Thanks for these suggestions Florian, there are some interesting ideas in here. I'm a little concerned about the maintenance overhead of adding support for all of these things, and wonder if some of them could be done without explicit support in kolla and kolla-ansible. The kolla projects have been able to move quickly by providing a flexible configuration mechanism that avoids the need to maintain support for every OpenStack feature. Other thoughts inline.
Regards,
Mark

On Mon, 8 Oct 2018 at 11:15, Florian Engelmann <florian.engelm...@everyware.ch> wrote:
> Hi,
>
> I would like to start a discussion about some changes and additions I
> would like to see in kolla and kolla-ansible.
>
> 1. Keepalived is a problem in layer3 spine leaf networks as any floating
> IP can only exist in one leaf (and VRRP is a problem in layer3). I would
> like to use consul and registrar to get rid of the "internal" floating
> IP and use consul's DNS service discovery to connect all services with
> each other.

Without reading up, I'm not sure exactly how this fits together. If kolla-ansible made the API host configurable for each service rather than globally, would that be a step in the right direction?

> 2. Using "ports" for external API (endpoint) access is a major headache
> if a firewall is involved. I would like to configure the HAProxy (or
> fabio) for the external access to use "Host:" like, e.g. "Host:
> keystone.somedomain.tld", "Host: nova.somedomain.tld", ... with HTTPS.
> Any customer would just need HTTPS access and not have to open all those
> ports in his firewall. For some enterprise customers it is not possible
> to request FW changes like that.
>
> 3. HAProxy is not capable of handling "read/write" split with Galera. I
> would like to introduce ProxySQL to be able to scale Galera.

It's now possible to use an external database server with kolla-ansible, instead of deploying a mariadb/galera cluster. This could be implemented how you like, see https://docs.openstack.org/kolla-ansible/latest/reference/external-mariadb-guide.html .

> 4. HAProxy is fine but fabio integrates well with consul, statsd and
> could be connected to a vault cluster to manage secure certificate access.

As above.

> 5. I would like to add vault as Barbican backend.

Does this need explicit support in kolla and kolla-ansible, or could it be done through configuration of barbican.conf? Are there additional packages required in the barbican container? If so, see https://docs.openstack.org/kolla/latest/admin/image-building.html#package-customisation .

> 6. I would like to add an option to enable tokenless authentication for
> all services with each other to get rid of all the openstack service
> passwords (security issue).

Again, could this be done without explicit support?

> What do you think about it?
>
> All the best,
> Florian
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
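Florian's point 2, one public HTTPS listener that routes on the Host header instead of exposing a port per service, as an added HAProxy configuration example that is not from this thread or from kolla-ansible: the somedomain.tld hostnames, the certificate path and the backend controller addresses are assumed placeholders, and the backend ports are the default Keystone (5000) and Nova API (8774) listeners.

```haproxy
# Added example, not from the thread: a single HTTPS frontend that picks the
# backend from the Host header, so the customer firewall only needs 443 open.
# Assumed placeholders: the *.somedomain.tld names, the certificate path and
# the controller addresses 10.0.0.11 / 10.0.0.12.
frontend public_api
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/somedomain.tld.pem
    # Never serve the APIs in clear text: send port-80 clients to HTTPS
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Match the Host header exactly (case-insensitive), ignoring any ":port" suffix
    acl host_keystone req.hdr(host),field(1,:) -i keystone.somedomain.tld
    acl host_nova     req.hdr(host),field(1,:) -i nova.somedomain.tld
    # Unknown or missing Host: refuse instead of falling through to a default service
    http-request deny deny_status 403 if !host_keystone !host_nova
    # Tell browsers and SDKs to keep using HTTPS for these hostnames
    http-response set-header Strict-Transport-Security "max-age=31536000"
    use_backend keystone_api if host_keystone
    use_backend nova_api     if host_nova

backend keystone_api
    balance roundrobin
    option httpchk GET /v3
    server ctl1 10.0.0.11:5000 check
    server ctl2 10.0.0.12:5000 check

backend nova_api
    balance roundrobin
    option httpchk GET /
    server ctl1 10.0.0.11:8774 check
    server ctl2 10.0.0.12:8774 check
```

The public endpoints registered in the Keystone service catalog then use these hostnames on 443, so a client needs outbound HTTPS only.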