README: lb-mgmt-issuing-* configuration options fed the wrong certificates in example text

Please could you provide a link to the page. It's not clear where you saw this. thanks.

Sorry about that. I've updated the description to include a link to https://jaas.ai/octavia

I would disagree that the openssl commands to generate the issuing certs are extraneous, the bug here then is in the snippet where certs are configured through Juju.

The lb-mgmt-issuing-* should be fed the issuing certs and not the controller certs. The Octavia charm gate does this [0].

It of course works to use the same for both, but the upstream Octavia documentation [1] makes the case for why you should use two separate CAs.

0: https://github.com/openstack-charmers/zaza-openstack-tests/blob/632218d0984eda5cf522cd86e34c2ec73e63df4d/zaza/openstack/charm_tests/octavia/setup.py#L83-L109
1: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html

Triaged: Yes, there's something odd going on there. The issuing_ca.pem is then never used.

Actually, the snippet does feed two certificates. One for the issuing CA (controller_ca_*.*) and one for the controller (controller_cert_bundle.pem). The fix really here should be to choose one (issuing_ca_*.*) or the other (controller_ca_*.*). I think the former would be better suited so that there is no chance of confusion.

> Actually, the snippet does feed two certificates. One for the issuing CA
> (controller_ca_*.*) and one for the controller
> (controller_cert_bundle.pem). The fix really here should be to choose
> one (issuing_ca_*.*) or the other (controller_ca_*.*). I think the
> former would be better suited so that there is no chance of confusion.

It does, but it references the same file for both types of
certificates, which is not the intention and diverges from upstream
recommendations.

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/charm-octavia/+/792492

Reviewed: https://review.opendev.org/c/openstack/charm-octavia/+/792492
Committed: https://opendev.org/openstack/charm-octavia/commit/654258c9827bf3f8dde8481a5b4923d5fa7d1a47
Submitter: "Zuul (22348)"
Branch: master

commit 654258c9827bf3f8dde8481a5b4923d5fa7d1a47
Author: Frode Nordahl <email address hidden>
Date: Fri May 21 03:11:53 2021 +0200

    README: Fix example certificate generation for internal octavia/amphora comms

    Closes-Bug: #1927664
    Change-Id: Ib4391f384c18fdb078c080e7bd94f906b71e900b

I think this section needs an update:
https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/latest/app-octavia.html#generate-certificates

To match with the change:
https://opendev.org/openstack/charm-octavia/commit/654258c9827bf3f8dde8481a5b4923d5fa7d1a47

Reviewed: https://review.opendev.org/c/openstack/charm-deployment-guide/+/825033
Committed: https://opendev.org/openstack/charm-deployment-guide/commit/57e75a04888442d79dd455bccb44276326f452c1
Submitter: "Zuul (22348)"
Branch: master

commit 57e75a04888442d79dd455bccb44276326f452c1
Author: Peter Matulis <email address hidden>
Date: Mon Jan 17 22:07:55 2022 -0500

    Fix and improve SSL section for Octavia

    The `genrsa` command is superseded by the `genpkey`
    command.

    The CA cert and key were not being referenced by the
    ensuing block of `juju config` commands.

    Improve and streamline wording.

    Closes-Bug: #1948506
    Closes-Bug: #1927664
    Change-Id: I4cc64319bb2ab8bafd54a85b5d8dabd3c5947549