or nova to cinder or neutron to nova or
> > cinder to glance or all the things to keystone. When using a self-signed
> > certificate, these services have trouble validating the cert when they
> > attempt to talk to each other. This problem can be solved in a few ways,
> > such as adding the CA to the system bundle (of your platform has such a
> > thing), adding the CA to the bundle python requests uses (because
> > hilariously it doesn't always use the system bundle), or the more direct way
> > of telling nova, neutron, et al the direct path to the CA file.
> >
> > This last choice is the way we went forward, more explicit, and didn't
> > depend on knowledge if python-requests was using its own bundle or the
> > operating system's bundle. To configure this there are a few places that
> > need to be touched.
> >
> > nova.conf:
> > [keystone_authtoken]
> > cafile = <path>
> >
> > [neutron]
> > ca_certificates_file = <path>
> >
> > [cinder]
> > ca_certificates_file = <path>
> >
> > (nothing for glance hilariously)
> >
> >
> > neutron.conf
> > [DEFAULT]
> > nova_ca_certificates_file = <path>
> >
> > [keystone_authtoken]
> > cafile = <path>
> >
> > glance-api.conf and glance-registry.conf
> > [keystone_authtoken]
> > cafile = <path>
> >
> > cinder.conf
> > [DEFAULT]
> > glance_ca_certificates_file = <path>
> >
> > [keystone_authtoken]
> > cafile = <path>
> >
> > heat.conf
> > [clients]
> > ca_file = <path>
> >
> > [clients_<whatever>]
> > ca_file = <path>
> >
> >
> > As you can see, there are a lot of places where one would have to define the
> > path, and the frustrating part is that the config name and section varies
> > across the services. Does anybody think this is a good thing? Can anybody
> > think of a good way forward to come to some sort of agreement on config
> > names? It does seem like heat is a winner here, it has a default that can be
> > defined for all clients, and then each client could potentially point to a
> > different path, but every config entry is named the same. Can we do that
> > across all the other services?
> >
> > I chatted a bit on twitter last night with some nova folks, they suggested
> > starting a thread here on ops list and potentially turning it into a hallway
> > session or real session at the Vancouver design summit (which operators are
> > officially part of).
> >
> > - jlk
> >
> > _______________________________________________
> > OpenStack-operators mailing list
> > OpenStack-operators at lists.openstack.org
> <mailto:OpenStack-operators at lists.openstack.org>
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> >
>
>
>
> --
> Rackspace Australia
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> <mailto:OpenStack-operators at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
> -Erik
>
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
--
Sean Dague
http://dague.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 465 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150326/534352c1/attachment.pgp>
More information about the OpenStack-operators
mailing list