Support auto-generating required CAs for amphora
Bug #1935577 reported by Nobuto Murata
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Octavia Charm | Triaged | Wishlist | Unassigned |
Bug Description
I thought this was requested before, but I couldn't find it so filing it here.
As per the documentation, we need to generate two sets of custom CAs for the Amphora provider. Since we need to pass blanket CAs anyway, no deployment-specific input is required to generate those.
https:/
It would be nice if it's fully automated in the charm itself or with a relation to Vault.
summary:
- Support auto-generating required CA for amphora
+ Support auto-generating required CAs for amphora
tags: added: bseng-395
Triaging this as wishlist because it is a request for a new feature; that should not be used as a gauge for prioritization of how important that feature is.
The charm itself should not take on the responsibility of managing secrets or life cycle of the CA certificates.
What we would need to do to support this is to extend the Vault charm and its relations with support for issuing CA certificates with attributes and chain of trust appropriate for the use case.
The upstream Octavia documentation [0] recommends using CAs from different chains of trust to avoid a situation where a compromised amphora could impersonate the controller. And this of course complicates the requirements for this feature.
0: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
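
The separate chains of trust mentioned in the comment above can be checked locally. This is an added example, not part of the bug report, the charm or the Octavia documentation: it builds two independent root CAs with the `openssl` CLI and shows that a certificate issued by the amphora-side CA does not validate against the CA used for the controller's client certificate. All file and subject names (`server-ca`, `client-ca`, `amphora`, `controller`) are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration; names and lifetimes are constructed, throwaway values.
set -eu

# make_ca <name>: create a self-signed root CA (<name>.key, <name>.pem).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue_leaf <ca> <name>: issue certificate <name>.pem signed by <ca>.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 7 -out "$2.pem" 2>/dev/null
}

# chains_to <ca> <leaf>: succeed only if <leaf>.pem validates with <ca>.pem
# supplied as the trust anchor.
chains_to() {
  openssl verify -CAfile "$1.pem" "$2.pem" >/dev/null 2>&1
}

workdir=$(mktemp -d)
cd "$workdir"

make_ca server-ca                 # issues certificates to amphorae
make_ca client-ca                 # issues the controller's client certificate
issue_leaf server-ca amphora
issue_leaf client-ca controller

if chains_to client-ca controller; then
  echo "controller cert: accepted by client CA"
fi
# With one shared CA this check would pass, which is the impersonation
# risk the separate chains of trust are meant to remove.
if chains_to client-ca amphora; then
  echo "amphora cert: ACCEPTED by client CA"
else
  echo "amphora cert: rejected by client CA"
fi
```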