Need for documentation of required characteristics for user supplied CA certificates
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Charms Deployment Guide |
Fix Released
|
High
|
Tianqi Xiao |
Bug Description
When deploying with Vault the user may choose to supply their own intermediate CA certificate.
For successful operation certain characteristics about the certificate must be correct otherwise one may run into obscure failures further down the line.
In an OpenStack deployment certificates are used both for TLS Web Server Authentication as well as Client Authentication.
Client Authentication is used between OVN OVSDB Servers, between OVSDB Servers and control plane clients.
At present certificates for the private client-/server- communication between Octavia and its amphora is not automated with Vault, but if you choose to use a CA certificate that does not allow Client authentication in the certificate chain for the certs used between the Octavia worker and its Amphorae it will not work.
If the provided CA certificate does not allow for both server and client authentication the deployment will fail.
To demonstrate the issue you can modify the certificate generation in our test suite like this:
--- /home/frode/
+++ .tox/func-
@@ -122,6 +122,11 @@
)
+ builder = builder.
+ cryptography.
+ cryptography.
+ critical=True,
+ )
if signing_key:
sign_key = _signing_key
Which will make the services that require client authentication fail.
description: | updated |
description: | updated |
description: | updated |
Changed in charm-deployment-guide: | |
status: | New → In Progress |
Changed in charm-deployment-guide: | |
assignee: | nobody → Tianqi Xiao (txiao) |
Changed in charm-deployment-guide: | |
importance: | Undecided → High |
Would also be good to have a way for charms that require client certificate authentication to check whether the provided certificate allows for it.
As per the upstream documentation [0] the Vault secrets PKI engine allows a client to provide both a `server_flag` and a `client_flag` which would produce an immediate error if the properties of the CA does not allow for either.
However, this detail is hidden from the tls-certificates interface [1] and Vault charm [2].
So either we have to fix the interface and vault charm to be able to express this detail or we have to add a common function in some framework so that we can perform the check when required.
0: https:/ /www.vaultproje ct.io/api- docs/secret/ pki#create- update- role /github. com/juju- solutions/ interface- tls-certificate s /github. com/openstack/ charm-vault
1: https:/
2: https:/