Hi folks,
I think I've raised this topic in the past, but I believe it won't hurt to reiterate and maybe come to a final agreement. TL;DR ironic-image is a mess, and I would like to dramatically simplify it.
There are several ways to deploy Ironic now:
1) Without TLS: just Ironic
2) With or without TLS: Ironic API under mod_wsgi + Conductor via RPC
3) With TLS: TLS via httpd + Ironic via localhost and a private port
4) With TLS: TLS via httpd + Ironic via a unix socket
I want to drop 2 and 3. The mod_wsgi approach was never a good choice for us (its RAM impact alone is very unfortunate), we just did not have anything better until the all-in-one executable. JSON RPC cannot be run as WSGI anyway.
As to unix sockets, we have run with them in OpenShift for a couple of releases already without any issues. I find allocating a private port for the metal3 pod annoying, especially since it runs with host networking (so this port may conflict with anything on control plane nodes). I've recently added unix socket support to JSON RPC, so we can now use the same approach to TLS there.
The end result I'd like to see is:
1) No TLS - just all-in-one Ironic (and the RPC if needed).
2) TLS - Ironic (and its RPC if needed) on a unix socket, httpd as a frontend.
Does anyone have any use cases I'm missing? Any opinions? If you agree, how do we approach the deprecation process?
Dmitry
P.S.
This conversation only affects operators that use ironic-image.
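
A sketch of the TLS layout the message proposes keeping (httpd as the TLS frontend, Ironic on a unix socket), added here as an illustration and not taken from ironic-image or from the message. The socket path, certificate paths and the listening port are assumptions; the Ironic side is assumed to use the `[api]` options `unix_socket` and `unix_socket_mode`.

```apache
# Illustrative httpd frontend for Ironic behind a unix socket (added example).
# Requires mod_ssl, mod_proxy and mod_proxy_http.
#
# Assumed backend settings in ironic.conf (paths are placeholders):
#   [api]
#   unix_socket = /run/ironic/ironic.sock
#   unix_socket_mode = 0660
# With a socket there is no private TCP port to allocate, so nothing can
# collide with other listeners on a host-networked control plane node, and
# access to the plaintext backend is governed by the socket's file mode
# and ownership instead of by "anything that can reach 127.0.0.1".

# 6385 is the usual Ironic API port; treated as an assumption here.
Listen 6385 https

<VirtualHost *:6385>
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # Placeholder certificate locations.
    SSLCertificateFile    /certs/ironic/tls.crt
    SSLCertificateKeyFile /certs/ironic/tls.key

    # Forward every request to the backend over the unix socket.
    # The URL after "|" only selects the HTTP scheme; no TCP connection
    # to 127.0.0.1 is made.
    ProxyPass        "/" "unix:/run/ironic/ironic.sock|http://127.0.0.1/"
    ProxyPassReverse "/" "http://127.0.0.1/"
    ProxyPreserveHost On
</VirtualHost>
```

The httpd worker user must be in the group that owns the socket for mode 0660 to work; keeping the socket directory unreadable to other users limits who can reach the unencrypted API.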