Fix and improve SSL section for Octavia
The `genrsa` command is superseded by the `genpkey` command. The CA cert and key were not being referenced by the ensuing block of `juju config` commands. Improve and streamline wording.

Closes-Bug: #1948506
Closes-Bug: #1927664
Change-Id: I4cc64319bb2ab8bafd54a85b5d8dabd3c5947549
parent
e58ab9d6d4
commit
57e75a0488
|
@ -103,26 +103,25 @@ Generate certificates
|
||||||
~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
Octavia uses client certificates for authentication and security of
|
Octavia uses client certificates for authentication and security of
|
||||||
communication between Amphorae (load balancers) and the Octavia control plane;
|
communication between Amphorae (load balancers) and the Octavia control plane.
|
||||||
for the initial version of the Octavia charm, these must be generated by the
|
|
||||||
operator and provided to the Octavia charm as configuration.
|
|
||||||
|
|
||||||
The script below generates example certificates and keys with a 365 day expiry
|
The commands below show how keys and certificates can be generated. These are
|
||||||
period:
|
examples only; modify the parameters as required.
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
|
|
||||||
mkdir -p demoCA/newcerts
|
mkdir -p demoCA/newcerts
|
||||||
touch demoCA/index.txt
|
touch demoCA/index.txt
|
||||||
touch demoCA/index.txt.attr
|
touch demoCA/index.txt.attr
|
||||||
openssl genrsa -passout pass:foobar -des3 -out issuing_ca_key.pem 2048
|
|
||||||
|
openssl genpkey -algorithm RSA -pass pass:foobar -out issuing_ca_key.pem
|
||||||
openssl req -x509 -passin pass:foobar -new -nodes -key issuing_ca_key.pem \
|
openssl req -x509 -passin pass:foobar -new -nodes -key issuing_ca_key.pem \
|
||||||
-config /etc/ssl/openssl.cnf \
|
-config /etc/ssl/openssl.cnf \
|
||||||
-subj "/C=US/ST=Somestate/O=Org/CN=www.example.com" \
|
-subj "/C=US/ST=Somestate/O=Org/CN=www.example.com" \
|
||||||
-days 365 \
|
-days 365 \
|
||||||
-out issuing_ca.pem
|
-out issuing_ca.pem
|
||||||
|
|
||||||
openssl genrsa -passout pass:foobar -des3 -out controller_ca_key.pem 2048
|
openssl genpkey -algorithm RSA -pass pass:foobar -out controller_ca_key.pem
|
||||||
openssl req -x509 -passin pass:foobar -new -nodes \
|
openssl req -x509 -passin pass:foobar -new -nodes \
|
||||||
-key controller_ca_key.pem \
|
-key controller_ca_key.pem \
|
||||||
-config /etc/ssl/openssl.cnf \
|
-config /etc/ssl/openssl.cnf \
|
||||||
|
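Review bot: the replacement line `openssl genpkey -algorithm RSA -pass pass:foobar -out issuing_ca_key.pem` (and the matching `controller_ca_key.pem` line) no longer encrypts the private key: the removed `genrsa -passout pass:foobar -des3 ... 2048` wrote a passphrase-protected key, whereas `genpkey` only uses `-pass` when a cipher option is also given, so as written both CA keys land on disk in the clear and the passphrase is silently ignored. Suggest `openssl genpkey -algorithm RSA -aes-256-cbc -pass pass:foobar -out issuing_ca_key.pem` (or `-des3` for parity with the removed command) so the key stays protected and the `foobar` passphrase the page later configures actually corresponds to it. The key size is unchanged in practice, since `genpkey` defaults to 2048-bit RSA, which is what the old command passed explicitly.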
@ -139,22 +138,17 @@ period:
|
||||||
-in controller.csr -days 365 -out controller_cert.pem
|
-in controller.csr -days 365 -out controller_cert.pem
|
||||||
cat controller_cert.pem controller_key.pem > controller_cert_bundle.pem
|
cat controller_cert.pem controller_key.pem > controller_cert_bundle.pem
|
||||||
|
|
||||||
The generated certificates and keys must then be provided to the octavia charm:
|
This information is then provided to Octavia via charm configuration options:
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
|
|
||||||
juju config octavia \
|
juju config octavia \
|
||||||
lb-mgmt-issuing-cacert="$(base64 controller_ca.pem)" \
|
lb-mgmt-issuing-cacert="$(base64 issuing_ca.pem)" \
|
||||||
lb-mgmt-issuing-ca-private-key="$(base64 controller_ca_key.pem)" \
|
lb-mgmt-issuing-ca-private-key="$(base64 issuing_ca_key.pem)" \
|
||||||
lb-mgmt-issuing-ca-key-passphrase=foobar \
|
lb-mgmt-issuing-ca-key-passphrase=foobar \
|
||||||
lb-mgmt-controller-cacert="$(base64 controller_ca.pem)" \
|
lb-mgmt-controller-cacert="$(base64 controller_ca.pem)" \
|
||||||
lb-mgmt-controller-cert="$(base64 controller_cert_bundle.pem)"
|
lb-mgmt-controller-cert="$(base64 controller_cert_bundle.pem)"
|
||||||
|
|
||||||
.. note::
|
|
||||||
|
|
||||||
Future versions of the charm may automatically generate the internal
|
|
||||||
Certification Authority required to operate Octavia.
|
|
||||||
|
|
||||||
Resource configuration
|
Resource configuration
|
||||||
~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
|
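Review bot: the switch to `issuing_ca.pem` and `issuing_ca_key.pem` in `lb-mgmt-issuing-cacert` and `lb-mgmt-issuing-ca-private-key` fixes the mismatch the commit message describes, but `lb-mgmt-issuing-ca-key-passphrase=foobar` is only meaningful if `issuing_ca_key.pem` was generated encrypted under that passphrase, and the note removed here is not replaced by any statement of that dependency. Suggest extending the new sentence "This information is then provided to Octavia via charm configuration options:" to say that the passphrase must match the one used when the issuing CA key was created, and that the key material and passphrase set here are stored in charm configuration (readable via `juju config octavia`), so the example values should be replaced rather than reused.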