[openstack-dev] [TripleO][Tuskar] Feedback on init-keystone spec

Clint Byrum clint at fewbar.com
Mon May 5 18:56:14 UTC 2014


Excerpts from Jiří Stránský's message of 2014-05-05 01:54:11 -0700:
> On 30.4.2014 09:02, Steve Kowalik wrote:
> > Hi,
> >
> >     I'm looking at moving init-keystone from tripleo-incubator to
> > os-cloud-config, and I've drafted a spec at
> > https://etherpad.openstack.org/p/tripleo-init-keystone-os-cloud-config .
> >
> >     Feedback welcome.
> >
> > Cheers,
> >
> 
> Hi Steve,
> 
> that looks good :) Just to clarify -- should the long-term plan for 
> Keystone PKI initialization still be to generate the key+certs on 
> undercloud and push it to overcloud via Heat? (Likewise for 
> seed->undercloud.)

Long term I'd like to see us generate keys locally and have Barbican
store the keys. It is still not quite far enough on the incubation path
to be something we rely on directly, but we should consider that a very
temporary situation.

Short term we'll have to push things around via Heat. That behooves us
to ensure SSL is working for metadata fetching btw. I've not checked on
that in a very long time, and I'm not sure any of our CI enables it.


