Excerpts from Fox, Kevin M's message of 2017-08-04 21:46:05 +0000:
> Yeah, but you still run into stuff like db contact and driver information
> being mixed up with secret used for contacting that service. Those should be
> separate fields I think so they can be split/merged with that mechanism.

That is also supported, through value interpolation.

https://docs.openstack.org/oslo.config/latest/reference/cfg.html#option-value-interpolation

Doug

>
> Thanks,
> Kevin
> ________________________________________
> From: Doug Hellmann [[email protected]]
> Sent: Friday, August 04, 2017 1:49 PM
> To: openstack-dev
> Subject: Re: [openstack-dev] [oslo][oslo.config] Pluggable drivers and
> protect plaintext secrets
>
> Excerpts from Fox, Kevin M's message of 2017-08-04 20:21:19 +0000:
> > I would really like to see secrets separated from config. Always have...
> > They are two separate things.
> >
> > If nothing else, a separate config file so it can be permissioned
> > differently.
> >
> > This could be combined with k8s secrets/configmaps better too.
> > Or make it much easier to version config in git and have secrets somewhere
> > else.
>
> Sure. It's already possible today to use multiple configuration
> files with oslo.config, using either the --config-dir option or by
> passing multiple --config-file options.
>
> Doug
>
> >
> > Thanks,
> > Kevin
> >
> > ________________________________
> > From: Raildo Mascena de Sousa Filho [[email protected]]
> > Sent: Friday, August 04, 2017 12:34 PM
> > To: [email protected]
> > Subject: [openstack-dev] [oslo][oslo.config] Pluggable drivers and protect
> > plaintext secrets
> >
> > Hi all,
> >
> > We had a couple of discussions with the Oslo team related to implementing
> > pluggable drivers for oslo.config[0] and using that feature to implement
> > support to protect plaintext secrets in configuration files[1].
> >
> > On the other hand, due to the containerized support on OpenStack services, we
> > have a community effort to implement k8s ConfigMap support[2][3], which
> > might make us step back and consider how secret management will work, since
> > the config data will need to go into the configmap *before* the container
> > is launched.
> >
> > So, I would like to see what the community thinks. Should we continue
> > working on the pluggable drivers and protect plaintext secrets support
> > for oslo.config? Does it make sense to have a PTG session[4] on Oslo to discuss
> > that feature?
> >
> > Thanks for the feedback in advance.
> >
> > Cheers,
> >
> > [0] https://review.openstack.org/#/c/454897/
> > [1] https://review.openstack.org/#/c/474304/
> > [2]
> > https://github.com/flaper87/keystone-k8s-ansible/blob/6524b768d75a28adf44c74aca77ccf13dd66b1a9/provision-keystone-apb/tasks/main.yaml#L71-L108
> > [3] https://kubernetes.io/docs/tasks/configure-pod-container/configmap/
> > [4] https://etherpad.openstack.org/p/oslo-ptg-queens
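
The split discussed in this thread (multiple `--config-file` options plus value interpolation), shown as an added example that is not part of any message above and not taken from the oslo.config project. The service name `myservice`, the file paths and the `db_user`, `db_password` and `db_host` option names are hypothetical, and the layout assumes the service registers those names as options, since interpolation only resolves registered options.

```ini
# Constructed example. Paths, the "myservice" name and the db_* option names
# are hypothetical; $name interpolation only resolves options the service
# has registered with oslo.config.

# --- Before: one file, connection details and the secret in a single value ---
# /etc/myservice/myservice.conf
# (the whole file has to be locked down because of the password)
[database]
connection = mysql+pymysql://myservice:CHANGE_ME@db.example.org/myservice

# --- After: two files, merged by oslo.config at load time ---
# /etc/myservice/myservice.conf
# (mode 0644; no secret inside, so it can be versioned in git or
#  shipped as a k8s ConfigMap)
[DEFAULT]
db_user = myservice
db_host = db.example.org

[database]
connection = mysql+pymysql://$db_user:$db_password@$db_host/myservice

# /etc/myservice/secrets.conf
# (mode 0600, owned by the service user; could be mounted from a k8s Secret)
[DEFAULT]
db_password = CHANGE_ME

# Load both files:
#   myservice --config-file /etc/myservice/myservice.conf \
#             --config-file /etc/myservice/secrets.conf
# or keep both in one directory and pass:
#   myservice --config-dir /etc/myservice/
```

A literal `$` in the secret has to be written as `$$`, because option values are themselves subject to interpolation.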
