Red Hat Bugzilla – Bug 1462670
Octavia TripleO support: Generate certificates using TLS everywhere
Last modified: 2017-07-14 16:16:27 EDT
Description of problem:
Octavia provides a script for generating certificates, as mentioned here, but I'm not sure this is what we expect our customers to do.
Moreover, we currently exclude this script from our packaging, so we don't even currently ship it.
The end result we aim to achieve here is to have a TripleO doc (which is WIP) that guides the operator on how exactly he/she should deploy Octavia, as currently some steps are executed manually.
The certificates part is currently expected to be executed before the deployment even starts, yet it is not clear how/what we expect the operator to do and what is the best practice for secure certificate configuration.
To the best of my knowledge, we have two alternatives here:
1. Use the solution mentioned in https://docs.openstack.org/developer/tripleo-docs/advanced_deployment/tls_everywhere.html
2. Use and ship the Octavia certificates creation script: https://github.com/openstack/octavia/blob/master/bin/create_certificates.sh