Open Stack

Hello folks,

Since this topic have been discussed for a while, I'll give some updates on
our current progress and which is the next steps for that.

Yesterday, The spec for oslo.config drivers has been approved [1] and we
started that implementation [2] for that spec. After that, we should be
able to implement a Castellan driver for oslo.config, which will provide
the ability to use Castellan reference for those secrets and store it using
a proper key store backend.
Besides that, we are implementing the Custodia support to the key manager
to store/fetch secrets on Castellan [3].

Finally, as next steps for Rocky release, we should discuss (maybe in the
next PTG) some points like using some deployment tool like Ansible or
puppet, through the TripleO service, to create those secrets and store it
properly on Custodia, following that Castellan driver for oslo.config. So,
later, we will be able to restore it properly in the configuration files.

[1] https://review.openstack.org/#/c/454897/7
[2] https://review.openstack.org/#/c/513844/
[3] https://review.openstack.org/#/c/515190/

Regards,

On Mon, Nov 20, 2017 at 1:42 PM Doug Hellmann <doug at doughellmann.com> wrote:

> Excerpts from Jay Pipes's message of 2017-11-20 11:02:33 -0500:
> > On 11/20/2017 10:19 AM, Doug Hellmann wrote:
> > > The spec for adding pluggable drivers to oslo.config is ready for a
> > > final queens review [1]. The latest draft should be simpler to
> implement
> > > (important given where we are in the schedule) at the expense of always
> > > requiring at least one configuration file to specify the location of
> > > other configuration sources. We can improve on that design in the
> future
> > > when we have the drivers working.
> >
> > Hi Doug. Is this spec crucial for various PCI/security-minded folks to
> > review due to how plaintext configuration options are currently handled
> > for sensitive things like password and user/project IDs?
> >
> > Best,
> > -jay
> >
>
> The spec is meant to enable securely storing secrets, but it's
> foundation work before the secret store driver can actually be
> implemented so it doesn't go into a lot of detail about the castellan
> driver. Still, I would appreciate if the folks interested in that
> feature look at it.
>
> Doug
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-- 

Raildo mascena

Software Engineer, Identity Managment

Red Hat

<https://www.redhat.com>
<https://red.ht/sig>
TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171122/c5f058e7/attachment.html>