| *** jamielennox|away is now known as jamielennox | 01:06 | |
| *** diazjf has joined #openstack-barbican | 01:07 | |
| *** Guest54099 has joined #openstack-barbican | 01:48 | |
| *** namnh has joined #openstack-barbican | 01:48 | |
| *** Guest54099 has quit IRC | 01:56 | |
| *** noslzzp has quit IRC | 02:08 | |
| openstackgerrit | Dave McCowan proposed openstack/barbican master: (draft, do not merge) Set Devstack Variable Properly https://review.openstack.org/450844 | 02:10 |
|---|---|---|
| *** catintheroof has joined #openstack-barbican | 02:55 | |
| *** dave-mccowan has joined #openstack-barbican | 02:55 | |
| *** dave-mcc_ has quit IRC | 02:57 | |
| *** dave-mccowan has quit IRC | 03:05 | |
| *** namnh has quit IRC | 03:06 | |
| *** catintheroof has quit IRC | 04:10 | |
| *** diazjf has quit IRC | 04:20 | |
| *** dimtruck is now known as zz_dimtruck | 05:24 | |
| *** zz_dimtruck is now known as dimtruck | 05:24 | |
| *** dimtruck is now known as zz_dimtruck | 05:33 | |
| *** mkoderer has joined #openstack-barbican | 06:15 | |
| *** andreas_s has joined #openstack-barbican | 06:50 | |
| *** pcaruana has joined #openstack-barbican | 06:57 | |
| *** jaosorior has joined #openstack-barbican | 06:57 | |
| *** zz_dimtruck is now known as dimtruck | 07:01 | |
| *** dimtruck is now known as zz_dimtruck | 07:11 | |
| *** zz_dimtruck is now known as dimtruck | 08:02 | |
| *** openstackgerrit has quit IRC | 08:03 | |
| *** dimtruck is now known as zz_dimtruck | 08:12 | |
| *** mjblack has quit IRC | 08:33 | |
| *** mjblack has joined #openstack-barbican | 08:38 | |
| *** zz_dimtruck is now known as dimtruck | 09:02 | |
| *** dimtruck is now known as zz_dimtruck | 09:12 | |
| *** zz_dimtruck is now known as dimtruck | 10:03 | |
| *** dimtruck is now known as zz_dimtruck | 10:13 | |
| *** openstackgerrit has joined #openstack-barbican | 10:19 | |
| openstackgerrit | Nam Nguyen Hoai proposed openstack/barbican master: Fix bug in barbican-plugin-grenade https://review.openstack.org/452679 | 10:19 |
| openstackgerrit | Nam Nguyen Hoai proposed openstack/barbican master: Fix bug in barbican-plugin-grenade https://review.openstack.org/452679 | 10:25 |
| *** zz_dimtruck is now known as dimtruck | 11:04 | |
| *** dimtruck is now known as zz_dimtruck | 11:14 | |
| *** diazjf has joined #openstack-barbican | 11:47 | |
| *** diazjf has quit IRC | 11:49 | |
| *** jgr is now known as jgrassler | 11:49 | |
| *** zz_dimtruck is now known as dimtruck | 12:05 | |
| *** dimtruck is now known as zz_dimtruck | 12:15 | |
| *** jaosorior is now known as jaosorior_brb | 12:36 | |
| *** mjblack has quit IRC | 12:52 | |
| *** mjblack has joined #openstack-barbican | 12:55 | |
| *** zz_dimtruck is now known as dimtruck | 13:06 | |
| *** dimtruck is now known as zz_dimtruck | 13:15 | |
| *** catintheroof has joined #openstack-barbican | 13:31 | |
| *** jaosorior_brb is now known as jaosorior | 13:33 | |
| *** noslzzp has joined #openstack-barbican | 13:48 | |
| *** zz_dimtruck is now known as dimtruck | 14:06 | |
| *** peter-hamilton has joined #openstack-barbican | 14:10 | |
| *** jmckind has joined #openstack-barbican | 14:16 | |
| *** gcb has joined #openstack-barbican | 14:18 | |
| *** jmckind has quit IRC | 14:18 | |
| *** dimtruck is now known as zz_dimtruck | 14:19 | |
| *** rpi has joined #openstack-barbican | 14:20 | |
| *** zz_dimtruck is now known as dimtruck | 14:33 | |
| *** jmckind has joined #openstack-barbican | 14:43 | |
| *** chlong has joined #openstack-barbican | 14:45 | |
| *** diazjf has joined #openstack-barbican | 14:52 | |
