openstack/octavia
Code Issues Proposed changes

Clarify that the certificate guide should be used

Browse Source 
The quick start guide was pointing users to the old create_certificate.sh
script. This patch clarifies that the "Octavia Certificate Configuration
Guide" should be used when configurting certificates for the Octavia
controllers.
It also adds a warning to the create_certificate.sh script.

Change-Id: I7a87430be5a1553ff760e31c26ca52090399d00a
This commit is contained in:
Michael Johnson
2019-05-31 09:11:08 -07:00
parent 21a54d6b78
commit d3c3f148f4
2 changed files with 14 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
bin/create_certificates.sh
View File

@@ -1,5 +1,11 @@
#!/bin/bash #!/bin/bash
# NOTE: This script should not be used for creating certificates in a
# deployment. It is only used for some testing jobs.
# Please follow the Octavia Certificate Configuration Guide when setting
# up a deployment. See:
# https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
# USAGE: <certificate directory> <openssl.cnf (example in etc/certificate) # USAGE: <certificate directory> <openssl.cnf (example in etc/certificate)
#Those are certificates for testing will be generated #Those are certificates for testing will be generated
# #
@@ -36,6 +42,11 @@ CERT_DIR=$1
OPEN_SSL_CONF=$2 # etc/certificates/openssl.cnf OPEN_SSL_CONF=$2 # etc/certificates/openssl.cnf
VALIDITY_DAYS=${3:-18250} # defaults to 50 years VALIDITY_DAYS=${3:-18250} # defaults to 50 years
echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
echo "Please use the Octavia Certificate Configuration guide:"
echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
echo $CERT_DIR echo $CERT_DIR

6
doc/source/contributor/guides/dev-quick-start.rst
View File

@@ -261,10 +261,10 @@ amphorae: The amphora REST API. Both amphora API and Octavia controller do
bi-directional certificate-based authentication in order to authenticate and bi-directional certificate-based authentication in order to authenticate and
encrypt communication. You must therefore create appropriate TLS certificates encrypt communication. You must therefore create appropriate TLS certificates
which will be used for key signing, authentication, and encryption. There is a which will be used for key signing, authentication, and encryption. There is a
helper script to do this in this repository under: detailed :doc:`../../admin/guides/certificates` to guide you through this
``bin/create_certificates.sh`` process.
Please note that certificates created with this helper script may not meet your Please note that certificates created with this guide may not meet your
organization's security policies, since they are self-signed certificates with organization's security policies, since they are self-signed certificates with
arbitrary bit lengths, expiration dates, etc. Operators should obviously arbitrary bit lengths, expiration dates, etc. Operators should obviously
follow their own security guidelines in creating these certificates. follow their own security guidelines in creating these certificates.