[openstack-dev] [oslo][oslo.config][ansible][tripleo][kolla][ptg] Pluggable drivers and protect plaintext secrets

Doug Hellmann doug at doughellmann.com
Mon Aug 7 16:15:58 UTC 2017


Excerpts from Raildo Mascena de Sousa Filho's message of 2017-08-04 19:34:25 +0000:
> Hi all,
> 
> We had a couple of discussions with the Oslo team related to implementing
> pluggable drivers for oslo.config[0] and using that feature to implement
> support for protecting plaintext secrets in configuration files[1].
> 
> On the other hand, due to the containerized support on OpenStack services, we
> have a community effort to implement a k8s ConfigMap support[2][3], which
> might make us step back and consider how secret management will work, since
> the config data will need to go into the configmap *before* the container
> is launched.
> 
> So, I would like to see what the community thinks. Should we continue
> working on the pluggable drivers and protect plain text secrets support
> for oslo.config? Does it make sense to have a PTG session[4] on Oslo to
> discuss that feature?
> 
> Thanks for the feedback in advance.
> 
> Cheers,
> 
> [0] https://review.openstack.org/#/c/454897/
> [1] https://review.openstack.org/#/c/474304/
> [2] https://github.com/flaper87/keystone-k8s-ansible/blob/6524b768d75a28adf44c74aca77ccf13dd66b1a9/provision-keystone-apb/tasks/main.yaml#L71-L108
> [3] https://kubernetes.io/docs/tasks/configure-pod-container/configmap/
> [4] https://etherpad.openstack.org/p/oslo-ptg-queens

I've added some of the deployment project tags to the subject line to
expand the audience for this discussion.

We're trying to decide what to do about space at the PTG for this
conversation. My Monday-Wednesday are completely booked, so I was
hoping we could do it Thursday. The Oslo team won't have a room then, so
we need to either find space in another room or reserve one of the extra
rooms mentioned on the schedule [1].

Kendall & Thierry, what do we need to do to reserve that room if we
can't find space in another team room?

Before we meet in Denver, it would be very useful to have some documents
describing the end-to-end processes teams foresee using for managing
secrets.

Doug

[1] https://docs.google.com/spreadsheets/u/1/d/1xmOdT6uZ5XqViActr5sBOaz_mEgjKSCY7NEWcAEcT-A/pubhtml?gid=397241312&single=true


