Refactor TLS introduction
The TLS-everywhere introduction contains some useful information for the ways you can deploy TLS (public TLS and TLS everywhere), as well as primers on the components used to implement TLS. This commit generalizes the introduction so we can re-use it for public TLS and TLS-everywhere. Subsequent patches will add separate guides that describe how to accomplish both deployment techniques.

Change-Id: Ieea23577095dd910c9923a8d1285561a72038a46
This commit is contained in:
parent
e710bbb57b
commit
dcec202b78
|
@ -41,6 +41,6 @@ Documentation on additional features for |project|.
|
|||
security_hardening
|
||||
split_stack
|
||||
ssl
|
||||
tls-everywhere
|
||||
tls-introduction
|
||||
tuned
|
||||
undercloud_minion
|
||||
|
|
|
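Review bot: with a hunk header of `-41,6 +41,6`, the toctree entry `tls-everywhere` is being replaced by `tls-introduction`, not listed alongside it, while the commit message defers the separate TLS-everywhere guide to a later patch. Until that guide lands, the features index has no entry for the TLS-everywhere page and existing `:doc:` links to it will not appear in navigation; consider keeping the `tls-everywhere` entry until the follow-up guide is added, or landing both in the same series.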
@ -1,8 +1,7 @@
|
|||
TLS-Everywhere
|
||||
==============
|
||||
.. _tls-introduction:
|
||||
|
||||
Introduction
|
||||
------------
|
||||
TLS Introduction
|
||||
================
|
||||
|
||||
Depending on your deployment's security requirements, you might be required to
|
||||
encrypt network traffic. TripleO helps you accomplish this by supporting
|
||||
|
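Review bot: dropping the `.. _tls-introduction:` label from the top of the page breaks any `:ref:`tls-introduction`` cross-references elsewhere in the docs, even if the `:doc:` target keeps working under the new file name. Either grep the tree for users of the label before removing it, or keep the label immediately above the new `TLS Introduction` title. The heading-level shift (`====` moves to the page title and the sub-sections below are promoted from `~~~~` to `----`) is consistent with removing the `Introduction` subsection.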
@ -12,28 +11,26 @@ we can deploy TLS.
|
|||
The first option is to only encrypt traffic between clients and public
|
||||
endpoints. This approach results in fewer certificates to manage, and we refer
|
||||
to it as *public TLS*. Public endpoints, in this sense, are endpoints only
|
||||
exposed to end-users. Traffic between internal endpoints is not encrypted. We
|
||||
do not describe how to deploy *public TLS* in this document.
|
||||
exposed to end-users. Traffic between internal endpoints is not encrypted.
|
||||
|
||||
The second option leverages TLS for all endpoints in the entire deployment,
|
||||
including the overcloud, undercloud, and any systems that natively support TLS.
|
||||
We typically refer to this approach as *TLS-everywhere* because we use TLS
|
||||
everywhere we can, encrypting as much network traffic as possible. Certificate
|
||||
management is critical with this approach because the number of certificates
|
||||
scales linearly with the number of services in your deployment. TripleO uses
|
||||
several components to help ease the burden of managing certificates. This
|
||||
option is desirable for deployments susceptible to industry regulation or those
|
||||
who have a higher security risk. Healthcare, telecommunications, and the
|
||||
public sector are but a few industries that make extensive use of
|
||||
*TLS-everywhere*. This document contains all the details to deploy
|
||||
*TLS-everywhere*.
|
||||
management automation is critical with this approach because the number of
|
||||
certificates scales linearly with the number of services in your deployment.
|
||||
TripleO uses several components to help ease the burden of managing
|
||||
certificates. This option is desirable for deployments susceptible to industry
|
||||
regulation or those who have a higher security risk. Healthcare,
|
||||
telecommunications, and the public sector are but a few industries that make
|
||||
extensive use of *TLS-everywhere*. You can think of *public TLS* as a subset of
|
||||
what *TLS-everywhere* offers.
|
||||
|
||||
TripleO makes use of the following components to implement *TLS-everywhere*.
|
||||
The sections below describe each component and the role it plays in
|
||||
TripleO uses the following components to implement *public TLS* and
|
||||
*TLS-everywhere*.
|
||||
|
||||
Certmonger
|
||||
~~~~~~~~~~
|
||||
----------
|
||||
|
||||
`Certmonger`_ is a daemon that helps simplify certificate management between
|
||||
endpoints and certificate authorities (CAs). You can use it to generate key
|
||||
|
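Review bot: the new lead-in `TripleO uses the following components to implement *public TLS* and *TLS-everywhere*.` reads as if every component below applies to both modes, but the Novajoin and tripleo-ipa sections changed later in this same patch say those components are used only when deploying *TLS-everywhere*. Suggest qualifying it, e.g. `TripleO uses the following components to implement *public TLS* and *TLS-everywhere*; the sections below note which components apply only to *TLS-everywhere*.` Also, removing `We do not describe how to deploy *public TLS* in this document.` leaves the reader with no pointer to either deployment guide; a one-line note that separate guides cover each option (as the commit message states) would preserve that orientation.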
@ -49,7 +46,7 @@ in your deployment.
|
|||
.. _Certmonger: https://pagure.io/certmonger
|
||||
|
||||
FreeIPA
|
||||
~~~~~~~
|
||||
-------
|
||||
|
||||
`FreeIPA`_ is a multi-purpose system that includes a certificate authority
|
||||
(DogTag Certificate System), LDAP (389 Directory Server), MIT Kerberos, NTP
|
||||
|
@ -63,7 +60,7 @@ from other infrastructure.
|
|||
.. _FreeIPA: https://www.freeipa.org/page/Main_Page
|
||||
|
||||
Installing FreeIPA
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Similar to setting up the undercloud node, you need to set the hostname
|
||||
properly for the FreeIPA server. For this example, let's assume we're using
|
||||
|
@ -87,34 +84,38 @@ Configure FreeIPA::
|
|||
--auto-reverse /
|
||||
--unattended
|
||||
|
||||
Please refer to ``ipa-server-install --help`` for specifics on each argument.
|
||||
The directions above are only a guide. You may need to adjust certain values
|
||||
and configuration options to use FreeIPA, depending on your requirements.
|
||||
Please refer to ``ipa-server-install --help`` for specifics on each argument or
|
||||
reference the `FreeIPA documentation`_. The directions above are only a guide.
|
||||
You may need to adjust certain values and configuration options to use FreeIPA,
|
||||
depending on your requirements.
|
||||
|
||||
.. _FreeIPA documentation: https://www.freeipa.org/page/Documentation
|
||||
|
||||
Novajoin
|
||||
~~~~~~~~
|
||||
--------
|
||||
|
||||
`Novajoin`_ is a vendor data service that extends nova's config drive
|
||||
functionality. When the undercloud creates new nodes for the overcloud,
|
||||
novajoin creates a host entry in FreeIPA to enable the overcloud node to enroll
|
||||
as a FreeIPA client.
|
||||
functionality and you use it when you want to deploy *TLS-everywhere*. When the
|
||||
undercloud creates new nodes for the overcloud, novajoin creates a host entry
|
||||
in FreeIPA to enable the overcloud node to enroll as a FreeIPA client.
|
||||
|
||||
If you want to use novajoin, you must have nova deployed in your undercloud.
|
||||
Novajoin isn't supported for deployments :doc:`deployed_server`.
|
||||
|
||||
Novajoin was introduced in the Queens release and is supported through Train.
|
||||
The tripleo-ipa project, described below, effectively replaced novajoin in the
|
||||
Train release.
|
||||
The `tripleo-ipa`_ project, described below, effectively replaced novajoin in
|
||||
the Train release.
|
||||
|
||||
.. _Novajoin: https://opendev.org/x/novajoin
|
||||
|
||||
tripleo-ipa
|
||||
~~~~~~~~~~~
|
||||
-----------
|
||||
|
||||
`tripleo-ipa`_ is a collection of Ansible roles used to integrate FreeIPA into
|
||||
TripleO deployments. These playbooks support deployments using nova and ironic
|
||||
in the undercloud as well as :doc:`deployed_server`. This project was
|
||||
introduced in Train and effectively replaces the novajoin metadata service.
|
||||
TripleO deployments and you use it when you want to deploy *TLS-everywhere*.
|
||||
These playbooks support deployments using nova and ironic in the undercloud as
|
||||
well as :doc:`deployed_server`. This project was introduced in Train and
|
||||
effectively replaces the novajoin metadata service.
|
||||
|
||||
We recommend using tripleo-ipa for all *TLS-everywhere* deployments as of the
|
||||
Train release. In a future release, we will update TripleO to only support
|
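Review bot: the Novajoin paragraph now links `tripleo-ipa`_, but no `.. _tripleo-ipa:` target definition is visible in this hunk; confirm the target exists in the file, otherwise Sphinx will report an unknown reference target. Minor wording in the added lines: `extends nova's config drive functionality and you use it when you want to deploy *TLS-everywhere*` joins two independent clauses without a comma (the same pattern appears in the tripleo-ipa paragraph), and `reference the `FreeIPA documentation`_` reads better as `refer to the `FreeIPA documentation`_`.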