Fix and improve SSL section for Octavia
The `genrsa` command is superseded by the `genpkey` command. The CA cert and key were not being referenced by the ensuing block of `juju config` commands. Improve and streamline wording.

Closes-Bug: #1948506
Closes-Bug: #1927664
Change-Id: I4cc64319bb2ab8bafd54a85b5d8dabd3c5947549
This commit is contained in:
parent e58ab9d6d4
commit 57e75a0488
@ -103,26 +103,25 @@ Generate certificates
~~~~~~~~~~~~~~~~~~~~~
Octavia uses client certificates for authentication and security of
communication between Amphorae (load balancers) and the Octavia control plane;
for the initial version of the Octavia charm, these must be generated by the
operator and provided to the Octavia charm as configuration.
communication between Amphorae (load balancers) and the Octavia control plane.
The script below generates example certificates and keys with a 365 day expiry
period:
The commands below show how keys and certificates can be generated. These are
examples only; modify the parameters as required.
.. code-block:: none
mkdir -p demoCA/newcerts
touch demoCA/index.txt
touch demoCA/index.txt.attr
openssl genrsa -passout pass:foobar -des3 -out issuing_ca_key.pem 2048
openssl genpkey -algorithm RSA -pass pass:foobar -out issuing_ca_key.pem
openssl req -x509 -passin pass:foobar -new -nodes -key issuing_ca_key.pem \
-config /etc/ssl/openssl.cnf \
-subj "/C=US/ST=Somestate/O=Org/CN=www.example.com" \
-days 365 \
-out issuing_ca.pem
openssl genrsa -passout pass:foobar -des3 -out controller_ca_key.pem 2048
openssl genpkey -algorithm RSA -pass pass:foobar -out controller_ca_key.pem
openssl req -x509 -passin pass:foobar -new -nodes \
-key controller_ca_key.pem \
-config /etc/ssl/openssl.cnf \
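Review bot: the replacement `openssl genpkey -algorithm RSA -pass pass:foobar -out issuing_ca_key.pem` (and the matching `controller_ca_key.pem` line in this hunk) drops two things the removed `genrsa ... -des3 ... 2048` lines had: the cipher and the key size. `genpkey` only encrypts the output key when a cipher option such as `-aes256` (or the old `-des3`) is given; with `-pass` alone the passphrase is ignored and both CA private keys are written to disk unencrypted, which makes the later `-passin pass:foobar` on the `req -x509` commands, and the charm's `lb-mgmt-issuing-ca-key-passphrase=foobar` setting, meaningless for these files. The key size now comes from the OpenSSL default instead of the explicit 2048 bits. Suggest `openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 -pass pass:foobar -out issuing_ca_key.pem` and the same form for `controller_ca_key.pem`, so the key files are actually protected by the passphrase the rest of the section assumes.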
@ -139,22 +138,17 @@ period:
-in controller.csr -days 365 -out controller_cert.pem
cat controller_cert.pem controller_key.pem > controller_cert_bundle.pem
The generated certificates and keys must then be provided to the octavia charm:
This information is then provided to Octavia via charm configuration options:
.. code-block:: none
juju config octavia \
lb-mgmt-issuing-cacert="$(base64 controller_ca.pem)" \
lb-mgmt-issuing-ca-private-key="$(base64 controller_ca_key.pem)" \
lb-mgmt-issuing-cacert="$(base64 issuing_ca.pem)" \
lb-mgmt-issuing-ca-private-key="$(base64 issuing_ca_key.pem)" \
lb-mgmt-issuing-ca-key-passphrase=foobar \
lb-mgmt-controller-cacert="$(base64 controller_ca.pem)" \
lb-mgmt-controller-cert="$(base64 controller_cert_bundle.pem)"
.. note::
Future versions of the charm may automatically generate the internal
Certification Authority required to operate Octavia.
Resource configuration
~~~~~~~~~~~~~~~~~~~~~~
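Review bot: `lb-mgmt-issuing-ca-key-passphrase=foobar` in the `juju config` block passes the CA key passphrase as a literal on the command line, so it lands in shell history and is visible in the process list while the command runs, and it only works if it is the same passphrase given to `genpkey -pass` when `issuing_ca_key.pem` was created. The caveat that these are "examples only; modify the parameters as required" is attached to the openssl commands, not to this block; the new sentence "This information is then provided to Octavia via charm configuration options:" should also say that the passphrase must match the one used to generate the issuing CA key and should be replaced with a real secret, preferably read from a file or variable rather than typed inline. A short note that the charm needs the passphrase to be able to use the key would also explain why the key file must actually be encrypted.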