Excerpts from Fox, Kevin M's message of 2017-08-04 21:46:05 +0000:
> Yeah, but you still run into stuff like db contact and driver information
> being mixed up with secret used for contacting that service. Those should be
> separate fields I think so they can be split/merged with that mechanism.
That is also supported, through value interpolation.
> From: Doug Hellmann [d...@doughellmann.com]
> Sent: Friday, August 04, 2017 1:49 PM
> To: openstack-dev
> Subject: Re: [openstack-dev] [oslo][oslo.config] Pluggable drivers and
> protect plaintext secrets
> Excerpts from Fox, Kevin M's message of 2017-08-04 20:21:19 +0000:
> > I would really like to see secrets separated from config. Always have...
> > They are two separate things.
> > If nothing else, a separate config file so it can be permissioned
> > differently.
> > This could be combined with k8s secrets/configmaps better too.
> > Or make it much easier to version config in git and have secrets somewhere
> > else.
> Sure. It's already possible today to use multiple configuration
> files with oslo.config, using either the --config-dir option or by
> passing multiple --config-file options.
> > Thanks,
> > Kevin
> > ________________________________
> > From: Raildo Mascena de Sousa Filho [rmasc...@redhat.com]
> > Sent: Friday, August 04, 2017 12:34 PM
> > To: firstname.lastname@example.org
> > Subject: [openstack-dev] [oslo][oslo.config] Pluggable drivers and protect
> > plaintext secrets
> > Hi all,
> > We had a couple of discussions with the Oslo team related to implement
> > Pluggable drivers for oslo.config and use those feature to implement
> > support to protect plaintext secret on configuration files.
> > In another hand, due the containerized support on OpenStack services, we
> > have a community effort to implement a k8s ConfigMap support, which
> > might make us step back and consider how secret management will work, since
> > the config data will need to go into the configmap *before* the container
> > is launched.
> > So, I would like to see what the community think. Should we continue
> > working on that pluggable drivers and protect plain text secrets support
> > for oslo.config? Makes sense having a PTG session on Oslo to discuss
> > that feature?
> > Thanks for the feedback in advance.
> > Cheers,
> >  https://review.openstack.org/#/c/454897/
> >  https://review.openstack.org/#/c/474304/
> > 
> > https://github.com/flaper87/keystone-k8s-ansible/blob/6524b768d75a28adf44c74aca77ccf13dd66b1a9/provision-keystone-apb/tasks/main.yaml#L71-L108
> > 
> > https://kubernetes.io/docs/<https://kubernetes.io/docs/tasks/configure-pod-container/configmap/>tasks/configure-pod-container/configmap/<https://kubernetes.io/docs/tasks/configure-pod-container/configmap/>
> >  https://etherpad.openstack.org/p/oslo-ptg-queens
OpenStack Development Mailing List (not for usage questions)