[openstack-dev] [TripleO] IPSEC integration

Juan Antonio Osorio jaosorior at gmail.com
Tue Nov 21 18:00:26 UTC 2017

On 21 Nov 2017 01:19, "Alex Schultz" <aschultz at redhat.com> wrote:

On Thu, Nov 16, 2017 at 12:01 AM, Juan Antonio Osorio
<jaosorior at gmail.com> wrote:
> Hello folks!
> A few months ago Dan Sneddon and I worked on an Ansible role that would
> enable IPSEC for the overcloud [1]. Currently, one would run it as a
> step after the overcloud deployment. But, I would like to start
> it to TripleO itself, making it another option, probably as a composable
> service.

Is there a spec for this or at least some more detail as to what
exactly this is solving?  I would really like some more explanation
around this feature than just an ansible role proposal.

Spec created https://blueprints.launchpad.net/tripleo/+spec/ipsec

> For this, I'm planning to move the tripleo-ipsec ansible role repository
> under the TripleO umbrella. Would that be fine with everyone? Or should I
> add this ansible role as part of another repository? After that's
> and packaged in RDO. I'll then look into the actual TripleO composable
> service.

As I've previously indicated it probably should live under the tripleo
umbrella but I would like to see more details around this prior to
further integration.  It's also very late in the cycle (almost m2) to
be proposing something like this. Is the target for this Rocky?

That being said I don't see anything specific to this role that would
cause problems as part of the deployment process as it exists today.
I do see some possible conflicts around the iptables configuration as
we currently manage that via heat/puppet but I think it's smart enough
to not stomp on each other if we carefully format the rules.  Another
implementation item that might be problematic is the more hard-coded
configuration via template files. What is the plan to make those more
dynamic to support other roles besides just compute/controller?

It's in the works. It shouldn't be a big change.

Now tripleo-heat-templates is the source of configuration items that
we expose for the deployment.  What would we be looking to expose to
deployers since what is currently exposed from the role is minimal?

I'm looking to get deployers to only need to enable it via an environment
variable. The rest should be automatic.

> Any input and contributions are welcome!
> [1] https://github.com/JAORMX/tripleo-ipsec
> --
> Juan Antonio Osorio R.
> e-mail: jaosorior at gmail.com

