Bug 1698957

Summary: [RFE] Manage certmonger certificate via ansible instead of puppet
Product: Red Hat OpenStack
Reporter: Cédric Jeanneret <cjeanner>
Component: openstack-tripleo-heat-templates
Assignee: MilanaLevy <millevy>
Status: CLOSED ERRATA
QA Contact: Jeremy Agee <jagee>
Severity: medium
Priority: high
Version: 16.0 (Train)
CC: afariasa, alee, augol, dcaspin, fpantano, gfidente, ggrasza, hrybacki, mariel, mburns, millevy, nlevinki, scohen, spower
Target Milestone: beta
Keywords: FutureFeature, Triaged
Target Release: 17.1
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: openstack-tripleo-heat-templates-14.3.1-0.20211005003139.a489da0.el8ost
Doc Type: No Doc Update
Last Closed: 2023-08-16 01:09:21 UTC
Type: Bug
Bug Depends On: 2017849    
Bug Blocks: 1880142    

Description Cédric Jeanneret 2019-04-11 13:39:28 UTC
In order to get a more secure thing with TLS, we should stop creating one shared certificate across multiple containers/services.

In order to do so, we should move away from the puppet code and, instead, manage the certificate directly via ansible, using either a dedicated module or a reusable role, and calling this facility directly from within tripleo-heat-templates, in the right files.

The Spec has been approved:
http://specs.openstack.org/openstack/tripleo-specs/specs/train/certificate-management.html

The DFG:Security is all for that, especially if we can get a proper, dedicated internal certificate for each service.

Comment 10 spower 2022-06-02 11:58:09 UTC
This RFE was not marked MVP for OSP 17.0; it will be moved to 17.1. If Tech Preview is required for OSP 17.0, please clone the issue and follow procedure, contact the TRAC team.

Comment 26 errata-xmlrpc 2023-08-16 01:09:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577