| *** diazjf has quit IRC | 15:03 | |
| *** diazjf has joined #openstack-barbican | 15:17 | |
| *** agrebennikov has joined #openstack-barbican | 15:17 | |
| *** dave-mccowan has joined #openstack-barbican | 15:21 | |
| *** agrebennikov has quit IRC | 15:27 | |
| openstackgerrit | Dave McCowan proposed openstack/barbican master: (draft, do not merge) Set Devstack Variable Properly https://review.openstack.org/450844 | 15:29 |
| gcb | hi barbican core reviewers , I'm gcb , PTL of Oslo, as we discussed in the dev ML, castellan-core group will include oslo and barbican core reviewers, I will add both of team members in group castellan-core | 15:31 |
| *** arunkant has quit IRC | 15:40 | |
| *** pcaruana has quit IRC | 15:53 | |
| *** andreas_s has quit IRC | 15:56 | |
| *** gcb has quit IRC | 16:03 | |
| openstackgerrit | Kaitlin Farr proposed openstack/barbican master: Add date filter functional tests https://review.openstack.org/436244 | 16:15 |
| *** namnh has joined #openstack-barbican | 16:19 | |
| namnh | dave-mccowan: Hello Mr.Mccowan, I've uploaded a patch to fix a bug in barbican-plugin-grenade, I already tested it on my local. Could you please review it for me. https://review.openstack.org/#/c/452679/2. | 16:40 |
| dave-mccowan | Hi Nam. Thanks! I'll take a look. | 16:40 |
| namnh | dave-mccowan: thanks, one more thing, today I won't attend our weekly meeting, so I would like to update the status of my task to you | 16:43 |
| namnh | dave-mccowan: 1. I will find the problem and fix bug in the gate job for grenade. | 16:44 |
| namnh | dave-mccowan: 2. After that, I'll update a document for operators, I am preparing this patch [2]. it would be great if the patch [2] get your comment, I will sumarry and update new patch set | 16:45 |
| namnh | [2] https://review.openstack.org/#/c/449022/ | 16:46 |
| namnh | dave-mccowan: finally, I will raise a tag "supports-upgrade" for Barbican :) | 16:46 |
| dave-mccowan | namnh awesome! thanks! | 16:48 |
| namnh | dave-mccowan: Is that all jobs to get "support-upgrade" tag for Barbican? | 16:50 |
| dave-mccowan | namnh that is my recollection. i double check the list later today and let you know if there is anything else i see missing. | 16:51 |
| namnh | dave-mccowan: I see, thanks for your support. | 16:52 |
| namnh | dave-mccowan: I have another information. Currenlty, there is a project (Tacker) is trying to apply barbican. | 16:55 |
| dave-mccowan | namnh i saw a note last week on the email list. do you know the people working on it? do they need help? | 16:57 |
| namnh | Yes, I know: https://review.openstack.org/#/c/445543/ | 16:57 |
| namnh | I also answered some questions from the author of the patch set | 16:58 |
| namnh | dave-mccowan: Yes, I know: https://review.openstack.org/#/c/445543/ | 16:59 |
| namnh | dave-mccowan: I also answered some questions from the author of the patch set | 16:59 |
| dave-mccowan | namnh thanks for the pointer. i will review that patch and also bring it up at the meeting today. | 16:59 |
| *** diazjf has quit IRC | 17:00 | |
| *** kfarr has joined #openstack-barbican | 17:02 | |
| *** chlong has quit IRC | 17:05 | |
| namnh | dave-mccowan: you're welcome. have a nice day. :) | 17:13 |
| dave-mccowan | namnh thanks. have a nice night. I'll try to catch you tomorrow. :-) | 17:13 |
| *** namnh has left #openstack-barbican | 17:14 | |
| *** chlong has joined #openstack-barbican | 17:21 | |
| *** jaosorior is now known as jaosorior_away | 17:29 | |
| *** jamielennox is now known as jamielennox|away | 17:50 | |
