Re: [openstack-dev] [TripleO] IPSEC integration

[Juan Antonio Osorio]

On 21 Nov 2017 01:19, "Alex Schultz"  wrote:

On Thu, Nov 16, 2017 at 12:01 AM, Juan Antonio Osorio
 wrote:
> Hello folks!
>
> A few months ago Dan Sneddon and me worked in an ansible role that would
> enable IPSEC for the overcloud [1]. Currently, one would run it as an
extra
> step after the overcloud deployment. But, I would like to start
integrating
> it to TripleO itself, making it another option, probably as a composable
> service.
>

Is there a spec for this or at least some more detail as to what
exactly this is solving?  I would really like some more explanation
around this feature than just an ansible role proposal.


Spec created https://blueprints.launchpad.net/tripleo/+spec/ipsec


> For this, I'm planning to move the tripleo-ipsec ansible role repository
> under the TripleO umbrella. Would that be fine with everyone? Or should I
> add this ansible role as part of another repository? After that's
available
> and packaged in RDO. I'll then look into the actual TripleO composable
> service.
>

As I've previously indicated it probably should live under the tripleo
umbrella but I would like to see more details around this prior to
further integration.  It's also very late in the cycle (almost m2) to
be proposing something like this. Is the target for this Rocky?

That being said I don't see anything specific to this role that would
cause problems as part of the deployment process as it exists today.
I do see some possible conflicts around the iptables configuration as
we currently manage that via heat/puppet but I think it's smart enough
to not stomp on each other if we carefully format the rules.  Another
implementation item that might be problematic is the more hard-coded
configuration via template files. What is the plan to make those more
dynamic to support other roles besides just compute/controller?


It's on the works. It shouldn't be a big change.

Right
now tripleo-heat-templates is the source of configuration items that
we expose for the deployment.  What would we be looking to expose to
deployers since what is currently exposed from the role is minimal?


I'm looking to get deployers to only need to enable it via an environment
variable. The rest should be automatic.



> Any input and contributions are welcome!
>
> [1] https://github.com/JAORMX/tripleo-ipsec
>
> --
> Juan Antonio Osorio R.
> e-mail: jaosor...@gmail.com
>
>

Thanks,
-Alex

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [TripleO] IPSEC integration

[Alex Schultz]

On Thu, Nov 16, 2017 at 12:01 AM, Juan Antonio Osorio
 wrote:
> Hello folks!
>
> A few months ago Dan Sneddon and me worked in an ansible role that would
> enable IPSEC for the overcloud [1]. Currently, one would run it as an extra
> step after the overcloud deployment. But, I would like to start integrating
> it to TripleO itself, making it another option, probably as a composable
> service.
>

Is there a spec for this or at least some more detail as to what
exactly this is solving?  I would really like some more explanation
around this feature than just an ansible role proposal.

> For this, I'm planning to move the tripleo-ipsec ansible role repository
> under the TripleO umbrella. Would that be fine with everyone? Or should I
> add this ansible role as part of another repository? After that's available
> and packaged in RDO. I'll then look into the actual TripleO composable
> service.
>

As I've previously indicated it probably should live under the tripleo
umbrella but I would like to see more details around this prior to
further integration.  It's also very late in the cycle (almost m2) to
be proposing something like this. Is the target for this Rocky?

That being said I don't see anything specific to this role that would
cause problems as part of the deployment process as it exists today.
I do see some possible conflicts around the iptables configuration as
we currently manage that via heat/puppet but I think it's smart enough
to not stomp on each other if we carefully format the rules.  Another
implementation item that might be problematic is the more hard-coded
configuration via template files. What is the plan to make those more
dynamic to support other roles besides just compute/controller?  Right
now tripleo-heat-templates is the source of configuration items that
we expose for the deployment.  What would we be looking to expose to
deployers since what is currently exposed from the role is minimal?

> Any input and contributions are welcome!
>
> [1] https://github.com/JAORMX/tripleo-ipsec
>
> --
> Juan Antonio Osorio R.
> e-mail: jaosor...@gmail.com
>
>

Thanks,
-Alex

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [TripleO] IPSEC integration

[James Slagle]

On Fri, Nov 17, 2017 at 10:27 AM, Bogdan Dobrelya  wrote:
> On 11/16/17 8:01 AM, Juan Antonio Osorio wrote:
>>
>> Hello folks!
>>
>> A few months ago Dan Sneddon and me worked in an ansible role that would
>> enable IPSEC for the overcloud [1]. Currently, one would run it as an extra
>> step after the overcloud deployment. But, I would like to start integrating
>> it to TripleO itself, making it another option, probably as a composable
>> service.
>>
>> For this, I'm planning to move the tripleo-ipsec ansible role repository
>> under the TripleO umbrella. Would that be fine with everyone? Or should I
>> add this ansible role as part of another repository? After that's
>
>
> This looks very similar to Kubespray [0] integration case. I hope that
> external deployments bits can be added without a hard requirement of being
> under the umbrella and packaged in RDO.

I don't have a strong opinion on it being under the TripleO umbrella
or not, but I agree with Bogdan that I think this could be a good fit
for the external_deploy_tasks interface that kubespray is currently
also consuming. You may find that is an easier way of consuming the
standalone Ansible roles you've already done as opposed to trying to
make those fit into the composable services framework that uses t-h-t
in tree Ansible tasks.


-- 
-- James Slagle
--

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [TripleO] IPSEC integration

[Bogdan Dobrelya]

On 11/16/17 8:01 AM, Juan Antonio Osorio wrote:

Hello folks!

A few months ago Dan Sneddon and me worked in an ansible role that would 
enable IPSEC for the overcloud [1]. Currently, one would run it as an 
extra step after the overcloud deployment. But, I would like to start 
integrating it to TripleO itself, making it another option, probably as 
a composable service.


For this, I'm planning to move the tripleo-ipsec ansible role repository 
under the TripleO umbrella. Would that be fine with everyone? Or should 
I add this ansible role as part of another repository? After that's 


This looks very similar to Kubespray [0] integration case. I hope that 
external deployments bits can be added without a hard requirement of 
being under the umbrella and packaged in RDO.



I've tried to follow the guide [1] for adding RDO packages and the 
package review [2] and didn't succeed. There should be a simpler 
solution to host a package somewhere outside of RDO, and being able to 
add it for an external deployment managed by tripleo. My 2c.


[0] https://github.com/kubernetes-incubator/kubespray
[1] https://www.rdoproject.org/documentation/add-packages/
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1482524

available and packaged in RDO. I'll then look into the actual TripleO 
composable service.


Any input and contributions are welcome!

[1] https://github.com/JAORMX/tripleo-ipsec

--
Juan Antonio Osorio R.
e-mail: jaosor...@gmail.com 


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




--
Best regards,
Bogdan Dobrelya,
Irc #bogdando

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [TripleO] IPSEC integration

[Juan Antonio Osorio]

Hello folks!

A few months ago Dan Sneddon and me worked in an ansible role that would
enable IPSEC for the overcloud [1]. Currently, one would run it as an extra
step after the overcloud deployment. But, I would like to start integrating
it to TripleO itself, making it another option, probably as a composable
service.

For this, I'm planning to move the tripleo-ipsec ansible role repository
under the TripleO umbrella. Would that be fine with everyone? Or should I
add this ansible role as part of another repository? After that's available
and packaged in RDO. I'll then look into the actual TripleO composable
service.

Any input and contributions are welcome!

[1] https://github.com/JAORMX/tripleo-ipsec

-- 
Juan Antonio Osorio R.
e-mail: jaosor...@gmail.com
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev