Real applications delivered on top of clouds need to deal with
cross-site operability in multi-cloud and hybrid cloud environments, as
well as interact with different layers of services such as OpenStack and
Kubernetes. OpenStack hasn't always made it as easy as it should be to
deliver complex applications that cross all of these boundaries.
In this talk, we'll describe recent progress in making it easier to
develop applications against the OpenStack API and deploy them across
cloud and service boundaries, and show you how to use the new features.
Then we'll preview work that is currently in progress, and discuss
potential future directions for better integration across sites and
between OpenStack and other tools.
3. An Application Developer
● Who cares about real use cases that cross nodes, clusters, and even platforms
● Who needs to stay awake for 24 hours whenever a service is added or upgraded
● Who has to care about multiple projects
● Who will always be the one called when the environment fails
● And a lot more inside the application itself...
4. Where it needs to be improved
● Cross Community Integration
● Cross Project Integration
● Cross Site/Platform Integration
● Community Improvement
● Upgrade
5. Are we there yet?!
Are we there yet?!
Are we there yet?!
Are we there yet?!
6. Not yet, my little Smurfs!
But here are some things we started
7. Application Credentials
clouds:
  openstack:
    auth:
      auth_url: https://cloud.example.com/identity/v3
      username: "Rico"
      user_domain_name: "openstack.de"
      application_credential_name: "volume_backups_001"
      application_credential_secret: "{Credential Secret}"
    region_name: "RegionOne"
    interface: "public"
    identity_api_version: 3
    auth_type: "v3applicationcredential"
Cross Site/Platform Integration
An application credential is a scoped auth method
that a user creates to delegate a subset of their role
assignments on a single project to something else -
whoever or whatever possesses knowledge of the
identifier and the secret belonging to the application
credential.
● Has its own secret
● Can only access one project, no matter how
many projects the user is in
● Can have all or a subset of the roles the user
has on that project
● Is user-lived - when the user is deleted, the app
credential dies
● User can have many
9. Nova instance credentials
Cross Project Integration
Once we are able to lock down application credentials to particular
capabilities, it would be useful to automatically assign a set of these
credentials to a Nova server so that the application running on it can use
them to access the cloud. Depending on where the server gets its
metadata from, it should even be possible to regularly rotate the
credentials so that a temporary breach of the server doesn’t necessarily
result in ongoing access.
10. Pre-signed URLs
Several services in OpenStack make use of pre-signed URLs that can be
given to applications to allow them limited access only to resources
explicitly specified by the user. Examples include reading and writing data
in Swift (requires the TempURL middleware), or sending and receiving
messages in Zaqar. You can both limit the type of access (e.g. read-only
or write-only) and the duration for which it is valid. Heat also makes use
of pre-signed URLs in some circumstances to allow workloads to
communicate status back to it.
Cross Project Integration
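The Swift TempURL mechanism described above, as an added example that is not code from the talk or from Swift itself: the signer produces a URL bound to one HTTP method, one object path and one expiry time, and the verifier repeats the check the TempURL middleware performs on the server side, including acceptance of a second key so the account key can be rotated without breaking URLs already handed out. The key values and the object path are constructed for the example.

```python
"""Swift TempURL: sign a URL for one method on one object until an expiry,
and verify it the way the middleware does. Added example, not from the talk."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values (not a real account or key).
# Swift reads up to two keys from the account (or container):
# X-Account-Meta-Temp-URL-Key and X-Account-Meta-Temp-URL-Key-2, so a key
# can be rotated without invalidating URLs that are still in flight.
TEMP_URL_KEYS = ["current-key-6f3a", "previous-key-91c2"]
OBJECT_PATH = "/v1/AUTH_backups/volume-backups/db-2018-05-20.tar"


def sign_temp_url(key, method, path, ttl_seconds, now=None):
    """Return path?temp_url_sig=...&temp_url_expires=... bound to one method."""
    expires = (int(time.time()) if now is None else now) + ttl_seconds
    # Swift's HMAC body is exactly "METHOD\nEXPIRES\nPATH" (path includes
    # /v1/AUTH_<account>/<container>/<object>); the default digest is SHA-1.
    hmac_body = f"{method.upper()}\n{expires}\n{path}".encode()
    sig = hmac.new(key.encode(), hmac_body, hashlib.sha1).hexdigest()
    query = urlencode({"temp_url_sig": sig, "temp_url_expires": expires})
    return f"{path}?{query}"


def verify_temp_url(keys, method, url, now=None):
    """Server-side check: not expired, and the signature over the *requested*
    method and path matches one of the account keys. Any change to the method,
    the path or the expiry invalidates the signature."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        sig = params["temp_url_sig"][0]
        expires = int(params["temp_url_expires"][0])
    except (KeyError, ValueError, IndexError):
        return False
    current = int(time.time()) if now is None else now
    if expires <= current:
        return False
    hmac_body = f"{method.upper()}\n{expires}\n{parsed.path}".encode()
    for key in keys:
        expected = hmac.new(key.encode(), hmac_body, hashlib.sha1).hexdigest()
        if hmac.compare_digest(expected, sig):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    # A read-only URL for an application that must only download the backup.
    url = sign_temp_url(TEMP_URL_KEYS[0], "GET", OBJECT_PATH, ttl_seconds=600)
    print(url)
    print("GET:", verify_temp_url(TEMP_URL_KEYS, "GET", url))  # True
    print("PUT:", verify_temp_url(TEMP_URL_KEYS, "PUT", url))  # False
```

Because the method is part of the signed body, a GET-only URL cannot be replayed as a PUT, and because the full object path is signed, it cannot be pointed at a neighbouring object. SHA-1 is shown because it is the format every Swift release understands; newer Swift releases also accept SHA-256 and SHA-512 signatures, and those should be preferred where the cluster allows them.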
11. Self-healing with Heat
Cross Project Integration
(Diagram: a Heat stack in which XXX::Server, XXX::Alarm, XXX::Signal and XXX::Workflow resources form a loop: Meter -> Signal -> Trigger -> Fix. The open questions on the slide: What is a meter to you? How do you do the metering? How do you handle the signal? How do you trigger a fix job?)
13. Vision for OpenStack Clouds
TC is working with the community to produce a vision
document that will help guide future development of
OpenStack. The document defines giving applications
control over their own infrastructure as one of the
pillars of cloud computing that sets it apart from earlier
models.
Community Improvement
14. Expose SIGs and WGs
Community Improvement
(Diagram. Current: a scenario (story) is split into tasks that go separately to the Project A, Project B and Project C teams. Proposed: the scenario is exposed through SIGs/WGs, which then hand the tasks to the Project A, Project B and Project C teams.)
15. Multi-Cloud Orchestration (Stack2Stack)
Cross Site/Platform Integration
(Diagram: a stack on OpenStack site A creates a nested stack on OpenStack site B.)
resources:
  app_stack_at_site_B:
    type: OS::Heat::Stack
    properties:
      context:
        credential_secret_id: {Barbican Secret ID}

openstack secret store -n site-b-cred --payload '{
  "auth_type": "v3applicationcredential",
  "auth": {
    "auth_url": "URL",
    "application_credential_id": "Credential ID",
    "application_credential_secret": "sec"
  },
  "roles": ["admin"],
  "project_id": "Project_ID"
}'
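An added example that serves both the application-credential slides (7 and 8) and the Stack2Stack slide above; it is not code from the talk, Keystone or Heat. From one clouds.yaml-style entry in the shape of slide 7 it builds the Keystone v3 token request that an application credential authenticates with, and the JSON document that slide 15 stores in Barbican for the `credential_secret_id` of `OS::Heat::Stack`. The validation catches the mistakes a practitioner actually makes with these entries (looking a credential up by name without identifying the user, adding a password or project scope, sending the secret over plain http). The cloud entry and every value in it are constructed placeholders; including `roles` and `project_id` in the Barbican payload follows slide 15 and is an assumption about what Heat tolerates.

```python
"""From one clouds.yaml-style application-credential entry, build (a) the
Keystone v3 token request the credential authenticates with and (b) the JSON
document slide 15 stores in Barbican for OS::Heat::Stack's
context.credential_secret_id. Added example, not the talk's code."""
import json

# Constructed entry in the shape of slide 7; every value is a placeholder.
SITE_B_CLOUD = {
    "auth_type": "v3applicationcredential",
    "auth": {
        "auth_url": "https://site-b.example.com/identity/v3",
        "username": "Rico",
        "user_domain_name": "openstack.de",
        "application_credential_name": "volume_backups_001",
        "application_credential_secret": "REPLACE-WITH-THE-SECRET",
    },
    "region_name": "RegionOne",
    "interface": "public",
    "identity_api_version": 3,
}


def validate_app_cred_entry(cloud):
    """Return configuration problems to catch before the entry is shipped to
    a server or stored in Barbican; an empty list means the entry is usable."""
    errors = []
    if cloud.get("auth_type") != "v3applicationcredential":
        errors.append("auth_type must be v3applicationcredential")
    auth = cloud.get("auth") or {}
    if not str(auth.get("auth_url", "")).startswith("https://"):
        errors.append("auth_url must be https: the secret travels in the request body")
    if not auth.get("application_credential_secret"):
        errors.append("application_credential_secret is required")
    has_id = bool(auth.get("application_credential_id"))
    has_name = bool(auth.get("application_credential_name"))
    if has_id == has_name:
        errors.append("give exactly one of application_credential_id / application_credential_name")
    by_user = auth.get("user_id") or (
        auth.get("username") and (auth.get("user_domain_name") or auth.get("user_domain_id")))
    if has_name and not by_user:
        errors.append("lookup by name needs user_id, or username plus user_domain_name/user_domain_id")
    for key in ("password", "project_id", "project_name"):
        if key in auth:
            errors.append(f"{key} does not belong here: scope comes from the credential itself")
    return errors


def keystone_auth_body(cloud):
    """Body for POST /v3/auth/tokens. Deliberately no 'scope' block: an
    application credential is already bound to exactly one project."""
    errors = validate_app_cred_entry(cloud)
    if errors:
        raise ValueError("; ".join(errors))
    auth = cloud["auth"]
    cred = {"secret": auth["application_credential_secret"]}
    if auth.get("application_credential_id"):
        cred["id"] = auth["application_credential_id"]
    else:
        # Names are only unique per user, so the user must be identified too.
        cred["name"] = auth["application_credential_name"]
        if auth.get("user_id"):
            cred["user"] = {"id": auth["user_id"]}
        elif auth.get("user_domain_name"):
            cred["user"] = {"name": auth["username"], "domain": {"name": auth["user_domain_name"]}}
        else:
            cred["user"] = {"name": auth["username"], "domain": {"id": auth["user_domain_id"]}}
    return {"auth": {"identity": {"methods": ["application_credential"],
                                  "application_credential": cred}}}


def heat_remote_context_payload(cloud, roles=None, project_id=None):
    """Dict to serialise and pass to `openstack secret store --payload`.
    Only auth_type and the validated auth block are copied, so a password
    entry can never leak into the remote-site secret by accident. `roles`
    and `project_id` are added only because slide 15 shows them (assumption:
    Heat tolerates them; the credential itself fixes the real scope)."""
    errors = validate_app_cred_entry(cloud)
    if errors:
        raise ValueError("; ".join(errors))
    payload = {"auth_type": "v3applicationcredential", "auth": dict(cloud["auth"])}
    if roles is not None:
        payload["roles"] = list(roles)
    if project_id is not None:
        payload["project_id"] = project_id
    return payload


if __name__ == "__main__":
    print("Keystone request:")
    print(json.dumps(keystone_auth_body(SITE_B_CLOUD), indent=2))
    print("Barbican payload for OS::Heat::Stack context:")
    print(json.dumps(heat_remote_context_payload(SITE_B_CLOUD), indent=2))
```

The secret itself belongs in Barbican on site A, never in the Heat template or its parameters; the `credential_secret_id` in the template only names it. When the credential is rotated, store the new payload as a new Barbican secret, update the stack to reference it, and delete the old application credential on site B only after the stack update has succeeded.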
16. K8s Cluster Autoscaling on OpenStack
Cross Community Integration
(Diagram. Kubernetes side: Nodes running Pods, with the Kubernetes Autoscaler. OpenStack side: Magnum, with Heat ResourceGroups of Instances that run the K8s nodes.)