On 2018-03-30 11:27:25 +0900 (+0900), Bernd Bausch wrote:
[...]
> Regarding the hiera: That makes sense to me. Certificates count as
> private data, I guess.
[...]

To be fair, certificates and chains are public data published from the servers onto which they're installed. The reason they're in hiera is mostly out of laziness/convenience since we _do_ need to keep the corresponding keys private, and if we replace the keys we need to replace the certs at the exact same time. The inherent asynchronicity we'd end up with by splitting them between private hiera on our management system and public hiera through code review would make that task much harder.

-- 
Jeremy Stanley
_______________________________________________
OpenStack-Infra mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
