[openstack-dev] [kolla] add service discovery, proxysql, vault, fabio and FQDN endpoints

Mark Goddard mark at stackhpc.com
Tue Oct 9 09:04:51 UTC 2018

Thanks for these suggestions Florian, there are some interesting ideas in
here. I'm a little concerned about the maintenance overhead of adding
support for all of these things, and wonder if some of them could be done
without explicit support in kolla and kolla-ansible. The kolla projects
have been able to move quickly by providing a flexible configuration
mechanism that avoids the need to maintain support for every OpenStack
feature. Other thoughts inline.


On Mon, 8 Oct 2018 at 11:15, Florian Engelmann <florian.engelmann at everyware.ch> wrote:

> Hi,
> I would like to start a discussion about some changes and additions I
> would like to see in kolla and kolla-ansible.
> 1. Keepalived is a problem in layer3 spine leaf networks as any floating
> IP can only exist in one leaf (and VRRP is a problem in layer3). I would
> like to use consul and registrar to get rid of the "internal" floating
> IP and use consul's DNS service discovery to connect all services with
> each other.

Without reading up, I'm not sure exactly how this fits together. If
kolla-ansible made the API host configurable for each service rather than
globally, would that be a step in the right direction?

> 2. Using "ports" for external API (endpoint) access is a major headache
> if a firewall is involved. I would like to configure the HAProxy (or
> fabio) for the external access to use "Host:" like, e.g. "Host:
> keystone.somedomain.tld", "Host: nova.somedomain.tld", ... with HTTPS.
> Any customer would just need HTTPS access and not have to open all those
> ports in his firewall. For some enterprise customers it is not possible
> to request FW changes like that.
> 3. HAProxy is not capable of handling "read/write" split with Galera. I
> would like to introduce ProxySQL to be able to scale Galera.

It's now possible to use an external database server with kolla-ansible,
instead of deploying a mariadb/galera cluster. This could be implemented
how you like, see

> 4. HAProxy is fine but fabio integrates well with consul, statsd and
> could be connected to a vault cluster to manage secure certificate access.

As above.

> 5. I would like to add vault as Barbican backend.

Does this need explicit support in kolla and kolla-ansible, or could it
be done through configuration of barbican.conf? Are there additional
packages required in the barbican container? If so, see

> 6. I would like to add an option to enable tokenless authentication for
> all services with each other to get rid of all the openstack service
> passwords (security issue).

Again, could this be done without explicit support?

> What do you think about it?
> All the best,
> Florian
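To make point 2 of the thread concrete, here is an added HAProxy configuration example that is not part of the original mail and not the configuration kolla-ansible generates. It shows the port-per-service layout beside a single HTTPS frontend that selects the backend from the Host: header, so an external firewall only has to allow TCP 443 to one address. The addresses, hostnames (keystone.somedomain.tld, nova.somedomain.tld), backend ports and the certificate path are constructed placeholders; the health-check paths are assumptions and should be adapted to the deployment.

```haproxy
# Added example, not kolla-ansible's generated haproxy.cfg.
# All IPs, hostnames and the certificate path are constructed placeholders.

global
    log /dev/log local0
    # Assumption: TLS 1.2 as the floor; tighten to the deployment's policy.
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# --- Before: one listener per service, so the customer firewall must
#     open 5000, 8774, ... towards the external VIP. ---
frontend keystone_external_port
    bind 203.0.113.10:5000
    default_backend keystone_api

frontend nova_external_port
    bind 203.0.113.10:8774
    default_backend nova_api

# --- After: one TLS listener on 443; the Host: header picks the service. ---
frontend api_external_https
    # Assumption: one certificate (or a SAN/wildcard cert) covering all API FQDNs.
    bind 203.0.113.10:443 ssl crt /etc/haproxy/certs/api.somedomain.tld.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https

    # Exact-match the host name; field(1,:) drops any ":port" a client appends.
    acl host_keystone req.hdr(host),field(1,:) -i -m str keystone.somedomain.tld
    acl host_nova     req.hdr(host),field(1,:) -i -m str nova.somedomain.tld

    # Requests for a Host: we do not publish are refused instead of being
    # handed to a default service.
    http-request deny unless host_keystone or host_nova

    use_backend keystone_api if host_keystone
    use_backend nova_api     if host_nova

backend keystone_api
    # Assumption: /v3 answers 200 on keystone; adjust the check path as needed.
    option httpchk GET /v3
    server ctl1 10.0.0.11:5000 check
    server ctl2 10.0.0.12:5000 check

backend nova_api
    option httpchk GET /
    server ctl1 10.0.0.11:8774 check
    server ctl2 10.0.0.12:8774 check
```

With this layout the public endpoints registered in the keystone catalog become https://keystone.somedomain.tld/v3 and https://nova.somedomain.tld/v2.1 rather than https://203.0.113.10:5000 and :8774, which is the "FQDN endpoints" part of the proposal. The explicit deny for unrecognised Host: values is the check worth keeping: without it, a default_backend would quietly expose whichever service it points at to any name that resolves to the VIP.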