-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve tls certificate documentation #644
base: main
Are you sure you want to change the base?
Conversation
It is very important that important decisions are made at the beginning in connection with | ||
TLS encryption and domains, as these decisions are very difficult to change at a later | ||
date or can only be changed at great expense. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is a good warning, but we should follow up with which decisions exactly are important and why they can't be changed easily later on.
Without this information the reader is a little bit lost imho.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right, the sentence is very generic.
I've tried to describe it a little differently - maybe it's better this way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need to spell out which settings exactly are hard to change later on.
Rereading this I'm actually not so sure what value this does bring. Maybe we could add a generic warning, which really isn't specific to TLS imho, that if you want to do sweeping changes to your Cloudconfiguration, e.g. when testing things, building an evaluation lab etc. you are way better off always to reprovision from scratch your complete cloud. E.g. if you decide in the middle of the cloud install to switch to let's encrypt, or change your cinder backend I wouldn't bet my life on it that everything is properly cleaned up by neither kolla, nor osism. These are - at it's core - configuration management tools, which have trouble tracking current state. These are not infrastructure as code tools such as Terraform, which do track state. So there is always the need in ansible to write dedicated cleanup tasks, if you want to purge/remove something. This also assumes that you can just reconfigure any deployed openstack service on the fly, when these store some settings also persisted in databases, which also might not be as easily available to outside changes, even if you would use something like terraform. The result of all these constraints is, that you usually figure out a working deployment setup, with all your tested settings in git, and then deploy that once. It's relatively smooth to upgrade this then, and with care, you also can introduce changes, but sometimes you need to do manual cleanups, given the above constraints. So in general I would put this up as a warning. A Cloud Infrastructure isn't something where you can easily rip out parts and just replace them with something else. That's even the case if you run everything inside k8s openstack-operators instead of ansible, as these are usually also full of assumptions on what a "supported" configuration looks like. In practice, this often means only one or two knobs are actually configurable by the end user and the rest is enforced via the operators code, which can't be easily changed as well. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See my global comment.
I don't think a detailed warning in the loadbalancer guide makes sense. This is a rather global feature about how cloud provisioning works in general.
So we could add a global warning to make large changes with care and that they might require manual cleanup.
Thanks
I agree with you in general. Actually, it would be better to bundle such things in a kind of “pre-installation checklist” and provide information on this topic. As a result of a small pilot project that I have with a prospective scs-user of the public sector, I recently started writing something like this. However, it is still in a very very early and very immature stage and I am very happy to receive ideas and contributions. Nevertheless, I also think it is important to describe this here, because there are specific references to the configuration of domains and certificates (we don't always know which path a user takes or whether the user is aware that information is provided elsewhere). I rephrased the last state a bit to make it better understandable/readable. I also added a new documentation section for Let's encrypt based on the kolla-ansible documentation. |
Signed-off-by: Marc Schöchlin <schoechlin@osb-alliance.com>
ff02dda
to
7cfbbbc
Compare
No description provided.