SSL on management services

[YanChii]

Create a SSL certificate during headnode install and push it into cfgdb so new nodes can connect securely. Involves:

• headnode.sh generates new self-signed cert and pushes it into
  • cfgdb (public key) on /esdc/settings/security/services-ssl-cert
  • mgmt01 mdata (public, private key, cfgdb IP)
• mgmt01 configures haproxy SSL ports for erigonesd and cfgdb (if cert is present in mdata)
• computenode.sh queries cfgdb and if services SSL cert exists, it adds it into /opt/local/etc/openssl/dc-erigonesd.pem, rehashes certs/ and configures ssl in local_config.py.
• a new query_cfgdb.sh needs to be created that uses /opt/local/bin/curl to get data securely
• a new cert has cn=*.* (it does not break security because the certificate is trusted by its presence, not by CA signature)
• issue update script for 3.0.0 that generates new openssl certificate, pushes it into mdata (and also cfgdb IP) and reconfigures haproxy

[dn0]

• A prerequisite for this is a HTTP/REST service on cfgdb.

Are we going to use a different SSL certificate as the one which is already used on mgmt for gunicorns?

[YanChii]

Yes, the diferrent one. So we don't need to deal with certificate changes.