Nick | Message | Time |
---|---|---|
damiandabrowski | morning | 07:54 |
damiandabrowski | jrosser: I think it should be considered as a limitation of standalone backend | 07:55 |
jrosser | you mean we can't improve it? | 07:56 |
jrosser | and i'm also quite confused about your comment here https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269/2/defaults/main.yml#386 | 07:56 |
damiandabrowski | if standalone backend allowed to combine cert types as hashi_vault backend does, we wouldn't need tasks like this: | 07:57 |
jrosser | is it really true that most of our roles use a certificate and ca bundle in the same file | 07:57 |
damiandabrowski | https://opendev.org/openstack/ansible-role-zookeeper/src/branch/master/handlers/main.yml#L16 | 07:57 |
jrosser | i'm just suggesting that we could fix that | 07:57 |
jrosser | and make the features of the standalone backend be better aligned with what the vault one can do | 07:58 |
jrosser | then the changes required for the vault backend will be smaller | 07:58 |
jrosser | if we can come up with a consistent set of things for `type` then a bunch of tidying up could be done | 07:58 |
noonedeadpunk | ++ that would be an awesome thing to do | 08:01 |
damiandabrowski | i think it may be possible to fix it for standalone backend, I just wonder if we should do this before merging hashi_vault backend or do this as a follow up | 08:01 |
noonedeadpunk | If this removes complexity for the hashi backend - then better to do before | 08:02 |
noonedeadpunk | and not introduce something we don't need | 08:02 |
jrosser | imho the hashi_vault backend patches are currently carrying a lot of workarounds for the current state of the PKI role | 08:02 |
jrosser | and i give the example of glance here https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 | 08:02 |
jrosser | with maybe just fixing this `type` thing and agreeing on the names, it could be that actually no change at all is needed in os_glance with 954269 to make it compatible with the vault backend | 08:03 |
jrosser | just a group_var setting to enable it | 08:03 |
damiandabrowski | maybe you're right, i'll look into this | 08:06 |
damiandabrowski | coming back to your question if we really put certificate and ca bundle in the same file for most of the roles | 08:07 |
damiandabrowski | yes, i'm pretty sure we do (when backend tls is enabled) | 08:07 |
damiandabrowski | https://opendev.org/openstack/ansible-role-pki/src/branch/master/tasks/standalone/create_cert.yml#L82 | 08:07 |
damiandabrowski | so "*-chain.crt" files contain cert + ca_bundle | 08:08 |
damiandabrowski | and we have quite a lot of references to them :D | 08:09 |
damiandabrowski | https://paste.opendev.org/show/bMlyUJHGexLjzEiumubs/ | 08:09 |
jrosser | ok cool that's fine | 08:29 |
jrosser | sounds like good reason to align these things a bit more | 08:29 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Do not disable configure_mirrors extra repos for debian https://review.opendev.org/c/openstack/openstack-ansible/+/954316 | 08:37 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Use 'name' to specify SSL certificates to the PKI role https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 | 08:38 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Use 'name' to specify SSL certificates to the PKI role https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 | 09:09 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Switch cinderstore job to noble https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954320 | 09:09 |
jrosser | i think there might be some systematic brokenness for debian-bookworm on 2024.1 | 09:15 |
opendevreview | Merged openstack/openstack-ansible-plugins master: Add retry logic to improve reliability https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/953937 | 09:17 |
noonedeadpunk | I could assume it's that, if not jammy was explicitly in condition: https://opendev.org/openstack/openstack-ansible/src/branch/stable/2024.1/zuul.d/playbooks/pre-gate-cleanup.yml#L21-L27 | 09:19 |
jrosser | unfortunately we don't seem to gather any /etc/ for those jobs that are failing | 09:26 |
jrosser | i never really did understand why that happens | 09:26 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Use 'name' to specify SSL certificates to the PKI role https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 | 09:27 |
opendevreview | Jonathan Rosser proposed openstack/ansible-role-pki master: Add python3-setuptools for redhat-10 based distros. https://review.opendev.org/c/openstack/ansible-role-pki/+/954213 | 09:30 |
opendevreview | Jonathan Rosser proposed openstack/ansible-role-pki master: Allow certificates to be installed by specifying them by name https://review.opendev.org/c/openstack/ansible-role-pki/+/954239 | 09:30 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Switch cinderstore job to noble https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954320 | 09:53 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Use 'name' to specify SSL certificates to the PKI role https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 | 09:53 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Use 'name' to specify SSL certificates to the PKI role https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 | 10:52 |
