[tripleo] moving tripleo-ipsec to independent release model

Dan Sneddon dsneddon at redhat.com
Mon Feb 15 23:20:12 UTC 2021

I have been in pre-deployment discussions with a couple of operators 
over the last 18 months or so when it came up. I think the intent was to 
use IPSEC hardware offload using the NIC, but I don't know if they ended 
up using TLS in production once they learned that TLS was a vastly more 
common option.

I think at the very least the presence of the IPSEC code and the fact 
that it's being maintained gives the impression that it is a valid 
option. There may be environments where IPSEC is used outside the 
OpenStack deployment, and a desire for consistency. There may even be 
some operators that would want to use both for the added layers of 
defense, possibly using IPSEC offload to offset the performance impact.

I wouldn't be against deprecating it, but I think that the IPSEC code 
still has some mind-share.


On 2/15/21 6:39 AM, Alex Schultz wrote:
> Is this thing still even used?  I thought it was a temporary thing until 
> TLS everywhere was finished. If it's not used we should just retire it.
> On Fri, Feb 12, 2021 at 7:35 AM Marios Andreou <marios at redhat.com> wrote:
>     hello TripleO,
>     per $subject I want to propose that tripleo-ipsec moves to the
>     independent release model, as done recently for os-collect-config
>     and friends at [1].
>     The tripleo-ipsec repo hasn't had much/any commits in the last year
>     [2]. In fact, we hadn't even created a ussuri branch for this repo
>     and no-one noticed (!).
>     Because of the lack of stable/ussuri some of the release jobs
>     failed, as discussed at [3] and which ttx tried to fix (thank you!)
>     with [4].
>     Unfortunately this hasn't resolved the issue and jobs are still
>     failing, as discussed just now in openstack-release [4]. If we agree
>     to move tripleo-ipsec to independent then it will also resolve this
>     build job issue.
>     If we move tripleo-ipsec to independent it means we can still
>     release it if required, but we will no longer create stable/branches
>     for the repo.
>     please voice any objections here or go and comment on the proposal
>     at [6]
>     thanks for reading!
>     regards, marios
>     [1] https://review.opendev.org/c/openstack/releases/+/772570
>     [2] https://opendev.org/openstack/tripleo-ipsec/commits/branch/master
>     [3] http://lists.openstack.org/pipermail/openstack-discuss/2021-January/020112.html
>     [4] https://review.opendev.org/c/openstack/releases/+/772995
>     [5] http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-release.2021-02-12.log.html
>     [6] https://review.opendev.org/c/openstack/releases/+/775395
