Tuesday, 2021-05-11

« Monday, 2021-05-10 Index Wednesday, 2021-05-12 »
*** nikparasyr has joined #openstack-barbican07:16
*** tosky has joined #openstack-barbican07:39
*** mgoddard has quit IRC07:45
*** mgoddard has joined #openstack-barbican07:50
*** Luzi has joined #openstack-barbican10:03
*** dwilde has joined #openstack-barbican12:53
redrobot#startmeeting barbican13:00
openstackMeeting started Tue May 11 13:00:17 2021 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.13:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.13:00
*** openstack changes topic to " (Meeting topic: barbican)"13:00
openstackThe meeting name has been set to 'barbican'13:00
redrobot#topic Roll Call13:00
*** openstack changes topic to "Roll Call (Meeting topic: barbican)"13:00
redrobotCourtesy ping for ade_lee dave-mccowan hrybacki jamespage Luzi lxkong mhen moguimar raildo rm_work tosky xek nearyo oleksandry13:01
redrobotAs usual the agenda can be found here:13:01
redrobot#link https://etherpad.opendev.org/p/barbican-weekly-meeting13:01
Luzio/13:01
redrobotHi Luzi13:01
Luzihi redrobot13:01
moguimaro/13:02
redrobotHi moguimar!13:02
toskyhi13:03
redrobotHi tosky!13:03
redrobotLet's get started13:03
redrobot#topic LIaison Updates13:03
*** openstack changes topic to "LIaison Updates (Meeting topic: barbican)"13:03
redrobotmoguimar? tosky?13:04
moguimarI missed the oslo meeting yesterday13:04
moguimarno updates13:04
redrobotno worries, moguimar13:04
*** dwilde has quit IRC13:04
redrobottosky must be multitasking ... let's move on to the next topic13:06
toskynothing special (just a tiny patch)13:06
toskybut yeah, #nexttopic :)13:06
redrobotack, we'll get to it during Wayward Reviews13:06
redrobot#topic Kanban Review13:06
*** openstack changes topic to "Kanban Review (Meeting topic: barbican)"13:06
moguimarno progress on hvac13:06
redrobot#link https://tree.taiga.io/project/dmend-openstack-barbican/kanban13:06
redrobotOK, just added card #16 to track the fix to the Vault backend encoding issue13:08
redrobotmoguimar any updates on your end?13:08
*** rajivmucheli has joined #openstack-barbican13:09
moguimarnope13:11
redrobotOK, moving on13:11
redrobot#topic Bug Review13:11
*** openstack changes topic to "Bug Review (Meeting topic: barbican)"13:11
redrobot#link https://storyboard.openstack.org/#!/project_group/barbican13:11
redrobotlooks like no new barbican stories13:11
redrobot#link https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=013:11
redrobotAnd no new Catellan bugs13:11
redrobot#link https://bugs.launchpad.net/cursive/+bugs?orderby=-id&start=013:12
redrobotand no new Cursive bugs13:12
redrobot#topic Wayward Reviews13:12
*** openstack changes topic to "Wayward Reviews (Meeting topic: barbican)"13:12
redrobot#link https://tinyurl.com/y3zto3ad13:12
redrobotmoguimar easy one: https://review.opendev.org/c/openstack/barbican/+/78791613:13
moguimareasy indeed13:14
redrobotI'm not sure about this one: https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/78704613:18
redrobotChanneling my inner Zen of Python: "Explicit is better than implicit"13:18
redrobotseems like spelling out py36 and py38 would be better than a floating py3 that would run whatever 3.x is available.13:19
moguimarah, I heard about this one13:20
moguimaris a governance thing13:20
moguimarprojects should move to py3 and have the specific version determined by the CI jobs13:20
redrobotHmm...13:23
redrobotI'll need to dig into it further13:23
redrobotbecause I don't like it. :-P13:23
moguimaryeah13:24
moguimarI'd like to see a link to a thread in the ML13:24
redrobotRight... it looks like tosky doesn't like it either on that python-barbicanclient patch. :)13:25
*** dwilde has joined #openstack-barbican13:25
toskyyeah, and I don't like even more those massive changes sent without any coordination or announcement (or prior agreement)13:27
redrobottosky++13:27
redrobotI'm gonna go ahead and reject all those patches13:27
redrobotmoguimar another easy one: https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/78885113:29
moguimardone13:30
toskythe patch I mentioned before is https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/79023713:31
rajivmucheliHi, do the below links assist in:13:34
rajivmucheli1. Vault as backend for Barbican :13:34
rajivmuchelihttps://docs.openstack.org/barbican/latest/install/barbican-backend.html#vault-plugin13:34
rajivmucheli2. Barbican as backend for Vault :13:34
rajivmuchelihttps://docs.openstack.org/security-guide/secrets-management/barbican.html#vault-plugin13:34
*** dwilde has quit IRC13:34
redrobothi rajivmucheli13:37
redrobottosky looking ... your patch is small, but I'm having to look into tempest clients to understand it. 😅13:38
