Fix and improve SSL section for Octavia

The `genrsa` command is superseded by the `genpkey`
command.

The CA cert and key were not being referenced by the
ensuing block of `juju config` commands.

Improve and streamline wording.

Closes-Bug: #1948506
Closes-Bug: #1927664
Change-Id: I4cc64319bb2ab8bafd54a85b5d8dabd3c5947549
This commit is contained in:
Peter Matulis 2022-01-17 22:07:55 -05:00
parent e58ab9d6d4
commit 57e75a0488
1 changed files with 9 additions and 15 deletions


@ -103,26 +103,25 @@ Generate certificates
~~~~~~~~~~~~~~~~~~~~~
Octavia uses client certificates for authentication and security of
communication between Amphorae (load balancers) and the Octavia control plane;
for the initial version of the Octavia charm, these must be generated by the
operator and provided to the Octavia charm as configuration.
communication between Amphorae (load balancers) and the Octavia control plane.
The script below generates example certificates and keys with a 365 day expiry
period:
The commands below show how keys and certificates can be generated. These are
examples only; modify the parameters as required.
.. code-block:: none
mkdir -p demoCA/newcerts
touch demoCA/index.txt
touch demoCA/index.txt.attr
openssl genrsa -passout pass:foobar -des3 -out issuing_ca_key.pem 2048
openssl genpkey -algorithm RSA -pass pass:foobar -out issuing_ca_key.pem
openssl req -x509 -passin pass:foobar -new -nodes -key issuing_ca_key.pem \
-config /etc/ssl/openssl.cnf \
-subj "/C=US/ST=Somestate/O=Org/CN=www.example.com" \
-days 365 \
-out issuing_ca.pem
openssl genrsa -passout pass:foobar -des3 -out controller_ca_key.pem 2048
openssl genpkey -algorithm RSA -pass pass:foobar -out controller_ca_key.pem
openssl req -x509 -passin pass:foobar -new -nodes \
-key controller_ca_key.pem \
-config /etc/ssl/openssl.cnf \
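Review bot: the new `openssl genpkey -algorithm RSA -pass pass:foobar -out issuing_ca_key.pem` line (and the matching controller_ca_key.pem line) drops the `-des3` that the old `genrsa` invocation carried, and `genpkey` only honours `-pass` when a cipher is also given; as written it writes both CA private keys to disk unencrypted, so the `-passin pass:foobar` on the following `openssl req` lines no longer does anything. Suggest `openssl genpkey -algorithm RSA -aes256 -pass pass:foobar -out issuing_ca_key.pem` (or `-cipher aes-256-cbc`), and optionally `-pkeyopt rsa_keygen_bits:2048` so the explicit 2048-bit key size from the old command is preserved rather than left to the default.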
@ -139,22 +138,17 @@ period:
-in controller.csr -days 365 -out controller_cert.pem
cat controller_cert.pem controller_key.pem > controller_cert_bundle.pem
The generated certificates and keys must then be provided to the octavia charm:
This information is then provided to Octavia via charm configuration options:
.. code-block:: none
juju config octavia \
lb-mgmt-issuing-cacert="$(base64 controller_ca.pem)" \
lb-mgmt-issuing-ca-private-key="$(base64 controller_ca_key.pem)" \
lb-mgmt-issuing-cacert="$(base64 issuing_ca.pem)" \
lb-mgmt-issuing-ca-private-key="$(base64 issuing_ca_key.pem)" \
lb-mgmt-issuing-ca-key-passphrase=foobar \
lb-mgmt-controller-cacert="$(base64 controller_ca.pem)" \
lb-mgmt-controller-cert="$(base64 controller_cert_bundle.pem)"
.. note::
Future versions of the charm may automatically generate the internal
Certification Authority required to operate Octavia.
Resource configuration
~~~~~~~~~~~~~~~~~~~~~~
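Review bot: `lb-mgmt-issuing-ca-key-passphrase=foobar` is kept, but with the `genpkey` change in the first hunk issuing_ca_key.pem is written without a cipher and is therefore not encrypted, so this line hands the charm a passphrase for a cleartext key; either encrypt the key in the generation step or drop the passphrase option so the two code blocks agree. The switch of the `lb-mgmt-issuing-cacert` and `lb-mgmt-issuing-ca-private-key` values to issuing_ca.pem and issuing_ca_key.pem is correct and finally matches the files produced by the generation block, which is what the commit message describes.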