Excerpts from Raildo Mascena de Sousa Filho's message of 2017-08-04 19:34:25 +0000:
> Hi all,
>
> We had a couple of discussions with the Oslo team related to implementing
> pluggable drivers for oslo.config[0] and using that feature to implement
> support for protecting plaintext secrets in configuration files[1].
>
> On the other hand, due to the containerized support in OpenStack services, we
> have a community effort to implement k8s ConfigMap support[2][3], which
> might make us step back and consider how secret management will work, since
> the config data will need to go into the configmap *before* the container
> is launched.
>
> So, I would like to see what the community thinks. Should we continue
> working on the pluggable drivers and plaintext secret protection support
> for oslo.config? Does it make sense to have a PTG session[4] on Oslo to
> discuss that feature?

A PTG session does make sense.

My main concern is that the driver approach described is a fairly
significant change to the library. I was more confident that it made
sense when it was going to be used for multiple purposes.

There may be a less invasive way to handle secret storage. Or, we might
be able to design a system-level approach for handling those that doesn't
require changing the library at all.

So let's not frame the discussion as "should we add plugins to
oslo.config" but "how should we handle secret values in configuration
files".

Doug

>
> Thanks for the feedback in advance.
>
> Cheers,
>
> [0] https://review.openstack.org/#/c/454897/
> [1] https://review.openstack.org/#/c/474304/
> [2] https://github.com/flaper87/keystone-k8s-ansible/blob/6524b768d75a28adf44c74aca77ccf13dd66b1a9/provision-keystone-apb/tasks/main.yaml#L71-L108
> [3] https://kubernetes.io/docs/tasks/configure-pod-container/configmap/
> [4] https://etherpad.openstack.org/p/oslo-ptg-queens