https://github.com/Open-SFC
Even though the Open-SFC project is for "Service Function Chaining", it has one feature called "Configuration relay" that is a very useful generic feature.
The OpenStack Neutron advanced services project provides configuration support for a few network services; VPN-as-a-Service, Firewall-as-a-Service and LB-as-a-Service are a few examples. These services provide RESTful APIs for IPsec VPN, stateful firewall and load balancers. They also follow a similar "plugins" and "agents" paradigm. Plugins implement the RESTful API and store the configuration in the database. The plugins also send the configuration to the agents. Today the agents run in the "Network Nodes", where they receive the configuration from the plugin and configure local services such as strongSwan, iptables and HAProxy. Here, the network nodes are reachable from the OpenStack controller, and hence plugin drivers and agents can communicate with each other (via AMQP).
In the recent past, many network services are being implemented as vNFs. With distributed security and end-to-end security becoming the norm, network security services (such as firewall and IPsec VPN) are embedded within the application VMs. In these cases, the advanced-network-service agents need to run in these virtual machines. But there is an issue of communication reachability between plugin drivers and agents: virtual machines are on the data network and controller nodes are in the management network. For isolation/security reasons, virtual machines are normally not allowed to send traffic to or receive traffic from the management network directly.
Configuration relay is expected to mitigate this issue. It is expected to run on each compute node, in the VMM/hypervisor. Since the VMM is reachable from the controllers, this relay in the VMM becomes a conduit (just for configuration) between the network service plugin drivers and the agents in the local virtual machines.
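A sketch of the "just for configuration" conduit described above, as an added example and not Open-SFC's own code: the relay forwards only configuration pushes for known services to a known VM channel and drops everything else. The length-prefixed JSON framing, the field names (`type`, `service`, `vm_id`, `config`) and the size limit are assumptions, and a `socketpair` stands in for the two ends of a virtio-serial port.

```python
import json
import socket
import struct

# Assumed wire format (not Open-SFC's): 4-byte big-endian length + JSON body.
ALLOWED_SERVICES = {"vpn", "firewall", "lb"}  # the services the post names
MAX_FRAME = 64 * 1024                         # constructed size limit

def encode_frame(msg):
    body = json.dumps(msg, separators=(",", ":")).encode()
    if len(body) > MAX_FRAME:
        raise ValueError("frame too large")
    return struct.pack(">I", len(body)) + body

def read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("channel closed mid-frame")
        buf += chunk
    return buf

def read_frame(sock):
    # Guest-side read: check the declared length before allocating for it.
    (length,) = struct.unpack(">I", read_exact(sock, 4))
    if length > MAX_FRAME:
        raise ValueError("oversized frame")
    return json.loads(read_exact(sock, length))

def relay_to_vm(msg, vm_channels):
    """Forward one plugin-driver message to the target VM's channel.
    Returns False, forwarding nothing, unless it is a config push
    for an allowed service and a VM that has a channel on this host."""
    if msg.get("type") != "config" or msg.get("service") not in ALLOWED_SERVICES:
        return False
    chan = vm_channels.get(msg.get("vm_id"))
    if chan is None:
        return False
    # Re-encode only the fields the agent needs; extra fields are not passed on.
    chan.sendall(encode_frame({"service": msg["service"],
                               "config": msg.get("config", {})}))
    return True

def demo():
    host_end, guest_end = socket.socketpair()  # stand-in for a virtio-serial port
    channels = {"vm-1": host_end}              # constructed VM id
    rule = {"rules": [{"action": "allow", "port": 443}]}
    ok = relay_to_vm({"type": "config", "service": "firewall",
                      "vm_id": "vm-1", "config": rule}, channels)
    received = read_frame(guest_end)
    not_config = relay_to_vm({"type": "exec", "service": "firewall", "vm_id": "vm-1"}, channels)
    unknown_vm = relay_to_vm({"type": "config", "service": "vpn", "vm_id": "vm-9"}, channels)
    host_end.close(); guest_end.close()
    return ok, received, not_config, unknown_vm
```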
I will post more information on how this relay works technically. But the following repositories/directories have the source code.
FSL_NOVA_SerialPort_Patch in https://github.com/Open-SFC/nova is a patch to the nova portion of the compute node. This patch allows creation of a virtio-serial port (to allow communication between the local virtual machine and the configuration relay) via libvirtd and QEMU.
crd_relay_agent.py and remote_control.py in https://github.com/Open-SFC/nscs/tree/master/nscs/crd_relay_agent are a small service in the compute node that enables the configuration relay.
Example program in the vNF that communicates with the relay to get hold of the configuration: https://github.com/Open-SFC/nscs/tree/master/nscs/vNF_cfg_daemon (Based on a comment posted by Srikanth)
Thanks
Srini