single command to config coe clients

Registered by Ricardo Rocha on 2016-05-10

This blueprint has been superseded. See the newer blueprint "Support generating conf file for k8s/swarm client side" for updated plans.

Right now for a client to get access to an existing bay the following sequence (or similar) is required:

1. openssl genrsa -out key.pem 4096
2. openssl req -new ... -key key.pem -out cert.csr
3. magnum ca-sign --bay mybay --csr cert.csr > cert.pem
4. magnum ca-show --bay mybay > ca.pem

And then clients still need to know how to configure TLS for the specific COE they are using.

This is OK, but maybe we could wrap this into a single command that takes care of everything:

# magnum config --bay mybay

which would do all the steps above and create a local config file, either in the local directory or directly in the expected COE config directory. For Docker Swarm, for example, that would be ~/.docker/config.json, or a config.json in the local directory to be passed as docker --config=config.json.
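For the Kubernetes case, the four steps could be wrapped as below, producing a file in the kubeconfig layout shown on the whiteboard. This is an added example, not Magnum's code; the function name bay_client_config, the -subj value and the output directory layout are assumptions.

```shell
# Added example. The function name, the -subj value and OUT_DIR are assumptions;
# the openssl/magnum invocations are the four steps listed above.
bay_client_config() {            # usage: bay_client_config BAY SERVER_URL OUT_DIR
    bay=$1 server=$2 out=$3
    [ -n "$bay" ] && [ -n "$server" ] && [ -n "$out" ] || return 2
    (
        umask 077                # key.pem and the config are owner-only from creation
        mkdir -p "$out" && cd "$out" || exit 1
        dir=$(pwd)               # kubeconfig entries are written as absolute paths

        # Steps 1-2: private key and CSR (the subject is an assumed value).
        openssl genrsa -out key.pem 4096 2>/dev/null || exit 1
        openssl req -new -subj "/CN=${USER:-client}" -key key.pem -out cert.csr || exit 1

        # Steps 3-4: '>' creates the file even when the command fails, so check
        # the exit status and the content before writing any config.
        magnum ca-sign --bay "$bay" --csr cert.csr > cert.pem || exit 1
        magnum ca-show --bay "$bay" > ca.pem || exit 1
        for f in cert.pem ca.pem; do
            grep -q 'BEGIN CERTIFICATE' "$f" || { echo "$f: not a PEM certificate" >&2; exit 1; }
        done

        cat > config <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: $dir/ca.pem
    server: $server
  name: $bay
contexts:
- context:
    cluster: $bay
    user: $bay
  name: default/$bay
current-context: default/$bay
users:
- name: $bay
  user:
    client-certificate: $dir/cert.pem
    client-key: $dir/key.pem
EOF
    )
}
```

The resulting file is passed with kubectl --kubeconfig; if either magnum call fails, the function returns non-zero before a config referencing an empty certificate is written.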

Blueprint information

Status: Complete
Approver: hongbin
Priority: High
Drafter: Ricardo Rocha
Direction: Approved
Assignee: Ricardo Rocha
Definition: Superseded
Series goal: Accepted for newton
Implementation: Unknown
Milestone target: None
Completed by: hongbin on 2016-07-17

Whiteboard

This seems like a user CLI improvement, but it is good to have, I think. A config.json may not be good enough; what about k8s/mesos, which use the CA file directly? (Eli 5-17-2016)

(ricardo_rocha): There should be a similar mechanism for kubernetes, passing a similar file to --kubeconfig. Currently we're doing the following sequence for kubectl:

# kubectl config set-credentials mybay-test --client-key=$PWD/key.pem --client-certificate=$PWD/cert.pem
# kubectl config set-cluster mybay-test --server=https://urlhere:6443 --certificate-authority=$PWD/ca.pem
# kubectl config set-context default/mybay-test --user=mybay-test --cluster=mybay-test
# kubectl config use-context default/mybay-test

which results in the following in ~/.kube/config

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /home/ricardo/ca.pem
    server: https://urlhere:6443
  name: mybay-test
contexts:
- context:
    cluster: mybay-test
    user: mybay-test
  name: default/mybay-test
current-context: default/mybay-test
kind: Config
preferences: {}
users:
- name: mybay-test
  user:
    client-certificate: /home/ricardo/cert.pem
    client-key: /home/ricardo/key.pem

We can generate something like this for k8s so users pass it later with kubectl --kubeconfig.

I'm willing to take this BP myself :-)

This BP is a duplicate of the following BP.
https://blueprints.launchpad.net/magnum/+spec/client-tls-auth-configuration

(hongbin): I closed this BP since it duplicates https://blueprints.launchpad.net/magnum/+spec/client-tls-auth-configuration .