| *** peter-hamilton has quit IRC | 18:01 | |
| *** jmckind has quit IRC | 18:13 | |
| *** diazjf has joined #openstack-barbican | 18:28 | |
| *** sapcc-bot1 has joined #openstack-barbican | 18:40 | |
| *** sapcc-bot has quit IRC | 18:40 | |
| dave-mccowan | Happy Monday Barbicaneers! Weekly IRC meeting starts in 1 hour, 15 minutes. | 18:43 |
| *** dimtruck is now known as zz_dimtruck | 18:46 | |
| *** zz_dimtruck is now known as dimtruck | 18:53 | |
| *** diazjf has quit IRC | 18:56 | |
| *** diazjf has joined #openstack-barbican | 19:01 | |
| *** diazjf has quit IRC | 19:02 | |
| *** agrebennikov has joined #openstack-barbican | 19:06 | |
| agrebennikov | hey Barbican folks, I have a question regarding the functionality of the secrets containers please. | 19:07 |
| agrebennikov | If I got my secret created | 19:07 |
| agrebennikov | is there a way to update it down the road with another cert? | 19:08 |
| agrebennikov | the usecase is pretty common - using barbican with neutron lbaas | 19:08 |
| agrebennikov | when the load balance from the lbaas backend gets the cert from barbican there is no way to update the neutron load balancer with the new secret seems so | 19:09 |
| agrebennikov | so the only way to update the cert within the balancer is to update the barbican secret and trigger the balancer to re-request the cert (while adding the pool member for example) | 19:10 |
| agrebennikov | any help is greatly appreciated | 19:10 |
| *** diazjf has joined #openstack-barbican | 19:17 | |
| *** chlong has quit IRC | 19:37 | |
| *** dimtruck is now known as zz_dimtruck | 19:45 | |
| *** chlong has joined #openstack-barbican | 19:51 | |
| dave-mccowan | hi agrebennikov | 19:53 |
| dave-mccowan | agrebennikov let me confirm your question... | 19:54 |
| agrebennikov | dave-mccowan, sure | 19:54 |
| dave-mccowan | you have a container with secrets that comprise a certificate. you would like to update the container with new secrets to comprise an update certificate? | 19:55 |
| agrebennikov | correct | 19:55 |
| *** diazjf has quit IRC | 19:55 | |
| agrebennikov | so that I don't have to re-create the balancer entirely | 19:55 |
| agrebennikov | right now from my understanding there is a update-secret function | 19:56 |
| agrebennikov | but it is just for uploading the stuff into the container once | 19:56 |
| dave-mccowan | agrebennikov let me check. i know we added the capability to update some things, but not all things. i want to double check that your use case is supported. | 19:58 |
| agrebennikov | dave-mccowan, are you referring to some very recent changes? | 19:58 |
| dave-mccowan | no, at least a couple cycles ago | 19:58 |
| agrebennikov | because right now we are unfortunately stuck with liberty and have some limited ability to port things form mitaka back to it | 19:59 |
| agrebennikov | so we ported the client support for update | 19:59 |
| agrebennikov | and turned out that "update" form the server's perspective is completely not what we wanted to get | 19:59 |
| agrebennikov | :) | 19:59 |
| dave-mccowan | i have an IRC meeting to go to right now. i'll get back to you in a little bit. | 20:00 |
| agrebennikov | all right, really appreciate it | 20:01 |
| dave-mccowan | agrebennikov i know we can't update a secret directly. maybe can change the container to point to new secrets. i just need to check of that is specifically allowed for certificate containers. | 20:01 |
| agrebennikov | absolutely | 20:01 |
| dave-mccowan | alee kfarr ping IRC meeting | 20:03 |
| *** jamielennox|away is now known as jamielennox | 20:05 | |
