Manage certificates for Octavia controller-amphora communication
Octavia presently allows for one method for the controller to
communicate with amphorae: the amphora REST API. Both amphora API and
Octavia controller do bi-directional certificate-based authentication in
order to authenticate and encrypt communication.
This change doesn't affect Octavia user-facing API.
What this change does:
- Creates Octavia CA stored on a node where Octavia controller
is running
- Creates certificates for controller-amphora communication
signed by this CA. (Amphora-side certs are generated by Octavia
itself)
Depends on: https://gerrit.mcp.mirantis.net/7680
Related PROD: PROD-11933
Change-Id: Iedca3b5888af6e331005ed7387d4ca68d34e0261
diff --git a/salt/minion/ca/octavia_ca.yml b/salt/minion/ca/octavia_ca.yml
new file mode 100644
index 0000000..ac66bec
--- /dev/null
+++ b/salt/minion/ca/octavia_ca.yml
@@ -0,0 +1,29 @@
+parameters:
+ _param:
+ octavia_ca_common_name: Octavia CA
+ octavia_ca_country: cz
+ octavia_ca_locality: Prague
+ octavia_ca_organization: Mirantis
+ octavia_ca_days_valid_authority: 3650
+ octavia_ca_days_valid_certificate: 365
+ salt:
+ minion:
+ ca:
+ octavia_ca:
+ common_name: ${_param:octavia_ca_common_name}
+ country: ${_param:octavia_ca_country}
+ locality: ${_param:octavia_ca_locality}
+ organization: ${_param:octavia_ca_organization}
+ signing_policy:
+ cert_server:
+ type: v3_edge_cert_server
+ minions: '*'
+ cert_client:
+ type: v3_edge_cert_client
+ minions: '*'
+ cert_open:
+ type: v3_edge_cert_open
+ minions: '*'
+ days_valid:
+ authority: ${_param:octavia_ca_days_valid_authority}
+ certificate: ${_param:octavia_ca_days_valid_certificate}