Discussion:
future of certmaster discussion
Greg Swift
2011-04-29 19:47:58 UTC
Hi all. skvidal and I were having a discussion the other day about
the future path of certmaster. Right now this can be a pain because
certmaster has to be installed everywhere that func is, due to the
dependence on its libraries. This can cause confusion with
configuration and setup, even for people that have worked with it
before.
- Certmaster is a set of tools and a library for easily
distributing SSL certificates to applications that need them
- Certmaster originated in the Func project
- Any application can use certmaster for easy exchange of SSL certificates
- Certmaster has a Python API and a command-line tool
("certmaster-request") for requesting certificates
- A daemon, called "certmaster", is included to hand certificates out
- The tool "certmaster-ca" is used to list certs and sign them when
requests come in
- Autosigning of new certificate requests is also supported but is
off by default
- Configuration is all done via minimal text files
- Certmaster has extensive audit logs of certificate operations
From my understanding (and the 3rd point above) the intention of
certmaster being separate from func in the first place was so that it
could act as an application-independent simple CA for applications.
Yet here we are... about 5 years after the introduction of func and
certmaster. For the most part it seems like no one has taken
certmaster up except with func, and if you are doing so please let
us know! Plus, now func can live without certmaster thanks to all the
work skvidal has put into the utilization of puppet's certificates.

So looking towards the future we were looking at two primary issues/concepts:

1: make func easier/cleaner to install, at least on the minions, but
preferably everywhere.
2: try to minimize changes to the code and operational environment so
that this change is as seamless as possible
3: reduce developer overhead of multiple projects

1: Merge certmaster into func, but leave pretty much all of the code
the same. There could be a separate "overlord/certmaster" package
that would have the daemon-side tools if desired, but otherwise
everything necessary could end up as a single package.
2: Make certmaster more of just a library package. There would then
be a separate "overlord/certmaster" package that would have those
daemon-side tools, but this leaves a separate code base and still has
func minions needing the certmaster library package.
3: Have func take over the code it uses from certmaster, thus
reversing the dependency. There would then be a separate
"overlord/certmaster" package that would have those daemon-side tools,
but despite leaving a separate code base, func minions would not need
the certmaster package. However, the certmaster package would need the
func one.

There are several variations that can come out of those 3 paths, and
we would like your input.

I'm attaching the unedited conversation between us for you to read
through. If you do read it, please read the whole thing, as there were
clarifications and corrections further along in the conversation.

skvidal, if you have any clarifications or points you'd like to add,
please do :)

-greg