Tuesday, 2025-07-08

damiandabrowski: morning [07:54]
damiandabrowski: jrosser: I think it should be considered as a limitation of standalone backend [07:55]
jrosser: you mean we can't improve it? [07:56]
jrosser: and i'm also quite confused about your comment here https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269/2/defaults/main.yml#386 [07:56]
damiandabrowski: if standalone backend allowed to combine cert types as hashi_vault backend does, we wouldn't need tasks like this: [07:57]
jrosser: is it really true that most of our roles use a certificate and ca bundle in the same file [07:57]
damiandabrowski: https://opendev.org/openstack/ansible-role-zookeeper/src/branch/master/handlers/main.yml#L16 [07:57]
jrosser: i'm just suggesting that we could fix that [07:57]
jrosser: and make the features of the standalone backend be better aligned with what the vault one can do [07:58]
jrosser: then the changes required for the vault backend will be smaller [07:58]
jrosser: if we can come up with a consistent set of things for `type` then a bunch of tidying up could be done [07:58]
noonedeadpunk: ++ that would be an awesome thing to do [08:01]
damiandabrowski: i think it may be possible to fix it for standalone backend, I just wonder if we should do this before merging hashi_vault backend or do this as a follow up [08:01]
noonedeadpunk: If this removes complexity for the hashi backend - then better to do before [08:02]
noonedeadpunk: and not introduce something we don't need [08:02]
jrosser: imho the hashi_vault backend patches are currently carrying a lot of workarounds for the current state of the PKI role [08:02]
jrosser: and i give the example of glance here https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 [08:02]
jrosser: with maybe just fixing this `type` thing and agreeing on the names, it could be that actually no change at all is needed in os_glance with 954269 to make it compatible with the vault backend [08:03]
jrosser: just a group_var setting to enable it [08:03]
damiandabrowski: maybe you're right, i'll look into this [08:06]
damiandabrowski: coming back to your question if we really put certificate and ca bundle in the same file for most of the roles [08:07]
damiandabrowski: yes, i'm pretty sure we do (when backend tls is enabled) [08:07]
damiandabrowski: https://opendev.org/openstack/ansible-role-pki/src/branch/master/tasks/standalone/create_cert.yml#L82 [08:07]
damiandabrowski: so "*-chain.crt" files contain cert + ca_bundle [08:08]
damiandabrowski: and we have quite a lot of references to them :D [08:09]
damiandabrowski: https://paste.opendev.org/show/bMlyUJHGexLjzEiumubs/ [08:09]
jrosser: ok cool that's fine [08:29]
jrosser: sounds like good reason to align these things a bit more [08:29]
opendevreview: Jonathan Rosser proposed openstack/openstack-ansible master: Do not disable configure_mirrors extra repos for debian  https://review.opendev.org/c/openstack/openstack-ansible/+/954316 [08:37]
opendevreview: Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Use 'name' to specify SSL certificates to the PKI role  https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 [08:38]
opendevreview: Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Use 'name' to specify SSL certificates to the PKI role  https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 [09:09]
opendevreview: Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Switch cinderstore job to noble  https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954320 [09:09]
jrosser: i think there might be some systematic brokenness for debian-bookworm on 2024.1 [09:15]
opendevreview: Merged openstack/openstack-ansible-plugins master: Add retry logic to improve reliability  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/953937 [09:17]
noonedeadpunk: I could assume it's that, if not jammy was explicitly in condition: https://opendev.org/openstack/openstack-ansible/src/branch/stable/2024.1/zuul.d/playbooks/pre-gate-cleanup.yml#L21-L27 [09:19]
jrosser: unfortunately we don't seem to gather any /etc/ for those jobs that are failing [09:26]
jrosser: i never really did understand why that happens [09:26]
opendevreview: Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Use 'name' to specify SSL certificates to the PKI role  https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 [09:27]
opendevreview: Jonathan Rosser proposed openstack/ansible-role-pki master: Add python3-setuptools for redhat-10 based distros.  https://review.opendev.org/c/openstack/ansible-role-pki/+/954213 [09:30]
opendevreview: Jonathan Rosser proposed openstack/ansible-role-pki master: Allow certificates to be installed by specifying them by name  https://review.opendev.org/c/openstack/ansible-role-pki/+/954239 [09:30]
opendevreview: Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Switch cinderstore job to noble  https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954320 [09:53]
opendevreview: Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Use 'name' to specify SSL certificates to the PKI role  https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 [09:53]
