[openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

Ian Cordasco sigmavirus24 at gmail.com
Wed Apr 13 16:01:32 UTC 2016


-----Original Message-----
From: Lance Bragstad <lbragstad at gmail.com>
Reply: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Date: April 13, 2016 at 10:24:18
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Subject:  Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

> I think we need to ask who we are lowering the barrier of entry for. Are we
> going down this path because we want developers to have less things to do
> to stand up a development environment? Or do we want to make it easy for
> people to realistically test? If you're going to realistically vet magnum,
> why not make that PoC as realistic as possible, as in deploying with
> barbican. As an operator, I think it would be better to have an honest
> assessment of the work required to deploy magnum, even if it costs a little
> extra time. I'd rather hit roadblocks with the realistic approach early
> than reassure my team everything will work correctly when we didn't test
> what we planned to offer to our customers. In my experience, having
> roadblocks pop up later after commitment has been made is expensive and
> stressful.

I agree wtih you, but there is a feeling among some that they want to /try/ Magnum without Barbican. With Magnum supporting a filesystem storage driver, like Glance's filesystem storage driver, I think this can be accomodated for proofs of concept (e.g., that Magnum "works" and serves the user's needs). From an operational perspective, it will be very misleading, especially to management, when the idea of Magnum goes from PoC to supported and requires Barbican and some (Soft or not) HSM which needs to be deployed.

Keep in mind, that Magnum's templates to deploy its COEs also have dependencies on other services that a small cloud may not deploy (e.g., Neutron) or features there of that may not be enabled (e.g., LBaaS). So there may be yet more requests to make Magnum adoption easier and thos requests will impact usage of the deployed COE more than anything else.

(And yes, let's not forget that this thread started regarding adoption, not simplifying PoC deployments which, while certainly related, are not the same thing.)

Ian Cordasco

More information about the OpenStack-dev mailing list