Add support for Dual CA in Octavia

Bug #1875358 reported by Gregory Thiemonge
Affects: tripleo | Status: Incomplete | Importance: Medium | Assigned to: Gregory Thiemonge | Milestone: none

Bug Description

Originally reported in https://bugzilla.redhat.com/show_bug.cgi?id=1828247

When Octavia is deployed with Tripleo, it uses a single CA for all communications between Octavia's services and amphorae: the CA is used by the services to authenticate the amphora and it is used by the amphorae to authenticate the services.

To improve security, upstream documentation recommends the use of two CAs:
- one to authenticate amphorae from the services
- one to authenticate clients (services) in the amphorae.

Upstream doc: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html

Note that a customer using a single CA should be able to update OSP to a release that supports dual CA without losing control of the existing amphorae.
The following etherpad explains how to achieve it: https://etherpad.opendev.org/p/octavia-single-ca-to-multi-ca

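The single-CA versus dual-CA arrangement described above, as an added example that is not part of this bug report and not Octavia's own certificate tooling: a shell script that builds two CAs with the openssl CLI (a server CA that issues amphora certificates and is trusted by the controller services, and a client CA that issues controller certificates and is trusted by the amphorae, mirroring the split the upstream guide recommends) and then uses `openssl verify` to check that each certificate chains only to its own CA. The CA names, subject CNs, key sizes and the temporary directory layout are illustrative assumptions. With a single CA both cross checks would pass for every certificate it ever issued, which is why a certificate held on an amphora could then be presented as a controller client certificate; the dual-CA split is what makes those cross checks fail.

```bash
#!/usr/bin/env bash
# Added example (not Octavia's own tooling): build a dual-CA PKI with openssl
# and check that the two trust domains really are separate.
#   server_ca  issues certificates to amphorae; the controller services trust it
#   client_ca  issues certificates to controller services; the amphorae trust it
# CA names, subject CNs and key sizes below are illustrative assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca <name> <CN>: self-signed CA with an explicit CA:TRUE constraint so
# `openssl verify` accepts it as an issuer regardless of the local openssl.cnf.
make_ca() {
  local name=$1 cn=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "/CN=$cn" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 3650 -sha256 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# issue_cert <ca> <name> <CN> <eku>: end-entity certificate signed by <ca>
# (serverAuth for an amphora, clientAuth for a controller service)
issue_cert() {
  local ca=$1 name=$2 cn=$3 eku=$4
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "/CN=$cn" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$eku" \
    > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" >/dev/null 2>&1
}

# chains_to <ca> <cert>: exit 0 iff <cert> validates against <ca>
chains_to() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# dual_ca_demo: exit 0 only if every certificate chains to its own CA and to
# nothing else, i.e. an amphora certificate cannot pass as a controller client
# certificate and a controller certificate cannot pass as an amphora.
dual_ca_demo() {
  make_ca server_ca "Octavia amphora server CA"
  make_ca client_ca "Octavia controller client CA"
  issue_cert server_ca amphora    "amphora-0001"       serverAuth
  issue_cert client_ca controller "octavia-controller" clientAuth

  # the intended checks: controller verifying an amphora, amphora verifying a controller
  chains_to server_ca amphora    || return 1
  chains_to client_ca controller || return 1
  # the cross checks: with a single shared CA both of these would succeed
  if chains_to client_ca amphora;    then return 1; fi
  if chains_to server_ca controller; then return 1; fi
  return 0
}

dual_ca_demo && echo "dual-CA trust boundaries hold"
```

Run it with bash on a host with the openssl CLI; it writes only to a temporary directory that is removed on exit. Note that `openssl verify` does not enforce the extendedKeyUsage values here (that would need `-purpose`), so the separation shown comes purely from the two distinct issuing CAs. Moving an existing single-CA deployment to this layout without losing control of running amphorae is a separate problem, covered by the etherpad linked above and not by this example.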
Changed in tripleo:
assignee: nobody → Gregory Thiemonge (gthiemonge)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/723536

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/723539

Changed in tripleo:
milestone: none → victoria-1
importance: Undecided → Medium
Changed in tripleo:
milestone: victoria-1 → victoria-3
Changed in tripleo:
milestone: victoria-3 → wallaby-1
Changed in tripleo:
milestone: wallaby-1 → wallaby-2
Changed in tripleo:
milestone: wallaby-2 → wallaby-3
Revision history for this message
Marios Andreou (marios-b) wrote :

Bug status has been set to 'Incomplete' and target milestone has been removed due to inactivity. If you disagree please re-set these values and reach out to us on freenode #tripleo

Changed in tripleo:
status: New → Incomplete
milestone: wallaby-3 → none
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-ansible (master)

Change abandoned by "James Slagle <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/716518
Reason: Abandoning this patch per the TripleO Patch Abandonment guidelines
(https://specs.openstack.org/openstack/tripleo-specs/specs/policy/patch-abandonment.html).
If you wish to have this restored and cannot do so yourself, please reach out
via #tripleo on OFTC or the OpenStack Dev mailing list.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-common (master)

Change abandoned by "James Slagle <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-common/+/723536
Reason: Abandoning this patch per the TripleO Patch Abandonment guidelines
(https://specs.openstack.org/openstack/tripleo-specs/specs/policy/patch-abandonment.html).
If you wish to have this restored and cannot do so yourself, please reach out
via #tripleo on OFTC or the OpenStack Dev mailing list.