opendevreview: Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Use 'name' to specify SSL certificates to the PKI role  https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 [10:52]
jrosser: argh i am out of practice with this [10:52]
jrosser: maybe we need this all down the stable branches https://review.opendev.org/c/openstack/openstack-ansible/+/954316 [10:53]
noonedeadpunk: I'd try it on 2024.1 tbh just in case [11:37]
opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/2024.1: Do not disable configure_mirrors extra repos for debian  https://review.opendev.org/c/openstack/openstack-ansible/+/954339 [13:54]
opendevreview: Jonathan Rosser proposed openstack/openstack-ansible-os_glance master: Use 'name' to specify SSL certificates to the PKI role  https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 [14:40]
anfimovir: hello ;) [15:00]
noonedeadpunk: #startmeeting openstack_ansible_meeting [15:00]
opendevmeet: Meeting started Tue Jul  8 15:00:11 2025 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. [15:00]
opendevmeet: Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [15:00]
opendevmeet: The meeting name has been set to 'openstack_ansible_meeting' [15:00]
noonedeadpunk: #topic rollcall [15:00]
noonedeadpunk: o/ hey there [15:00]
damiandabrowski: hi! [15:00]
jrosser: o/ hello [15:03]
noonedeadpunk: #topic office hours [15:05]
noonedeadpunk: I want to start with ongoing things [15:06]
noonedeadpunk: and specifically adding hashi vault driver to PKI role [15:07]
noonedeadpunk: there was a good amount of feedback provided recently both in reviews and IRC. [15:07]
NeilHanlon: o/ [15:08]
noonedeadpunk: damiandabrowski: do you wanna raise some discussion now to get unblocked on doing changes for the topic? [15:08]
damiandabrowski: maybe just to clarify: my main goal now is to try to get rid of the variables passed to the hashi_vault backend, right? [15:09]
damiandabrowski: it would require improving standalone backend, to accept type as a list (the same way as hashi_vault backend does) [15:10]
jrosser: are we sure that a list is necessary? [15:10]
jrosser: there are only a well defined number of outputs that we need to write [15:11]
damiandabrowski: It's not strictly necessary, though it can be helpful. [15:12]
damiandabrowski: adding support for a list would allow us to drop handlers like this: https://opendev.org/openstack/ansible-role-zookeeper/src/branch/master/handlers/main.yml#L16 [15:12]
jrosser: well [15:13]
damiandabrowski: but I don't insist, as I said, it's not strictly necessary. [15:13]
jrosser: what we need is some `type` that defines cert + ca chain, be that a list or a constant [15:14]
noonedeadpunk: to be frank, zookeeper looks like being a bit special here (as a java app) [15:14]
noonedeadpunk: as it has a different order of cert/ca [15:14]
jrosser: i think there are a few examples like that, maybe octavia, neutron (ovn) [15:14]
jrosser: anyway, i think this is one of the key things to define [15:17]
noonedeadpunk: ok, then the next thing was refactoring of aio bootstrap [15:20]
damiandabrowski: and jrosser is working on a feature that would allow us to get rid of "cert" parameter for hashi_vault backend and stick just to `name` that would be accepted by both backends [15:21]
noonedeadpunk: and I think we agreed on a proxy approach to resolve chicken-egg situation with proxy? [15:21]
noonedeadpunk: jrosser: are you working on this or just pushed an example of how to do that for picking this up? [15:22]
jrosser: which one? :) [15:22]
noonedeadpunk: https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/954269 [15:23]
damiandabrowski: i was referring to: https://review.opendev.org/c/openstack/ansible-role-pki/+/954239 [15:23]
noonedeadpunk: yeah, glance one depending on PKI [15:23]
jrosser: ok sure yes - though this does need us to decide what to do with `type`, as i think i already don't quite use the same names as the vault patches (just needs unifying) [15:24]
jrosser: and also figuring out the allowed values/format for `type` and implementing anything missing in the standalone backend [15:24]
damiandabrowski: I think I can align hashi_vault plugin to the already existing types [15:25]
damiandabrowski: by applying these mappings I mentioned somewhere in gerrit [15:25]
noonedeadpunk: I guess it's type vs backend now, right? [15:25]
noonedeadpunk: or well [15:26]
noonedeadpunk: it's different [15:26]
jrosser: we don't have a spec for this so do we need at least an etherpad? [15:26]
noonedeadpunk: Let's start using this one? [15:27]
noonedeadpunk: #link https://etherpad.opendev.org/p/osa-pki-multiple-backends [15:27]
jrosser: i have a number of other minor patches to get the CI working again around this which could be reviewed now [15:27]
damiandabrowski: yeah, etherpad would be useful. I didn't prepare spec because I thought that adding new backend would be relatively simple [15:28]
damiandabrowski: (I was so wrong :D ) [15:28]
noonedeadpunk: Yes, Debian CI is broken now due to backport repos [15:29]
noonedeadpunk: so this patch seemingly fixes it even before change to infra is merged [15:29]
noonedeadpunk: #link https://review.opendev.org/c/openstack/openstack-ansible/+/954316 [15:29]
