| Nick | Message | Time |
|---|---|---|
| *** | matt_kosut has joined #openstack-upstream-institute | 06:56 |
| *** | matt_kosut has quit IRC | 21:19 |
| *** | matt_kosut has joined #openstack-upstream-institute | 21:19 |
| *** | matt_kosut has quit IRC | 21:24 |
| *** | tobberydberg has quit IRC | 22:14 |
| *** | tobberydberg has joined #openstack-upstream-institute | 22:19 |
| *** | slavd has joined #openstack-upstream-institute | 23:00 |
| slavd | Hello all, I have recently started exploring OpenStack and OpenStack-Ansible with the goal of using it to replace my current private cloud infrastructure. I have been reading the docs about security and I noticed that there isn't really a (straightforward) way of securing OpenStack services' communication with user-provided, trusted, and auto-renewing SSL certificates. I believe this should not be the case. My current infrastructure uses a privately hosted CA that supports the ACME protocol. All my hosts submit CSRs to it, and respond to the ACME challenges in order to get them signed. All certificates are short-lived (1h), but never expire thanks to the ACME automation. I have achieved this through an open source project called Smallstep Step CA. Thus, I propose the following solution (keep in mind I am not an OpenStack developer): addition of an Ansible HAProxy role for every (possible) OpenStack service, basically identical to the already existing HAProxy Ansible role for the public endpoint. Optionally, another Ansible role to deploy a small container, containing the Smallstep Step CA to act as the ACME provisioner of the PKI and service CSRs. I am providing some links to the Smallstep repositories and documentation for easier access: https://github.com/smallstep/certificates https://github.com/smallstep/cli https://github.com/smallstep/hello-mtls https://smallstep.com/docs/ | 23:10 |
| slavd | https://github.com/smallstep/certificates https://github.com/smallstep/cli https://github.com/smallstep/hello-mtls https://smallstep.com/docs/ | 23:14 |
| *** | slavd has quit IRC | 23:23 |
| *** | slavd has joined #openstack-upstream-institute | 23:40 |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!