Secure the client/server communication between ReST client and ReST server

Registered by Steven Dake

Kubernetes uses TLS in some way to secure the ReST API endpoint. The documentation points to using nginx to secure the apiserver ReST API. Ideally we would sort out how to secure the ReST API using TLS and possibly nginx (this may require changes to the heat template for launching Atomic).

Blueprint information

Adrian Otto
Steven Dake
Madhuri Kumari
Series goal: Accepted for liberty
Milestone target: liberty-2
Started by: Madhuri Kumari
Completed by: Adrian Otto

Related branches



T-Shirt sizing: M (may change after getting more details)

Specification Wiki:
Cookbook for TLS certificate handling:

Consider looking at Docker Machine as a working example of how to implement this:

My understanding of how Docker-Machine works:

1) The client generates an ssh key pair, and supplies the public key to the nova create API call.
2) The client generates all the TLS certificates and keys.
3) The client uses an ssh connection to the server to put the server's TLS keys in place and configure the docker daemon on the nova instance.
4) The local docker client is configured to communicate with the remote docker server over TLS.
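As an added illustration of step 2 (not Magnum's or Docker Machine's own code), the following openssl script builds the certificate material a client would generate: a local CA, a server certificate for the daemon or API server on the nova instance, and a client certificate, so both ends authenticate each other. The CN values and the server name `node.example.invalid` used in the test are assumed placeholders; a real bay would use the master node's API address.

```shell
#!/bin/sh
# Added example (not Magnum's or Docker Machine's own code): generate the
# mutual-TLS certificate set described in step 2 with openssl.
# CN values and the server name are assumed placeholders.

# make_tls_bundle DIR SERVER_NAME
#   writes ca.pem, ca-key.pem, server-cert.pem, server-key.pem (deploy to the
#   server) and cert.pem, key.pem (keep on the client) into DIR; non-zero on failure.
make_tls_bundle() {
  dir=$1; server_name=$2
  mkdir -p "$dir" || return 1
  # CA: key + CSR, self-signed with explicit CA extensions so verifiers accept it.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=bay-ca" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.csr" 2>/dev/null || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/ca.csr" -signkey "$dir/ca-key.pem" \
    -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null || return 1
  # Server: key + CSR, signed by the CA with serverAuth and a DNS SAN for the
  # name clients connect to (hostname verification is done against the SAN).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$server_name" \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$server_name" > "$dir/server.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/server.ext" \
    -out "$dir/server-cert.pem" 2>/dev/null || return 1
  # Client: key + CSR, signed with clientAuth so the server can require it.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=bay-client" \
    -keyout "$dir/key.pem" -out "$dir/client.csr" 2>/dev/null || return 1
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/client.ext" \
    -out "$dir/cert.pem" 2>/dev/null || return 1
  rm -f "$dir"/*.csr "$dir"/*.ext
}

# verify_bundle DIR SERVER_NAME
#   0 when both leaf certs chain to ca.pem for their purpose and the server
#   cert matches SERVER_NAME, i.e. what a strict TLS peer would check.
verify_bundle() {
  dir=$1; server_name=$2
  openssl verify -CAfile "$dir/ca.pem" -purpose sslserver \
    -verify_hostname "$server_name" "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/cert.pem" >/dev/null 2>&1
}
```

Only ca.pem, server-cert.pem and server-key.pem need to travel to the instance in step 3; ca-key.pem must stay with whoever acts as the CA.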

Gerrit topic: bp/secure-kubernetes

Addressed by:
    Add TLS support in Magnum.

Addressed by:
    Add TLS support in heat kubernetes template

Addressed by:
    Add TLS support in heat kubernetes template for Ironic

Addressed by:
    [WIP] Add Cert controller and handler.

Addressed by:
    Add Cert controller and conductor.

Addressed by:
    Add context to TemplateDefinition.extract_definition

Addressed by:
    Split TemplateDefinitionTestCase to different test case

Addressed by:
    [WIP] Register client cert from k8s master node to Magnum

Addressed by:
    [WIP] Add get_magnum_url method to clients module

Addressed by:
    Add guide for TLS support in Magnum.

Gerrit topic: bp/barbican-support

Addressed by:
    Make Kubernetes API call secure.

Addressed by:
    [WIP] Add a tool to manage x509 objects

Addressed by:
    [WIP] Add CA controller for TLS support.

Gerrit topic: bp/magnum-as-a-ca

Addressed by:
    Make bay.api_address contains protocol

Addressed by:
    Fix calling parameter at get_cert/delete_cert

Addressed by:
    Allow unicode text as CSR

Addressed by:
    Added a guide to explain how to use secure Kubernetes API


Work Items
