Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-models / reclass-system / 63441e25c62295925d8125aad6981f5b6b58f14f^! / . / salt / minion / cert / octavia_amp_client.yml
commit63441e25c62295925d8125aad6981f5b6b58f14f[log] [tgz]
authorElena Ezhova <eezhova@mirantis.com>Mon Jul 17 16:16:32 2017 +0400
committerElena Ezhova <eezhova@mirantis.com>Wed Jul 19 12:52:47 2017 +0400
treeb13f10f121c4ea31a95a8d3cc0431ad320bd9bd8
parent3617b5866c93f5247df6340409520e6dd58d8b15 [diff] [blame]
Manage certificates for Octavia controller-amphora communication

Octavia presently allows for one method for the controller to
communicate with amphorae: the amphora REST API. Both amphora API and
Octavia controller do bi-directional certificate-based authentication in
order to authenticate and encrypt communication.

This change doesn't affect Octavia user-facing API.

What this change does:

- Creates Octavia CA stored on a node where Octavia controller
  is running
- Creates certificates for controller-amphora communication
  signed by this CA. (Amphora-side certs are generated by Octavia
  itself)

Depends on: https://gerrit.mcp.mirantis.net/7680
Related PROD: PROD-11933

Change-Id: Iedca3b5888af6e331005ed7387d4ca68d34e0261

diff --git a/salt/minion/cert/octavia_amp_client.yml b/salt/minion/cert/octavia_amp_client.yml
new file mode 100644
index 0000000..7a8425a
--- /dev/null
+++ b/salt/minion/cert/octavia_amp_client.yml

@@ -0,0 +1,20 @@
+parameters:
+  _param:
+    salt_minion_ca_host: ${_param:openstack_gateway_node01_hostname}.${_param:cluster_domain}
+    salt_minion_ca_authority: octavia_ca
+  salt:
+    minion:
+      cert:
+        octavia_amp_client:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: octavia_amp_client
+          signing_policy: cert_open
+          key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+          ca_file: ${octavia:manager:certificates:ca_certificate}
+          ca_key_file: ${octavia:manager:certificates:ca_private_key}
+          key_file: ${octavia:manager:haproxy_amphora:client_cert_key}
+          cert_file: ${octavia:manager:haproxy_amphora:client_cert}
+          all_file: ${octavia:manager:haproxy_amphora:client_cert_all}
+          user: octavia
+          group: octavia