NTTLimitedRD / plumbery

Cloud automation at Dimension Data with Apache Libcloud
Apache License 2.0

allow temporary internet exposure during configuration #53

Open bernard357 opened 7 years ago

bernard357 commented 7 years ago

When plumbery has to apply a cloud-init configuration to a node, it relies on SSH access to target nodes. For this the statement internet: icmp 22 is commonly applied, so that plumbery adds a public IPv4 address, assigns it to the node, adds a NAT rule, and adds some firewall rules. When this is done in combination with password-less SSH access to nodes, the resulting deployment is really strong.

While this way of working is really well-aligned with best practices for public cloud, we have a growing number of enterprise clients that are not ready to expose their workloads permanently to the Internet.

In such cases, plumbery can be run from within the MCP itself, in a separate small server dedicated to the job. However, this means some overhead and additional costs to deploy the plumbery machine itself.

Clients have suggested that they would prefer the following trade-off: run plumbery from their own environment, but expose servers to the public Internet only during the configuration phases. In other terms, plumbery will do everything it is doing today, but destroy firewall rules and NAT towards the end of the process.

Some new directive is required so that this new use case is supported adequately.

bernard357 commented 7 years ago

The principle for this implementation has been to avoid another directive. For people who want plumbery to assign public IP addresses temporarily, the trick is to change the ipv4: auto directive to ipv4: transient at the domain level. This will be part of the next release of plumbery.
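To show where the directive sits, here is an added example of a plumbery fittings file (not taken from the issue or from the project's own documentation). The domain name, VLAN name, subnet, node name, location and region values are assumed; only the ipv4: transient directive and the internet icmp 22 glue come from the thread.

```yaml
---
# Assumed location and region identifiers (example values only)
locationId: EU6
regionId: dd-eu

blueprints:

  - webTier:
      domain:
        name: ExampleDomain          # assumed name
        # ipv4: auto   would keep the public address, NAT rule and
        #              firewall rules in place after deployment.
        # ipv4: transient keeps them only while plumbery configures
        #              the node, then removes NAT and firewall rules
        #              at the end of the run, as described in the issue.
        ipv4: transient
      ethernet:
        name: ExampleVLAN            # assumed name
        subnet: 10.1.10.0            # assumed private subnet
      nodes:
        - web01:                     # assumed node name
            # Public exposure requested for the configuration phase:
            # ICMP plus TCP 22, so plumbery can reach the node over SSH.
            glue:
              - internet icmp 22
            cloud-config:
              packages:
                - ntp
```

With ipv4: transient, nothing about the node's configuration changes; only the lifetime of the public exposure does, so a second run of plumbery that needs SSH will re-open the rules for the duration of that run.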

bernard357 commented 7 years ago

This has been integrated into the new PyPI release of plumbery.

pip install plumbery --upgrade
python -m plumbery -v

The last command should display 17.5.22, which is the label of the new version.