jrosser | argh i am out of practice with this | 10:52 |
jrosser | maybe we need this all down the stable branches https://review.opendev.org/c/openstack/openstack-ansible/+/954316 | 10:53 |
noonedeadpunk | I'd try it on 2024.1 tbh just in case | 11:37 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/2024.1: Do not disable configure_mirrors extra repos for debian https://review.opendev.org/c/openstack/openstack-ansible/+/954339 | 13:54 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Use 'name' to specify SSL certificates to the PKI role https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 | 14:40 |
anfimovir | hello ;) | 15:00 |
noonedeadpunk | #startmeeting openstack_ansible_meeting | 15:00 |
opendevmeet | Meeting started Tue Jul 8 15:00:11 2025 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
opendevmeet | The meeting name has been set to 'openstack_ansible_meeting' | 15:00 |
noonedeadpunk | #topic rollcall | 15:00 |
noonedeadpunk | o/ hey there | 15:00 |
damiandabrowski | hi! | 15:00 |
jrosser | o/ hello | 15:03 |
noonedeadpunk | #topic office hours | 15:05 |
noonedeadpunk | I want to start with ongoing things | 15:06 |
noonedeadpunk | and specifically adding hashi vault driver to PKI role | 15:07 |
noonedeadpunk | there was a good amount of feedback provided recently both in reviews and IRC. | 15:07 |
NeilHanlon | o/ | 15:08 |
noonedeadpunk | damiandabrowski: do you wanna raise some discussion now to get unblocked on doing changes for the topic? | 15:08 |
damiandabrowski | maybe just to clarify: my main goal now is to try to get rid of the variables passed to the hashi_vault backend right? | 15:09 |
damiandabrowski | it would require improving standalone backend, to accept type as a list (the same way as hashi_vault backend does) | 15:10 |
jrosser | are we sure that a list is necessary? | 15:10 |
jrosser | there are only a well defined number of outputs that we need to write | 15:11 |
damiandabrowski | It's not strictly necessary, though it can be helpful. | 15:12 |
damiandabrowski | adding support for a list, would allow us to drop handlers like this: https://opendev.org/openstack/ansible-role-zookeeper/src/branch/master/handlers/main.yml#L16 | 15:12 |
jrosser | well | 15:13 |
damiandabrowski | but I don't insist, as I said, it's not strictly necessary. | 15:13 |
jrosser | what we need is some `type` that defines cert + ca chain, be that a list or a constant | 15:14 |
noonedeadpunk | to be frank, zookeeper looks like being a bit special here (as a java app) | 15:14 |
noonedeadpunk | as it has a different order of cert/ca | 15:14 |
jrosser | i think there are a few examples like that, maybe octavia, neutron (ovn) | 15:14 |
jrosser | anyway, i think this is one of the key things to define | 15:17 |
noonedeadpunk | ok, then the next thing was refactoring of aio bootstrap | 15:20 |
damiandabrowski | and jrosser is working on a feature that would allow us to get rid of "cert" parameter for hashi_vault backend and stick just to `name` that would be accepted by both backends | 15:21 |
noonedeadpunk | and I think we agreed on a proxy approach to resolve chicken-egg situation with proxy? | 15:21 |
noonedeadpunk | jrosser: are you working on this or just pushed an example of how to do that for picking this up? | 15:22 |
jrosser | which one? :) | 15:22 |
noonedeadpunk | https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 | 15:23 |
damiandabrowski | i was referring to: https://review.opendev.org/c/openstack/ansible-role-pki/+/954239 | 15:23 |
noonedeadpunk | yeah, glance one depending on PKI | 15:23 |
jrosser | ok sure yes - though this does need us to decide what to do with `type`, as i think i already don't quite use the same names as the vault patches (just needs unifying) | 15:24 |
jrosser | and also figuring out the allowed values/format for `type` and implementing anything missing in the standalone backend | 15:24 |
damiandabrowski | I think I can align hashi_vault plugin to the already existing types | 15:25 |
damiandabrowski | by applying these mappings I mentioned somewhere in gerrit | 15:25 |
noonedeadpunk | I guess it's type vs backend now, right? | 15:25 |
noonedeadpunk | or well | 15:26 |
noonedeadpunk | it's different | 15:26 |
jrosser | we don't have a spec for this so do we need at least an etherpad? | 15:26 |
noonedeadpunk | Let's start using this one? | 15:27 |
noonedeadpunk | #link https://etherpad.opendev.org/p/osa-pki-multiple-backends | 15:27 |
jrosser | i have a number of other minor patches to get the CI working again around this which could be reviewed now | 15:27 |
damiandabrowski | yeah, etherpad would be useful. I didn't prepare spec because I thought that adding new backend would be relatively simple | 15:28 |
damiandabrowski | (I was so wrong :D ) | 15:28 |
noonedeadpunk | Yes, Debian CI is broken now due to backport repos | 15:29 |
noonedeadpunk | so this patch seemingly fixes it even before change to infra is merged | 15:29 |
noonedeadpunk | #link https://review.opendev.org/c/openstack/openstack-ansible/+/954316 | 15:29 |
