[openstack-dev] [oslo][oslo.config] Pluggable drivers and protect plaintext secrets

Fox, Kevin M Kevin.Fox at pnnl.gov
Fri Aug 4 20:21:19 UTC 2017

I would really like to see secrets separated from config. Always have... They are two separate things.

If nothing else, a separate config file so it can be permissioned differently.

This could be combined with k8s secrets/configmaps better too.
Or make it much easier to version config in git and have secrets somewhere else.


From: Raildo Mascena de Sousa Filho [rmascena at redhat.com]
Sent: Friday, August 04, 2017 12:34 PM
To: openstack-dev at lists.openstack.org
Subject: [openstack-dev] [oslo][oslo.config] Pluggable drivers and protect plaintext secrets

Hi all,

We had a couple of discussions with the Oslo team related to implement Pluggable drivers for oslo.config[0] and use those feature to implement support to protect plaintext secret on configuration files[1].

In another hand, due the containerized support on OpenStack services, we have a community effort to implement a k8s ConfigMap support[2][3], which might make us step back and consider how secret management will work, since the config data will need to go into the configmap *before* the container is launched.

So, I would like to see what the community think. Should we continue working on that pluggable drivers and protect plain text secrets support for oslo.config? Makes sense having a PTG session[4] on Oslo to discuss that feature?

Thanks for the feedback in advance.


[0] https://review.openstack.org/#/c/454897/
[1] https://review.openstack.org/#/c/474304/
[2] https://github.com/flaper87/keystone-k8s-ansible/blob/6524b768d75a28adf44c74aca77ccf13dd66b1a9/provision-keystone-apb/tasks/main.yaml#L71-L108
[3] https://kubernetes.io/docs/<https://kubernetes.io/docs/tasks/configure-pod-container/configmap/>tasks/configure-pod-container/configmap/<https://kubernetes.io/docs/tasks/configure-pod-container/configmap/>
[4] https://etherpad.openstack.org/p/oslo-ptg-queens

Raildo mascena

Software Engineer, Identity Managment

Red Hat


TRIED. TESTED. TRUSTED.<https://redhat.com/trusted>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20170804/cd5167c8/attachment.html>

More information about the OpenStack-dev mailing list