Add support for Dual CA in Octavia
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
tripleo | Incomplete | Medium | Gregory Thiemonge | |
Bug Description
Originally reported in https:/
When Octavia is deployed with TripleO, it uses a single CA for all communications between Octavia's services and amphorae: the CA is used by the services to authenticate the amphora and it is used by the amphorae to authenticate the services.
To improve security, upstream documentation recommends the use of two CAs:
- one to authenticate amphorae from the services
- one to authenticate clients (services) in the amphorae.
Upstream doc: https:/
Note that a customer using a single CA should be able to update OSP to a release that supports dual CA without losing control of the existing amphorae.
The following etherpad explains how to achieve it: https:/
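As an added illustration (not part of the bug report, and not TripleO or Octavia code), the following check reads an `octavia.conf` and reports whether the CA that amphorae use to authenticate the services is the same one used on the server side. The option names are Octavia's certificate settings; the sample configs and file paths are constructed for this example.

```python
import configparser
import hashlib

# Octavia options naming the CA for each trust direction.
SERVER_SIDE = [("certificates", "ca_certificate"),   # signs amphora certificates
               ("haproxy_amphora", "server_ca")]     # services verify amphorae
CLIENT_SIDE = ("controller_worker", "client_ca")     # amphorae verify services

def audit_ca_layout(conf_text, read_file=None):
    """Return findings for an octavia.conf passed as text.

    Without read_file, CAs are compared by configured path. With
    read_file(path) -> bytes, they are compared by SHA-256 of content,
    which also catches one CA copied to two paths.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)

    def identity(section, option):
        path = cp.get(section, option, fallback="").strip()
        if not path:
            return None
        return hashlib.sha256(read_file(path)).hexdigest() if read_file else path

    findings = []
    client = identity(*CLIENT_SIDE)
    if client is None:
        findings.append("missing [%s] %s" % CLIENT_SIDE)
    for section, option in SERVER_SIDE:
        server = identity(section, option)
        if server is None:
            findings.append("missing [%s] %s" % (section, option))
        elif server == client:
            findings.append("single CA: [%s] %s is the same CA as [%s] %s"
                            % (section, option, *CLIENT_SIDE))
    return findings

# Constructed sample configs; the file paths are made up for this example.
SINGLE_CA = """
[certificates]
ca_certificate = /etc/octavia/certs/ca.pem
[haproxy_amphora]
server_ca = /etc/octavia/certs/ca.pem
[controller_worker]
client_ca = /etc/octavia/certs/ca.pem
"""
DUAL_CA = SINGLE_CA.replace("client_ca = /etc/octavia/certs/ca.pem",
                            "client_ca = /etc/octavia/certs/client_ca.pem")
```

`audit_ca_layout(SINGLE_CA)` returns two "single CA" findings and `audit_ca_layout(DUAL_CA)` returns an empty list; passing `read_file=lambda p: open(p, "rb").read()` compares the actual certificate files instead of their paths.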
Changed in tripleo:
assignee: nobody → Gregory Thiemonge (gthiemonge)
Changed in tripleo:
milestone: none → victoria-1
importance: Undecided → Medium
Changed in tripleo:
milestone: victoria-1 → victoria-3
Changed in tripleo:
milestone: victoria-3 → wallaby-1
Changed in tripleo:
milestone: wallaby-1 → wallaby-2
Changed in tripleo:
milestone: wallaby-2 → wallaby-3
Related fix proposed to branch: master
Review: https://review.opendev.org/723536