Secure the client/server communication between ReST client and ReST server

Registered by Steven Dake on 2015-01-20

Kubernetes uses TLS in some way to secure the ReST API endpoint. The documentation points to using nginx to secure the apiserver ReST API. Ideally we would sort out how to secure the ReST API using TLS and possibly nginx (this may require changes to the heat template for launching atomic).

Blueprint information

Status:
Complete
Approver:
Adrian Otto
Priority:
Essential
Drafter:
Steven Dake
Direction:
Approved
Assignee:
Madhuri Kumari
Definition:
Approved
Series goal:
Accepted for liberty
Implementation:
Implemented
Milestone target:
liberty-2
Started by
Madhuri Kumari on 2015-07-29
Completed by
Adrian Otto on 2015-12-01

Whiteboard

T-Shirt sizing: M (may change after getting more details)

Specification Wiki: https://wiki.openstack.org/wiki/Magnum/TLS#Magnum_TSL_Support
Cookbook for TLS certificate handling: https://wiki.openstack.org/w/images/7/7a/Certificate_Cookbook.pdf

Consider looking at Docker Machine as a working example of how to implement this:
https://github.com/docker/machine

My understanding of how Docker-Machine works:

1) The client generates an ssh key pair, and supplies the public key to the nova create API call.
2) The client generates all the TLS certificates and keys.
3) The client uses an ssh connection to the server to copy the server's TLS keys over and configure the docker daemon on the nova instance.
4) The local docker client is configured to make secured TLS communication with the remote docker server.

Gerrit topic: https://review.openstack.org/#q,topic:bp/secure-kubernetes,n,z

Addressed by: https://review.openstack.org/194905
    Add TLS support in Magnum.

Addressed by: https://review.openstack.org/202873
    Add TLS support in heat kubernetes template

Addressed by: https://review.openstack.org/202881
    Add TLS support in heat kubernetes template for Ironic

Addressed by: https://review.openstack.org/203901
    [WIP] Add Cert controller and handler.

Addressed by: https://review.openstack.org/204798
    Add Cert controller and conductor.

Addressed by: https://review.openstack.org/205376
    Add context to TemplateDefinition.extract_definition

Addressed by: https://review.openstack.org/205381
    Split TemplateDefinitionTestCase to different test case

Addressed by: https://review.openstack.org/205922
    [WIP] Register client cert from k8s master node to Magnum

Addressed by: https://review.openstack.org/205926
    [WIP] Add get_magnum_url method to clients module

Addressed by: https://review.openstack.org/206467
    Add guide for TLS support in Magnum.

Gerrit topic: https://review.openstack.org/#q,topic:bp/barbican-support,n,z

Addressed by: https://review.openstack.org/207324
    Make Kubernetes API call secure.

Addressed by: https://review.openstack.org/212321
    [WIP] Add a tool to manage x509 objects

Addressed by: https://review.openstack.org/214179
    [WIP] Add CA controller for TLS support.

Gerrit topic: https://review.openstack.org/#q,topic:bp/magnum-as-a-ca,n,z

Addressed by: https://review.openstack.org/223025
    Make bay.api_address contains protocol

Addressed by: https://review.openstack.org/223438
    Fix calling parameter at get_cert/delete_cert

Addressed by: https://review.openstack.org/223439
    Allow unicode text as CSR

Addressed by: https://review.openstack.org/232510
    Added a guide to explain how to use secure Kubernetes API