noonedeadpunk | ok, I added etherpad to the list: https://wiki.openstack.org/wiki/OpenStack-Ansible#Etherpads | 15:36 |
noonedeadpunk | so we won't lose it | 15:36 |
noonedeadpunk | ok, what else do we have on the table right now? | 15:37 |
noonedeadpunk | Adding EL10 CI I guess... | 15:38 |
NeilHanlon | yeah.. i need to come up with a plan for systemd-networkd | 15:38 |
noonedeadpunk | And I don't have any updates on image availability in CI | 15:38 |
noonedeadpunk | and this ofc ^ | 15:38 |
NeilHanlon | which is probably just going to be building it in SIG/Cloud or something for Rocky.. idk... | 15:38 |
noonedeadpunk | it seems that overall there're more and more things that are (un)intentionally broken | 15:39 |
NeilHanlon | yeah | 15:39 |
noonedeadpunk | I wonder if nobody just needs networkd in RHEL | 15:39 |
NeilHanlon | i don't get what RDO folks are doing here tbh | 15:39 |
noonedeadpunk | and then ceph | 15:39 |
noonedeadpunk | and then many more things... | 15:40 |
NeilHanlon | yeah.. ceph at least I have a plan on already | 15:40 |
NeilHanlon | we'll have it in SIG/Storage in rocky | 15:40 |
NeilHanlon | what version do we need, btw? | 15:40 |
noonedeadpunk | NeilHanlon: btw, was there any progress with building LXC for EPEL? As I guess it's around time for the second ping in there? | 15:40 |
noonedeadpunk | reef? | 15:40 |
NeilHanlon | roger on reef | 15:40 |
NeilHanlon | and yeah i probably do need to ping | 15:40 |
NeilHanlon | did the reply and set myself a reminder for 2 weeks | 15:41 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_skyline master: Ensure u-c are used for Skyline installation https://review.opendev.org/c/openstack/openstack-ansible-os_skyline/+/954166 | 15:42 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_skyline stable/2025.1: Ensure u-c are used for Skyline installation https://review.opendev.org/c/openstack/openstack-ansible-os_skyline/+/954355 | 15:43 |
noonedeadpunk | NeilHanlon: regarding Ceph it also was about EL9 even | 15:45 |
noonedeadpunk | #link https://answers.launchpad.net/openstack-ansible/+question/821901 | 15:45 |
NeilHanlon | yep yep | 15:45 |
NeilHanlon | we should be able to do r9 really easily, i just need to get out of my own way | 15:45 |
noonedeadpunk | it's not always that easy | 15:45 |
noonedeadpunk | ok, awesome, anything else? | 15:46 |
NeilHanlon | not from me.. though, on a personal note, I am currently open for employment opportunities, if anyone has any tips to jobs (contract or otherwise), I'd appreciate it! :) | 15:46 |
noonedeadpunk | ++ | 15:48 |
noonedeadpunk | ok then, will end the meeting a bit early then :) | 15:49 |
noonedeadpunk | #endmeeting | 15:49 |
opendevmeet | Meeting ended Tue Jul 8 15:49:17 2025 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:49 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2025/openstack_ansible_meeting.2025-07-08-15.00.html | 15:49 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2025/openstack_ansible_meeting.2025-07-08-15.00.txt | 15:49 |
opendevmeet | Log: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2025/openstack_ansible_meeting.2025-07-08-15.00.log.html | 15:49 |
jrosser | noonedeadpunk: did you ever think about making the systemd_networkd role have more "native" yaml input that more closely looks directly like the contents of the config files? | 16:08 |
jrosser | for example, that's very close to being true here https://github.com/openstack/ansible-role-systemd_networkd/blob/master/templates/systemd-netdev.j2 | 16:09 |
jrosser | but very much not true here https://github.com/openstack/ansible-role-systemd_networkd/blob/master/templates/systemd-network.j2 | 16:09 |
noonedeadpunk | jrosser: I'm frankly not sure how to deal with legacy | 16:38 |
noonedeadpunk | but also some parameters there can be repeated multiple times | 16:39 |
noonedeadpunk | like vlan | 16:39 |
noonedeadpunk | which you can not really do in more native YAML | 16:39 |
mossblaser | I suppose the config template role has a solution of sorts in that space? | 17:00 |
noonedeadpunk | oh yes, you can use overrides there, sure | 18:31 |
noonedeadpunk | but again - we probably need to add the same wrapping as for VLAN to VXLAN etc. as well: https://github.com/openstack/ansible-role-systemd_networkd/blob/master/templates/systemd-network.j2#L44-L52 | 18:32 |
noonedeadpunk | or you mean the `VLAN: {'value': null}` thing? | 18:33 |
opendevreview | Merged openstack/openstack-ansible master: Imported Translations from Zanata https://review.opendev.org/c/openstack/openstack-ansible/+/953924 | 20:01 |
opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-ops master: Bump prometheus.prometheus to 0.27.0 https://review.opendev.org/c/openstack/openstack-ansible-ops/+/954165 | 20:07 |
opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-ops master: Bump prometheus.prometheus to 0.27.0 https://review.opendev.org/c/openstack/openstack-ansible-ops/+/954165 | 20:08 |
opendevreview | Jonathan Rosser proposed openstack/ansible-role-pki master: Allow certificates to be installed by specifying them by name https://review.opendev.org/c/openstack/ansible-role-pki/+/954239 | 21:30 |