<div dir="auto"><div><br><div class="gmail_extra"><br><div class="gmail_quote">On 21 Nov 2017 01:19, "Alex Schultz" <<a href="mailto:aschultz@redhat.com">aschultz@redhat.com</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="quoted-text">On Thu, Nov 16, 2017 at 12:01 AM, Juan Antonio Osorio<br>
<<a href="mailto:jaosorior@gmail.com">jaosorior@gmail.com</a>> wrote:<br>
> Hello folks!<br>
><br>
> A few months ago Dan Sneddon and me worked in an ansible role that would<br>
> enable IPSEC for the overcloud [1]. Currently, one would run it as an extra<br>
> step after the overcloud deployment. But, I would like to start integrating<br>
> it to TripleO itself, making it another option, probably as a composable<br>
> service.<br>
><br>
<br>
</div>Is there a spec for this or at least some more detail as to what<br>
exactly this is solving? I would really like some more explanation<br>
around this feature than just an ansible role proposal.<br></blockquote></div></div></div><div dir="auto"><br></div><div dir="auto">Spec created <a href="https://blueprints.launchpad.net/tripleo/+spec/ipsec">https://blueprints.launchpad.net/tripleo/+spec/ipsec</a></div><div dir="auto"><br></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="quoted-text"><br>
> For this, I'm planning to move the tripleo-ipsec ansible role repository<br>
> under the TripleO umbrella. Would that be fine with everyone? Or should I<br>
> add this ansible role as part of another repository? After that's available<br>
> and packaged in RDO. I'll then look into the actual TripleO composable<br>
> service.<br>
><br>
<br>
</div>As I've previously indicated it probably should live under the tripleo<br>
umbrella but I would like to see more details around this prior to<br>
further integration. It's also very late in the cycle (almost m2) to<br>
be proposing something like this. Is the target for this Rocky?<br>
<br>
That being said I don't see anything specific to this role that would<br>
cause problems as part of the deployment process as it exists today.<br>
I do see some possible conflicts around the iptables configuration as<br>
we currently manage that via heat/puppet but I think it's smart enough<br>
to not stomp on each other if we carefully format the rules. Another<br>
implementation item that might be problematic is the more hard-coded<br>
configuration via template files. What is the plan to make those more<br>
dynamic to support other roles besides just compute/controller? </blockquote></div></div></div><div dir="auto"><br></div><div dir="auto">It's on the works. It shouldn't be a big change. </div><div dir="auto"><br></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Right<br>
now tripleo-heat-templates is the source of configuration items that<br>
we expose for the deployment. What would we be looking to expose to<br>
deployers since what is currently exposed from the role is minimal?<br></blockquote></div></div></div><div dir="auto"><br></div><div dir="auto">I'm looking to get deployers to only need to enable it via an environment variable. The rest should be automatic.</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="quoted-text"><br>
> Any input and contributions are welcome!<br>
><br>
> [1] <a href="https://github.com/JAORMX/tripleo-ipsec" rel="noreferrer" target="_blank">https://github.com/JAORMX/<wbr>tripleo-ipsec</a><br>
><br>
> --<br>
> Juan Antonio Osorio R.<br>
> e-mail: <a href="mailto:jaosorior@gmail.com">jaosorior@gmail.com</a><br>
><br>
><br>
<br>
</div>Thanks,<br>
-Alex<br>
<div class="elided-text"><br>
______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
</div></blockquote></div><br></div></div></div>