Hi everyone!
First of all, I would like to thank everyone for taking the time and attending the session. I think we had a pretty productive time and discussions.
You may find discussion summaries below:
* We agreed to use the openstack namespace for the collections we will be creating. Among the collections that we will publish in the near future will be:
** config_template
** openstack-ansible-plugins
* During the Xena PTG we agreed to switch balancing of MariaDB from HAProxy to ProxySQL. For that we will create an independent role and will leave support for both ProxySQL and HAProxy balancing for 1 release. We will also include the migration path as part of the upgrade script.
* We will not officially support Rocky/Alma/etc. Linux due to very limited interest in these distros and not having the ability to test them properly. However, we should try to allow deployments on these distros since Ansible detects the OS family as RedHat.
* Next steps with PKI role:
** Issue certificates for libvirt encryption
** Add memcached encryption
** Re-work keystone and octavia roles to use PKI role for certificate issuing and distribution
** Cover connections between services and HAProxy with SSL
** Do some research regarding what drivers could be added in addition to "standalone" (like stepCA [1])
* How to handle HAProxy endpoints balancing
** We will drop the dependency on the haproxy_endpoints role since we never migrated to this way of managing endpoints; it's not straightforward and does not cover use cases where a service might break before restart (i.e. sudoers or policy file changes).
** Decide if we want to set the affected backend to MAINT state in HAProxy overall, and if we're doing this correctly (i.e. using DRAIN)
** Understand what happens with updated policy files which are used immediately
* Check the alternative to our hardening role and whether it can be considered as a replacement: https://github.com/dev-sec/ansible-collection-hardening . Decide if we have the resources to properly maintain our hardening role.
* Status of Protecting plaintext secrets Spec [2]:
** Convert the Python script to an Ansible module. Then we will be able to verify state and even do rotations.
** Secrets should be generated in vault only on a single host, and then the same mapping file generated for all.
** Think about delegating mapping and secrets creation to another role (or the vault role using from_tasks).
** Add a HashiCorp-native storage option for the vault role.
[1] https://smallstep.com/docs/step-ca
[2] https://specs.openstack.org/openstack/openstack-ansible-specs/specs/xena/protecting-plaintext-configs.html
--
Kind Regards,
Dmitriy Rabotyagov