redrobotrajivmucheli #1 is correct,  Hashicorp Vault can be used as a backend for Barbican (although there's a huge bug in orders that I'm fixing)13:39
redrobotrajivmucheli #2 is incorrect.  I don't think Barbican can be used as a backend to Vault13:40
toskyredrobot: it's a follow-up of an older patch (not sure why I didn't catch it back then)13:41
redrobottosky cool, I'll finish reviewing it after the meeting13:41
redrobot#topic Open Discussion13:41
*** openstack changes topic to "Open Discussion (Meeting topic: barbican)"13:41
redrobotAnything else y'all want to talk about?13:41
rajivmuchelithanks redrobot, are there any plugins or scope to configure Barbican as backend for Vault ?13:42
redrobotrajivmucheli not here, we don't do any Vault development.   You would have to ask the Vault developers.13:43
rajivmuchelioops ok,13:43
rajivmuchelianother question, i was configuring octavia listener to use a barbican secret13:44
rajivmucheliwhy does barbican validate if its a secret or secret container ?13:45
rajivmuchelihttps://github.com/openstack/octavia/blob/master/doc/source/user/guides/basic-cookbook.rst#deploy-a-tls-terminated-https-load-balancer13:45
rajivmucheliwhen i execute this command `openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(openstack secret list | awk '/ tls_secret1 / {print $2}') lb1`13:45
redrobotI think the first implementation in Octavia used a secret-container for the different parts (key, cert)13:46
redrobotBut then they changed to a single secret in pkcs#7 format which includes both key and cert in a single file.13:46
rajivmuchelii receive a HTTP 404 from container secret, which is correct since its a secret not secret container. i was wondering why the secret container check takes place13:46
johnsomRight, we still support containers for backward compatibility, but have migrated to using pkcs12 bundles13:46
redrobotOops, pkcs12 not pkcs713:47
johnsomGrin13:47
rajivmucheliyes, its pkcs12,13:47
rajivmuchelithe doc explains `Combine the individual cert/key/intermediates to single PKCS12 files`13:47
openstackgerritMerged openstack/barbican master: setup.cfg: Replace dashes with underscores  https://review.opendev.org/c/openstack/barbican/+/78791613:48
redrobotMaybe you need a different flag instead of --default-tls-container?13:49
johnsomNope13:49
johnsomServer side automatically checks both. Are you getting an errror?13:50
johnsomOr just seeing a log entry?13:51
rajivmucheliits just a log entry showing http 404 from barbican-api, the listener is created though13:55
johnsomYeah, that is just the backward compatibility layer working.13:56
*** dwilde has joined #openstack-barbican13:57
redrobot"It's a feature, not a bug"â„¢13:57
redrobot😎13:57
redrobotAlrighty, we're almost out of time.13:58
redrobotThanks for joining, everyone!13:58
redrobot#endmeeting13:58
*** openstack changes topic to "OpenStack Barbican Development - Weekly Meeting Agenda: https://etherpad.openstack.org/p/barbican-weekly-meeting"13:58
openstackMeeting ended Tue May 11 13:58:13 2021 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)13:58
openstackMinutes:        http://eavesdrop.openstack.org/meetings/barbican/2021/barbican.2021-05-11-13.00.html13:58
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/barbican/2021/barbican.2021-05-11-13.00.txt13:58
openstackLog:            http://eavesdrop.openstack.org/meetings/barbican/2021/barbican.2021-05-11-13.00.log.html13:58
rajivmuchelicool, i dint intend to report it as bug, i wanted to clarify!13:58
rajivmuchelithank you!13:58
johnsomrajivmucheli if you have more Octavia questions, we hang out in #openstack-lbaas13:59
*** Luzi has quit IRC13:59
*** dwilde has quit IRC13:59
*** dwilde has joined #openstack-barbican13:59
rajivmucheli(y)13:59
*** rajivmucheli has quit IRC14:05
openstackgerritMerged openstack/barbican-tempest-plugin master: Add stable/wallaby jobs on master gate  https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/78885114:07
*** iurygregory has quit IRC14:22
*** iurygregory has joined #openstack-barbican14:22
*** nikparasyr has left #openstack-barbican15:06
*** dave-mccowan has quit IRC15:10
*** dwilde has quit IRC16:18
*** dwilde has joined #openstack-barbican16:25
*** dwilde has quit IRC16:35
*** dwilde has joined #openstack-barbican16:41
*** dwilde has quit IRC17:34
*** dwilde has joined #openstack-barbican17:48
*** dwilde has quit IRC18:05
*** dwilde has joined #openstack-barbican18:07
*** dwilde has quit IRC19:39
*** dwilde has joined #openstack-barbican19:57
*** lxkong has quit IRC20:09
*** lxkong has joined #openstack-barbican20:13
*** dwilde has quit IRC21:03
*** tosky has quit IRC23:24
« Monday, 2021-05-10 Index Wednesday, 2021-05-12 »

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!