fuel-dev team mailing list archive

Re: How to manage and share a self-signed certificate for OSt public endpoint?

 

Hi Sergii,

So just to rephrase, generating a self-signed certificate from the fuel
master with the correct CN for the VIP and distributing the certificate to
all HAProxy should be easy. Cool :). Otherwise I'm using HAProxy >= 1.5 and
this version will be generated by OSCI fuel team I guess. Securing the
backend traffic will be done as a second step I think.

Thanks for your confirmation.


On Tue, Jul 8, 2014 at 10:20 PM, Sergii Golovatiuk <sgolovatiuk@xxxxxxxxxxxx> wrote:

> Hi Guillaume,
>
> The solution should be pretty straightforward. Fuel uses VIP under
> pacemaker control. Traffic goes through that VIP to HAProxy of active node.
> The rest of the nodes don't serve the traffic. Fuel doesn't use any kind of
> balancing. Recently, HAProxy 1.5 was released which introduces SSL
> termination. This allows you to use it to secure user<->VIP traffic.
> Additionally you may secure backend traffic though I think it's not so
> important.
>
> --
> Best regards,
> Sergii Golovatiuk,
> Skype #golserge
> IRC #holser
>
>
> On Tue, Jul 8, 2014 at 3:26 PM, Guillaume Thouvenin <thouveng@xxxxxxxxx>
> wrote:
>
>> Hi folks,
>>
>>  I'm currently writing a specification to enable SSL for OSt public
>> endpoint [1]. I'm using HAProxy to manage SSL and I have a question when we
>> are in HA mode (I mean with more than one HAProxy). My first thought was to
>> generate a self-signed certificate with puppet and put this certificate on
>> the controller where it can be used by HAProxy. The problem is if we have
>> several HAProxy. In my scenario there will be several different
>> certificates. So another idea is to generate the self-signed certificate
>> from the fuel master (using the CN of the VIP) and then distribute it to
>> controller nodes through a mechanism like mcollective. Does it make sense
>> to you? Who can help me to find where this can be done in fuel?
>>
>> Thanks a lot for your help,
>> Best Regards,
>> Guillaume
>>
>> [1] https://review.openstack.org/#/c/102273/
>>
>
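
The approach settled on in this thread (one self-signed certificate generated centrally for the VIP, with the same file placed on every HAProxy node) is sketched here as an added example; it is not code from the thread's authors or from Fuel. The VIP address, file names and function names are assumptions, the script needs OpenSSL 1.1.1 or later for `-addext`, and the distribution step itself (mcollective or otherwise) is left out.

```shell
#!/bin/sh
# Added example. The VIP, file names and function names are assumptions.

# Build the single PEM (certificate, then key) that an HAProxy "crt" option
# loads, self-signed for the VIP. The VIP goes in subjectAltName as well as
# CN, because current TLS clients match on SAN and ignore CN.
make_vip_pem() {
    vip=$1; out=$2
    case $vip in
        *[!0-9.]*) san="DNS:$vip" ;;   # hostname VIP
        *)         san="IP:$vip" ;;    # IPv4 VIP
    esac
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$vip" -addext "subjectAltName=$san" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null &&
        ( umask 077; cat "$tmp/cert.pem" "$tmp/key.pem" > "$out" )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# SHA-256 fingerprint of the certificate inside a PEM bundle.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if every bundle given carries the same certificate, i.e.
# every HAProxy behind the VIP presents the same TLS identity after failover.
same_cert_everywhere() {
    ref=$(pem_fingerprint "$1")
    [ -n "$ref" ] || return 1
    for f in "$@"; do
        [ "$(pem_fingerprint "$f")" = "$ref" ] || return 1
    done
}

# Succeeds if the certificate is valid for the VIP (IPv4 address assumed).
cert_matches_vip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}
```

Running `same_cert_everywhere` over the bundles collected from each controller catches the per-node generation problem raised in the original question: certificates generated separately on each node never share a fingerprint, even with an identical CN.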
