Need for documentation of required characteristics for user supplied CA certificates

When deploying with Vault the user may choose to supply their own intermediate CA certificate.

For successful operation certain characteristics about the certificate must be correct otherwise one may run into obscure failures further down the line.

In an OpenStack deployment certificates are used both for TLS Web Server Authentication as well as Client Authentication.

Client Authentication is used between OVN OVSDB Servers, between OVSDB Servers and control plane clients.

At present certificates for the private client-/server- communication between Octavia and its amphora is not automated with Vault, but if you choose to use a CA certificate that does not allow Client authentication in the certificate chain for the certs used between the Octavia worker and its Amphorae it will not work.

If the provided CA certificate does not allow for both server and client authentication the deployment will fail.

To demonstrate the issue you can modify the certificate generation in our test suite like this:
--- /home/frode/src/github.com/openstack-charmers/zaza-openstack-tests/zaza/openstack/utilities/cert.py 2021-01-18 21:21:51.129458513 +0100
+++ .tox/func-smoke/lib/python3.9/site-packages/zaza/openstack/utilities/cert.py2021-01-26 12:33:31.800475831 +0100
@@ -122,6 +122,11 @@
         cryptography.x509.BasicConstraints(ca=generate_ca, path_length=None),
         critical=True,
     )
+ builder = builder.add_extension(
+ cryptography.x509.ExtendedKeyUsage([
+ cryptography.x509.oid.ExtendedKeyUsageOID.SERVER_AUTH]),
+ critical=True,
+ )

     if signing_key:
         sign_key = _signing_key

Which will make the services that require client authentication fail.