noonedeadpunk: ok, I added etherpad to the list: https://wiki.openstack.org/wiki/OpenStack-Ansible#Etherpads [15:36]
noonedeadpunk: so we won't lose it [15:36]
noonedeadpunk: ok, what else do we have on the table right now? [15:37]
noonedeadpunk: Adding EL10 CI I guess... [15:38]
NeilHanlon: yeah.. i need to come up with a plan for systemd-networkd [15:38]
noonedeadpunk: And I don't have any updates on image availability in CI [15:38]
noonedeadpunk: and this ofc ^ [15:38]
NeilHanlon: which is probably just going to be building it in SIG/Cloud or something for Rocky.. idk... [15:38]
noonedeadpunk: it seems that overall there're more and more things that are (un)intentionally broken [15:39]
NeilHanlon: yeah [15:39]
noonedeadpunk: I wonder if nobody just needs networked in RHEL [15:39]
NeilHanlon: i don't get what RDO folks are doing here tbh [15:39]
noonedeadpunk: and then ceph [15:39]
noonedeadpunk: and then many more things... [15:40]
NeilHanlon: yeah.. ceph at least I have a plan on already [15:40]
NeilHanlon: we'll have it in SIG/Storage in rocky [15:40]
NeilHanlon: what version do we need, btw? [15:40]
noonedeadpunk: NeilHanlon: btw, was there any progress with building LXC for EPEL? As I guess it's around time for the second ping in there? [15:40]
noonedeadpunk: reef? [15:40]
NeilHanlon: roger on reef [15:40]
NeilHanlon: and yeah i probably do need to ping [15:40]
NeilHanlon: did the reply and set myself a reminder for 2 weeks [15:41]
opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_skyline master: Ensure u-c are used for Skyline installation  https://review.opendev.org/c/openstack/openstack-ansible-os_skyline/+/954166 [15:42]
opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_skyline stable/2025.1: Ensure u-c are used for Skyline installation  https://review.opendev.org/c/openstack/openstack-ansible-os_skyline/+/954355 [15:43]
noonedeadpunk: NeilHanlon: regarding Ceph it also was about EL9 even [15:45]
noonedeadpunk: #link https://answers.launchpad.net/openstack-ansible/+question/821901 [15:45]
NeilHanlon: yep yep [15:45]
NeilHanlon: we should be able to do r9 really easily, i just need to get out of my own way [15:45]
noonedeadpunk: it's not always that easy [15:45]
noonedeadpunk: ok, awesome, anything else? [15:46]
NeilHanlon: not from me.. though, on a personal note, I am currently open for employment opportunities, if anyone has any tips to jobs (contract or otherwise), I'd appreciate it! :) [15:46]
noonedeadpunk: ++ [15:48]
noonedeadpunk: ok then, will end the meeting a bit early then :) [15:49]
noonedeadpunk: #endmeeting [15:49]
opendevmeet: Meeting ended Tue Jul  8 15:49:17 2025 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [15:49]
opendevmeet: Minutes:        https://meetings.opendev.org/meetings/openstack_ansible_meeting/2025/openstack_ansible_meeting.2025-07-08-15.00.html [15:49]
opendevmeet: Minutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2025/openstack_ansible_meeting.2025-07-08-15.00.txt [15:49]
opendevmeet: Log:            https://meetings.opendev.org/meetings/openstack_ansible_meeting/2025/openstack_ansible_meeting.2025-07-08-15.00.log.html [15:49]
jrosser: noonedeadpunk: did you ever think about making the systemd_networkd role have more "native" yaml input that more closely looks directly like the contents of the config files? [16:08]
jrosser: for example, that's very close to being true here https://github.com/openstack/ansible-role-systemd_networkd/blob/master/templates/systemd-netdev.j2 [16:09]
jrosser: but very much not true here https://github.com/openstack/ansible-role-systemd_networkd/blob/master/templates/systemd-network.j2 [16:09]
noonedeadpunk: jrosser: I'm frankly not sure how to deal with legacy [16:38]
noonedeadpunk: but also some parameters there can be repeated multiple times [16:39]
noonedeadpunk: like vlan [16:39]
noonedeadpunk: which you can not really do in more native YAML [16:39]
mossblaser: I suppose the config template role has a solution of sorts in that space? [17:00]
noonedeadpunk: oh yes, you can use overrides there, sure [18:31]
noonedeadpunk: but again - we probably need to add same wrapping as for VLAN to VXLAN and etc as well: https://github.com/openstack/ansible-role-systemd_networkd/blob/master/templates/systemd-network.j2#L44-L52 [18:32]
noonedeadpunk: or you mean the `VLAN: {'value': null}` thing? [18:33]
opendevreview: Merged openstack/openstack-ansible master: Imported Translations from Zanata  https://review.opendev.org/c/openstack/openstack-ansible/+/953924 [20:01]
opendevreview: Ivan Anfimov proposed openstack/openstack-ansible-ops master: Bump prometheus.prometheus to 0.27.0  https://review.opendev.org/c/openstack/openstack-ansible-ops/+/954165 [20:07]
opendevreview: Ivan Anfimov proposed openstack/openstack-ansible-ops master: Bump prometheus.prometheus to 0.27.0  https://review.opendev.org/c/openstack/openstack-ansible-ops/+/954165 [20:08]
opendevreview: Jonathan Rosser proposed openstack/ansible-role-pki master: Allow certificates to be installed by specifying them by name  https://review.opendev.org/c/openstack/ansible-role-pki/+/954239 [21:30]
