[kolla-ansible] External Ceph keyring encryption

Michał Nasiadka mnasiadka at gmail.com
Wed Feb 19 17:29:00 UTC 2020


Hi Jason,

I don’t think it should be instead; we could support both modes - happy to
help in reviewing/co-authoring.

Best regards,
Michal

On Wed, 19 Feb 2020 at 18:23, Jason Anderson <jasonanderson at uchicago.edu>
wrote:

> Hi all,
>
> My understanding is that KA has dropped support for provisioning Ceph
> directly, and now requires an external Ceph cluster (side note: we should
> update the docs[1], which state it is only "sometimes necessary" to use an
> external cluster--I will try to submit something today).
>
> I think this works well, but the handling of keyrings cuts a bit against
> the grain of KA. The keyring files must be dropped into the
> node_custom_config directory. This means that operators who prefer to keep
> their KA configuration in source control must have some mechanism for
> securing that, as it is unencrypted. What does everybody think about
> storing Ceph keyring secrets in passwords.yml instead, similar to how SSH
> keys are handled?
>
> Thanks,
> /Jason
>
> [1]:
> https://docs.openstack.org/kolla-ansible/latest/reference/storage/external-ceph-guide.html
>
>
> --
> Jason Anderson
>
> Chameleon DevOps Lead
> *Consortium for Advanced Science and Engineering, The University of
> Chicago*
> *Mathematics & Computer Science Division, Argonne National Laboratory*
>
-- 
Michał Nasiadka
mnasiadka at gmail.com
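
A check for the concern raised in this thread, as an added example that is not part of either message or of kolla-ansible: it walks a configuration directory and reports files that look like clear-text Ceph keyrings rather than ansible-vault encrypted files. The directory layout, file names and key value are constructed for the demo, and the match is a heuristic (an INI section plus a base64 `key =` line).

```python
import base64
import os
import re
import tempfile

VAULT_HEADER = "$ANSIBLE_VAULT;"  # every ansible-vault encrypted file starts with this
SECTION_RE = re.compile(r"^\[[^\]\n]+\][ \t]*$", re.M)  # e.g. [client.name]
KEY_RE = re.compile(r"^[ \t]*key[ \t]*=[ \t]*[A-Za-z0-9+/]{16,}={0,2}[ \t]*$", re.M)


def is_plaintext_keyring(path):
    """Heuristic: an INI section plus a base64 'key =' line, not vault-encrypted."""
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except (OSError, UnicodeDecodeError):
        return False  # unreadable or binary: not a clear-text keyring
    if text.lstrip().startswith(VAULT_HEADER):
        return False  # encrypted at rest
    return bool(SECTION_RE.search(text) and KEY_RE.search(text))


def find_plaintext_keyrings(config_dir):
    """Return sorted relative paths of clear-text keyrings under config_dir."""
    hits = []
    for root, _dirs, files in os.walk(config_dir):
        for name in files:
            path = os.path.join(root, name)
            if is_plaintext_keyring(path):
                hits.append(os.path.relpath(path, config_dir))
    return sorted(hits)


def demo():
    """Scan a constructed tree: one clear-text keyring, one vaulted, one plain config."""
    fake_key = base64.b64encode(b"constructed, not a real key").decode()
    samples = {
        "svc-a/plain.keyring": "[client.example]\n\tkey = %s\n" % fake_key,
        "svc-b/vaulted.keyring": "$ANSIBLE_VAULT;1.1;AES256\n6162636465666768\n",
        "svc-b/other.conf": "[global]\nlog_level = info\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_plaintext_keyrings(tmp)
```

Run as a pre-commit or CI step, `find_plaintext_keyrings()` can fail the build when it returns a non-empty list.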