[Openstack-operators] PLEASE READ: VPNaaS API Change - not backward compatible

Paul Michali pc at michali.net
Mon Aug 24 18:32:02 UTC 2015

As part of the effort to provide support for multiple local subnets for
VPNaaS IPSec connections, there are three API changes planned [1].

One is to add a new "endpoint groups" API that will describe what is being
connected. This is the place were local and peer subnets will be specified.
It will allow future VPN flavors to reuse this API for other types of VPN

The second is to modify the IPSec site connection API to make use of this
new endpoint groups API and no longer use the peer CIDRs arguments.

The third is to remove the subnet ID from the VPN service API, and again,
use the new endpoint groups API for this information (and to allow >1).

A previous email send out from Kyle Mestery, asking about the production
usage of VPNaaS, did not indicate that this service was used in production
by operators.

As a result, we'd like to propose making this change as a non-backward
compatible change, which greatly reduces the effort.

The change WILL support migration, so older databases can be migrated to
the new schema and continue to operate, with future changes using the new
API. This gives a smooth upgrade path to the new capability.

The change would NOT support the older API in parallel with the new API, so
users upgrading would need to also update any client scripts/tools to use
the revised/new VPN API.

If this is acceptable to operators, we'd like to go forward with these
plans. Please respond within 7 days of this email, if you have concerns
about the proposal.


Paul Michali (IRC pc_m)
VPNaaS Core

Ref: https://review.openstack.org/#/c/191944/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150824/8b5c6e64/attachment.html>

More information about the OpenStack-operators mailing list