Bug 1698957 - [RFE] Manage certmonger certificate via ansible instead of puppet
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 16.0 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: beta
Target Release: 17.1
Assignee: MilanaLevy
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On: 2017849
Blocks: 1880142
Reported: 2019-04-11 13:39 UTC by Cédric Jeanneret
Modified: 2023-08-16 01:10 UTC

Fixed In Version: openstack-tripleo-heat-templates-14.3.1-0.20211005003139.a489da0.el8ost
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-16 01:09:21 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 771832 0 None MERGED Generate certificates using ansible role 2021-03-17 14:07:39 UTC
Red Hat Issue Tracker OSP-254 0 None None None 2021-11-19 12:39:52 UTC
Red Hat Product Errata RHEA-2023:4577 0 None None None 2023-08-16 01:10:48 UTC

Description Cédric Jeanneret 2019-04-11 13:39:28 UTC
In order to get a more secure thing with TLS, we should stop creating one shared certificate across multiple containers/services.

In order to do so, we should move away from the puppet code and, instead, manage the certificate directly via ansible, using either a dedicated module or a reusable role, and calling this facility directly from within tripleo-heat-templates, in the right files.

The Spec has been approved:
http://specs.openstack.org/openstack/tripleo-specs/specs/train/certificate-management.html

The DFG:Security is all for that, especially if we can get a proper, dedicated internal certificate for each service.

Comment 10 spower 2022-06-02 11:58:09 UTC
This RFE was not marked MVP for OSP 17.0, it will be moved to 17.1. If Tech Preview is required for OSP 17.0 please clone issue and follow procedure, contact the TRAC team.

Comment 26 errata-xmlrpc 2023-08-16 01:09:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577
