[openstack-dev] [TripleO] IPSEC integration

Alex Schultz aschultz at redhat.com
Mon Nov 20 23:18:42 UTC 2017

On Thu, Nov 16, 2017 at 12:01 AM, Juan Antonio Osorio
<jaosorior at gmail.com> wrote:
> Hello folks!
> A few months ago Dan Sneddon and I worked on an ansible role that would
> enable IPSEC for the overcloud [1]. Currently, one would run it as an extra
> step after the overcloud deployment. But, I would like to start integrating
> it into TripleO itself, making it another option, probably as a composable
> service.

Is there a spec for this or at least some more detail as to what
exactly this is solving?  I would really like some more explanation
around this feature than just an ansible role proposal.

> For this, I'm planning to move the tripleo-ipsec ansible role repository
> under the TripleO umbrella. Would that be fine with everyone? Or should I
> add this ansible role as part of another repository? After that's available
> and packaged in RDO, I'll then look into the actual TripleO composable
> service.

As I've previously indicated it probably should live under the tripleo
umbrella but I would like to see more details around this prior to
further integration.  It's also very late in the cycle (almost m2) to
be proposing something like this. Is the target for this Rocky?

That being said I don't see anything specific to this role that would
cause problems as part of the deployment process as it exists today.
I do see some possible conflicts around the iptables configuration as
we currently manage that via heat/puppet but I think it's smart enough
to not stomp on each other if we carefully format the rules.  Another
implementation item that might be problematic is the more hard-coded
configuration via template files. What is the plan to make those more
dynamic to support other roles besides just compute/controller?  Right
now tripleo-heat-templates is the source of configuration items that
we expose for the deployment.  What would we be looking to expose to
deployers since what is currently exposed from the role is minimal?

> Any input and contributions are welcome!
> [1] https://github.com/JAORMX/tripleo-ipsec
> --
> Juan Antonio Osorio R.
> e-mail: jaosorior at gmail.com