| johnsom | Was there an LBaaS/Octavia question? | 20:23 |
| agrebennikov | johnsom, well, kind of | 20:23 |
| agrebennikov | not necessarily octavia though | 20:24 |
| dave-mccowan | agrebennikov i confirmed that barbican only support container update for containers of type "generic". you can not change the contents of a certificate container. | 20:24 |
| agrebennikov | dave-mccowan, that's really bad then :( | 20:24 |
| agrebennikov | is there any reason for not implementing that? | 20:24 |
| johnsom | When you get new/renewed certificates you create a new container then do a listener update call to LBaaS/Octavia with the new IDs. It will update the load balancer | 20:24 |
| *** zz_dimtruck is now known as dimtruck | 20:25 | |
| dave-mccowan | agrebennikov i think the idea is to put the consumer in charge of when to update | 20:25 |
| johnsom | agrebennikov It's by design and a very good thing. | 20:25 |
| agrebennikov | johnsom, well, it is basically has to be handled by the neutron part then? | 20:25 |
| johnsom | Otherwise there would need to be notifications of some sort send out to the services using the certs that it changed, this way the user lets us know when they are ready for the certs to change. | 20:26 |
| agrebennikov | because in my particular case I have contrail, and it has its own kind of implementation of everything | 20:26 |
| agrebennikov | johnsom, I actually thought about it as well | 20:26 |
| agrebennikov | ok, let me then go check the contrain-neutron part | 20:27 |
| agrebennikov | thanks a lot folks! | 20:27 |
| johnsom | No problem | 20:27 |
| *** diazjf has joined #openstack-barbican | 20:31 | |
| *** diazjf has quit IRC | 20:32 | |
| agrebennikov | johnsom, the listener-update (at least from the CLI perspective) allows to only update the description, pool and the limit | 20:34 |
| agrebennikov | johnsom, https://docs.openstack.org/cli-reference/neutron.html | 20:34 |
| agrebennikov | johnsom, or do I need to go with raw json? | 20:34 |
| johnsom | Yeah, it looks like the CLI didn't get the memo... | 20:35 |
| agrebennikov | can you point me to the code please? | 20:35 |
| johnsom | https://github.com/openstack/neutron-lbaas/blob/master/neutron_lbaas/extensions/loadbalancerv2.py#L221 | 20:35 |
| agrebennikov | oh, there you go | 20:36 |
| agrebennikov | great! | 20:36 |
| johnsom | All of the cert IDs are update-able | 20:36 |
| johnsom | agrebennikov That will be fixed with the OpenStack client implementation underway now... | 20:36 |
| agrebennikov | but I mean I can just use neutron cli anyway | 20:37 |
| johnsom | I think the horizon dashboard also allows you to update them | 20:37 |
| agrebennikov | (maybe requires a little hack though) | 20:37 |
| agrebennikov | not in liberty for sure :) | 20:37 |
| johnsom | Oh! liberty, umm, yeah, no. | 20:37 |
| agrebennikov | so cli is fine with the customer for now | 20:38 |
| agrebennikov | but probably current client will not allow to issue that command, I'll have to unlock it | 20:39 |
| *** dimtruck is now known as zz_dimtruck | 20:48 | |
| *** zz_dimtruck is now known as dimtruck | 20:48 | |
| *** diazjf has joined #openstack-barbican | 21:14 | |
| *** diazjf has quit IRC | 21:33 | |
| *** kfarr has quit IRC | 21:38 | |
| *** alee_ has joined #openstack-barbican | 21:40 | |
| *** sapcc-bot1 has quit IRC | 22:31 | |
| *** sapcc-bot has joined #openstack-barbican | 22:31 | |
| *** chlong has quit IRC | 22:38 | |
| *** catintheroof has quit IRC | 22:44 | |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!