[openstack-dev] [kolla] add service discovery, proxysql, vault, fabio and FQDN endpoints

Florian Engelmann florian.engelmann at everyware.ch
Mon Oct 8 10:14:40 UTC 2018


Hi,

I would like to start a discussion about some changes and additions I 
would like to see in kolla and kolla-ansible.

1. Keepalived is a problem in layer 3 spine-leaf networks, as any floating 
IP can only exist in one leaf (and VRRP is a problem in layer 3). I would 
like to use consul and registrar to get rid of the "internal" floating 
IP and use consul's DNS service discovery to connect all services with 
each other.

2. Using "ports" for external API (endpoint) access is a major headache 
if a firewall is involved. I would like to configure HAProxy (or 
fabio) for external access to route on "Host:" headers, e.g. "Host: 
keystone.somedomain.tld", "Host: nova.somedomain.tld", ... with HTTPS. 
Any customer would then just need HTTPS access and would not have to open 
all those ports in their firewall. For some enterprise customers it is not 
possible to request FW changes like that.

3. HAProxy is not capable of handling a "read/write" split with Galera. I 
would like to introduce ProxySQL to be able to scale Galera.

4. HAProxy is fine, but fabio integrates well with consul and statsd and 
could be connected to a vault cluster to manage secure certificate access.

5. I would like to add vault as Barbican backend.

6. I would like to add an option to enable tokenless authentication 
between all services, to get rid of all the openstack service 
passwords (security issue).

What do you think about it?

All the best,
Florian
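
An added example of point 2 above, written for this page and not part of the original mail or of kolla-ansible: one HTTPS listener on 443 that dispatches to the OpenStack API backends by Host header, so a customer firewall only has to allow outbound TCP/443. The hostnames under somedomain.tld, the 10.0.0.x controller addresses, the backend ports and the certificate path are assumptions for illustration; the certificate is assumed to be a SAN or wildcard cert covering every API hostname.

```haproxy
# Added example (not from the original mail or kolla-ansible).
# Single HTTPS frontend routing by Host header instead of per-service ports.
# Hostnames, backend IPs/ports and the cert path below are assumptions.
global
    log stdout format raw local0
    # Accept only TLS 1.2+ from external clients (assumption: no legacy clients).
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend external_https
    # One listener for every API: the customer firewall only needs TCP/443.
    # The PEM is assumed to be a SAN/wildcard cert for *.somedomain.tld.
    bind :443 ssl crt /etc/haproxy/certs/somedomain.tld.pem alpn h2,http/1.1
    # Plain HTTP exists only to redirect; HSTS is sent on TLS responses only.
    bind :80
    http-request redirect scheme https code 301 unless { ssl_fc }
    http-response set-header Strict-Transport-Security "max-age=31536000" if { ssl_fc }

    # Normalise the Host header (drop any :port, lower-case) before matching,
    # so "Keystone.somedomain.tld:443" still hits the keystone rule.
    http-request set-var(req.host) req.hdr(host),field(1,:),lower

    # Exact-match host -> backend. Anything unmapped is refused rather than
    # silently forwarded to a default service.
    use_backend keystone_api if { var(req.host) -m str keystone.somedomain.tld }
    use_backend nova_api     if { var(req.host) -m str nova.somedomain.tld }
    use_backend glance_api   if { var(req.host) -m str glance.somedomain.tld }
    default_backend reject

backend keystone_api
    # Tell the service what the client saw, so services that honour these
    # headers build catalog/self links with the public https name.
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[var(req.host)]
    option httpchk GET /v3
    server ctl1 10.0.0.11:5000 check
    server ctl2 10.0.0.12:5000 check
    server ctl3 10.0.0.13:5000 check

backend nova_api
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[var(req.host)]
    option httpchk GET /
    server ctl1 10.0.0.11:8774 check
    server ctl2 10.0.0.12:8774 check
    server ctl3 10.0.0.13:8774 check

backend glance_api
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[var(req.host)]
    option httpchk GET /
    server ctl1 10.0.0.11:9292 check
    server ctl2 10.0.0.12:9292 check
    server ctl3 10.0.0.13:9292 check

backend reject
    # No servers on purpose: an unmapped Host gets 421 Misdirected Request.
    http-request deny deny_status 421
```

Two things to check before relying on this: the Keystone catalog must advertise the https://keystone.somedomain.tld style public endpoints rather than host:port ones, otherwise clients will follow catalog links straight back to the blocked ports; and the X-Forwarded-* headers are only useful if the WSGI services behind HAProxy are configured to trust them, since trusting them from an arbitrary upstream lets a client spoof its scheme and host. Validate the file with `haproxy -c -f <file>` before deploying.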