This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1462670 - Octavia TripleO support: Generate certificates using TLS everywhere
Octavia TripleO support: Generate certificates using TLS everywhere
Status: ASSIGNED
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo (Show other bugs)
12.0 (Pike)
Unspecified Unspecified
high Severity high
: ---
: 12.0 (Pike)
Assigned To: Brent Eagles
Arik Chernetsky
: Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-19 04:49 EDT by Nir Magnezi
Modified: 2017-07-14 16:16 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 447496 None None None 2017-06-19 04:49 EDT

  None (edit)
Description Nir Magnezi 2017-06-19 04:49:53 EDT
Description of problem:
=======================
Octavia provides a script for generating certificates, as mentioned here[1], but I'm not sure this is what we expect our customers to do.
Moreover, we currently exclude[2] this script from our packaging, so we don't even currently ship it.

The end result we aim to achieve here is to have a tripleO doc (which is WIP[3]) that guides the operator on how exactly he/she should deploy Octavia. As currently some steps are executed manually.

The certificates part is currently expected to be executed before[3] the deployment even starts, yet it is not clear how/what we expect the operator to do and what is the best practice for secure certificate configuration.

To the best of my knowledge, we have two alternatives here:
1. Use the solution mentioned in https://docs.openstack.org/developer/tripleo-docs/advanced_deployment/tls_everywhere.html
2. Use and ship the Octavia certificates creation script: https://github.com/openstack/octavia/blob/master/bin/create_certificates.sh


[1] https://docs.openstack.org/developer/octavia/guides/dev-quick-start.html#create-octavia-keys-and-certificates
[2] https://github.com/rdo-packages/octavia-distgit/blob/rpm-master/openstack-octavia.spec#L336
[3] https://review.openstack.org/#/c/447496/20/doc/source/advanced_deployment/octavia-post-deploy.sh@263

Note You need to log in before you can comment on or make changes to this bug.