I have been in pre-deployment discussions with a couple of operators over the last 18 months or so when it came up. I think the intent was to use IPSEC hardware offload using the NIC, but I don't know if they ended up using TLS in production once they learned that TLS was a vastly more common option.
I think at the very least the presence of the IPSEC code and the fact that it's being maintained gives the impression that it is a valid option. There may be environments where IPSEC is used outside the OpenStack deployment, and a desire for consistency. There may even be some operators that would want to use both for the added layers of defense, possibly using IPSEC offload to offset the performance impact.
I wouldn't be against deprecating it, but I think that the IPSEC code still has some mind-share.
-Dan
On 2/15/21 6:39 AM, Alex Schultz wrote:
Is this thing still even used? I thought it was a temporary thing until TLS everywhere was finished. If it's not used we should just retire it.
On Fri, Feb 12, 2021 at 7:35 AM Marios Andreou <marios@redhat.com> wrote:
hello TripleO,
per $subject I want to propose that tripleo-ipsec moves to the independent release model, as done recently for os-collect-config and friends at [1].
The tripleo-ipsec repo hasn't had much/any commits in the last year [2]. In fact, we hadn't even created a ussuri branch for this repo and no-one noticed (!).
Because of the lack of stable/ussuri some of the release jobs failed, as discussed at [3] and which ttx tried to fix (thank you!) with [4].
Unfortunately this hasn't resolved the issue and jobs are still failing, as discussed just now in openstack-release [4]. If we agree to move tripleo-ipsec to independent then it will also resolve this build job issue.
If we move tripleo-ipsec to independent it means we can still release it if required, but we will no longer create stable/branches for the repo.
please voice any objections here or go and comment on the proposal at [6]
thanks for reading!
regards, marios
[1] https://review.opendev.org/c/openstack/releases/+/772570
[2] https://opendev.org/openstack/tripleo-ipsec/commits/branch/master
[3] http://lists.openstack.org/pipermail/openstack-discuss/2021-January/020112.html
[4] https://review.opendev.org/c/openstack/releases/+/772995
[5] http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-release.2021-02-12.log.html
[6] https://review.opendev.org/c/openstack/releases/+/775395