On Tue, Feb 16, 2021 at 1:20 AM Dan Sneddon <dsneddon@redhat.com> wrote:
I have been in pre-deployment discussions with a couple of operators over the last 18 months or so when it came up. I think the intent was to use IPSEC hardware offload using the NIC, but I don't know if they ended up using TLS in production once they learned that TLS was a vastly more common option.
I think at the very least the presence of the IPSEC code and the fact that it's being maintained gives the impression that it is a valid option. There may be environments where IPSEC is used outside the OpenStack deployment, and a desire for consistency. There may even be some operators that would want to use both for the added layers of defense, possibly using IPSEC offload to offset the performance impact.
I wouldn't be against deprecating it, but I think that the IPSEC code still has some mind-share.
Thanks for the input Dan - more comments in response to Alex below:
-Dan
On 2/15/21 6:39 AM, Alex Schultz wrote:
Is this thing still even used? I thought it was a temporary thing until TLS everywhere was finished. If it's not used we should just retire it.
o/ good question. The repo hasn't had any action in over a year (ignoring top two commits to tox.ini). We do carry a tripleo-heat-templates file for it @ [1] and environment [2] so there may well be folks using it. However as noted by Dan we really *should* deprecate it if no-one is maintaining this code. Right now we need to move to independent, both to unblock the release jobs, but also so that we as tripleo are no longer required to create a stable branch for this repo. We can still tag a version if that is needed by someone, but no longer tied to a particular release/branch. Moving forward we can start a conversation around deprecating and ultimately removing it in the next cycle, assuming there are no objections to that (i.e. folks using that). regards, marios [1] https://opendev.org/openstack/tripleo-heat-templates/src/commit/8d612ea015c0... [2] https://opendev.org/openstack/tripleo-heat-templates/src/commit/8d612ea015c0...
On Fri, Feb 12, 2021 at 7:35 AM Marios Andreou <marios@redhat.com <mailto:marios@redhat.com>> wrote:
hello TripleO,
per $subject I want to propose that tripleo-ipsec moves to the independent release model, as done recently for os-collect-config and friends at [1].
The tripleo-ipsec repo hasn't had much/any commits in the last year [2]. In fact, we hadn't even created a ussuri branch for this repo and no-one noticed (!).
Because of the lack of stable/ussuri some of the release jobs failed, as discussed at [3] and which ttx tried to fix (thank you!) with [4].
Unfortunately this hasn't resolved the issue and jobs are still failing, as discussed just now in openstack-release [4]. If we agree to move tripleo-ipsec to independent then it will also resolve this build job issue.
If we move tripleo-ipsec to independent it means we can still release it if required, but we will no longer create stable/branches for the repo.
please voice any objections here or go and comment on the proposal at [6]
thanks for reading!
regards, marios
[1] https://review.opendev.org/c/openstack/releases/+/772570 <https://review.opendev.org/c/openstack/releases/+/772570> [2] https://opendev.org/openstack/tripleo-ipsec/commits/branch/master <https://opendev.org/openstack/tripleo-ipsec/commits/branch/master> [3]
http://lists.openstack.org/pipermail/openstack-discuss/2021-January/020112.h...
<
http://lists.openstack.org/pipermail/openstack-discuss/2021-January/020112.h...
[4] https://review.opendev.org/c/openstack/releases/+/772995 <https://review.opendev.org/c/openstack/releases/+/772995> [5]
http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-rel...
<
http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-rel...
[6] https://review.opendev.org/c/openstack/releases/+/775395 <https://review.opendev.org/c/openstack/releases/+/775395>