23:30:24 <adrian_otto> #startmeeting containers_tls
23:30:25 <openstack> Meeting started Thu Jul  9 23:30:24 2015 UTC and is due to finish in 60 minutes.  The chair is adrian_otto. Information about MeetBot at http://wiki.debian.org/MeetBot.
23:30:26 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
23:30:28 <openstack> The meeting name has been set to 'containers_tls'
23:30:31 <adrian_otto> o/
23:30:36 <sdake> o/
23:30:36 <adrian_otto> who's here?
23:30:38 <madhuri> o/
23:30:39 <yuanying> o/
23:30:51 <sicarie> o/
23:30:55 <redrobot> o/
23:31:07 <adrian_otto> Madhuri called us together for some discussion about our TLS feature today.
23:31:15 <madhuri> #link  https://blueprints.launchpad.net/magnum/+spec/magnum-as-a-ca
23:31:19 <adrian_otto> We'll reference links to the blueprint and spec review
23:31:53 <madhuri> To support TLS in Magnum, we need to generate certs and store them securely
23:32:03 <madhuri> We have few options to do that
23:32:18 <madhuri> So I wanted to discuss which option is the best one
23:32:30 <adrian_otto> #link https://review.openstack.org/194905 Add TLS support in Magnum.
23:32:37 <madhuri> I will get the link here of the ml
23:32:43 <adrian_otto> let's back up one step
23:32:58 <adrian_otto> the reason we care about this at all is that Magnum bays are small distributed systems
23:33:11 <adrian_otto> and the components of those systems typically run on public networks
23:33:25 <adrian_otto> so the various API endpoints need suitable access control
23:33:56 <adrian_otto> Magnum does not adequately secure the kubernetes client-> master or master-> minion communications
23:34:11 <adrian_otto> there is no access control or encryption of those communications
23:34:22 <adrian_otto> so in order for Magnum to be production ready we must address that
23:34:51 <adrian_otto> Kubernetes and Docker Swarm both support TLS, which can be used as a mechanism both for simple access control, and encryption
23:35:08 <adrian_otto> so Madhuri has been working on possible implementations to address this
23:35:15 <adrian_otto> Madhuri, you can lead from this point
23:35:32 <madhuri> Thank you adrian_otto for the introduction
23:35:57 <madhuri> So Magnum needs certficates and to store them securely
23:36:07 <madhuri> We tried to use Anchor for it
23:36:25 <madhuri> But got some disagreement about it as being stackforge project
23:36:38 <chair6> that changes tomorrow, when it moves from stackforge -> openstack namespace
23:36:45 <sdake> i think the disageement would disappear if it were optional rather then mandatory madhuri
23:36:56 <adrian_otto> are those objections primarily related to the maturity level of the Anchor software?
23:37:13 <sdake> adrian_otto since its going to the openstack namespace this is a moot point
23:37:19 <madhuri> Yes for that we first thought of adding our own tool to generate certificate for initial release
23:37:34 <sdake> but my argument on this point is we dont want to depend on stackforge projects because they may never make it into the openstack namespace, making our project unshippable
23:37:43 <madhuri> But then we are left with no option for its secure storage
23:37:53 <madhuri> Agree.
23:38:02 <sdake> hard depend
23:38:06 <sdake> soft depend, different story