On 12/11/2014 03:05 PM, Simo Sorce wrote:
> On Thu, 11 Dec 2014 10:43:02 +0100
> Petr Spacek <pspa...@redhat.com> wrote:
>> On 10.12.2014 18:50, Simo Sorce wrote:
>>> On Wed, 10 Dec 2014 15:13:30 +0100
>>> Petr Spacek <pspa...@redhat.com> wrote:
>>>> I think that external DNS could depend on Vault (assuming that
>>>> external DNS support will be purely optional).
>>> TBH, I do not think this is a sensible option, the Vault will drag
>>> huge dependencies for now, and I would like to avoid that if all we
>>> need is to add a couple of A/SRV records to an external DNS.
>>> If we can't come up with a service, I think I am ok telling admins
>>> they need to manually copy the TKEY (or use puppet or other similar
>>> configuration manager to push the key file around) on each replica,
>>> and we defer automatic distribution of TKEYs.
>>> We will have a service that can give out keys, it is identified as
>>> necessary in the replica promotion proposal, so we'll eventually get
>> Thank you for discussion. Now I would like to know in which direction
>> are we heading with external DNS support :-)
>> I have to admit that I don't understand why we are spending time on
>> Vault and at the same time we refuse to use it ...
>> Anyway, someone competent has to decide if we want to implement
>> external DNS support and:
>> - defer key distribution for now
> I vote for deferring for now.
+1, we can defer until we have Simo's KISS service from replica promotion.
Same as Simo, I would also rather avoid the dependency on PKI&Vault for this
base infrastructure feature orthogonal to FreeIPA PKI.
Freeipa-devel mailing list