Hi folks,

As we are going to add ssl implementation to lbaas which would be based on well-known haproxy+stunnel combination, there is one problem that we need to solve: securing communication channel between neutron-server and the agent.

I see several approaches here:

1) Rely on secure messaging as described here: http://docs.openstack.org/security-guide/content/ch038_transport-security.html
   pros: no or minor additional things to take care of on neutron-server side and client side
   cons: might be more complex to test. Also I'm not sure testing infrastructure uses that. We'll need to state that lbaas ssl is only secure when transport security is enabled.

2) Provide neutron server/agent with certificate for encrypting keys/certificates that are dedicated to loadbalancers.
   pros: doesn't depend on cloud-wide messaging security. We can say that 'ssl works' in any case.
   cons: more to implement, more complex deployment.

Unless I've missed some other obvious solution, what do you think is the best approach here? (I'm not considering the usage of external secure store like barbican at this point)

What do you think?

Thanks,
Eugene.
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev