| *** tkajinam is now known as Guest3966 | 00:09 | |
| *** mhen_ is now known as mhen | 01:34 | |
| *** tkajinam is now known as Guest3972 | 01:47 | |
| *** tkajinam is now known as Guest3986 | 05:43 | |
| *** tkajinam is now known as Guest3988 | 06:53 | |
| frickler | I just saw that barbican is using storyboard. not sure if you are happy with that decision or not, but this thread might be interesting either way https://lists.opendev.org/pipermail/service-discuss/2022-October/000370.html | 15:30 |
|---|---|---|
| dmendiza[m] | johnsom: correct. The idea is that `openstack secret delete $SECRET_UUID` will fail if the secret has consumers registered | 18:24 |
| dmendiza[m] | johnsom: There will also be a `--force` flag | 18:24 |
| johnsom | dmendiza[m] So, currently it just deletes it. I'm guessing there are API side patches still needed. | 18:24 |
| dmendiza[m] | so that `openstack secret delete --force $SECRET_UUID` will delete it | 18:25 |
| dmendiza[m] | johnsom: API side is complete, but docs haven't merged yet | 18:25 |
| dmendiza[m] | we're working on client side (which includes the cli) currently | 18:25 |
| dmendiza[m] | as well as castellan support | 18:25 |
| johnsom | Umm, using current master branch, I can delete secrets with consumers, no problem | 18:25 |
| dmendiza[m] | correct, only cli is enforcing delete | 18:26 |
| johnsom | I don't think "force" was implemented in the API | 18:26 |
| johnsom | Ummm, ok, so why CLI only? That means any automation tools using the API can still delete in use secrets | 18:26 |
| dmendiza[m] | I'm not sure ... the spec only defined `--force` for clients https://specs.openstack.org/openstack/barbican-specs/specs/train/secret-consumers.html | 18:29 |
| johnsom | Ok. So, would there be push back if that was added to the API? | 18:29 |
| dmendiza[m] | Depends on implementation, I think? IIRC the main argument was that users should be able to delete a secret no matter what since they own it. There was concern that having to hunt down all the registered things before deleting was bad ux | 18:32 |
| dmendiza[m] | but I don't know if we talked about adding a `force` flag or parameter or whatever to the api | 18:32 |
| johnsom | Yeah, I am fine with the --force flag and implementing it as a header or something in the API. I'm just a little concerned about our friends like Terraform that tend to be aggressive at deleting things accidentally bypassing the "are you sure" check. | 18:33 |
| dmendiza[m] | ade_lee is out on holiday the rest of the week, unfortunately so we'll have to wait for his input | 18:33 |
| johnsom | Ah, ok, so he would be a good person to discuss this with. Sounds good. | 18:34 |
| johnsom | I'm implementing the Octavia side and finding some issues, this was one of them. | 18:34 |
| dmendiza[m] | cool, yeah, we've got the plumbing to do microversions now | 18:34 |
| dmendiza[m] | so modifying the DELETE call shouldn't be an issue | 18:34 |
| johnsom | It's a bummer I couldn't get started on this before the PTG where we could have talked about it. But, schedules.... | 18:35 |
| dmendiza[m] | it would probably be good to write a spec for this | 18:36 |
| johnsom | Well, before that, I am really curious why the current spec says client side only. | 18:37 |
| dmendiza[m] | Not sure ... possibly because we assumed most folks would be using a client (python-barbicanclient/castellan/cli) and folks consuming the API directly would get the footgun | 18:39 |
| dmendiza[m] | or maybe it was backwards compatibility concerns? ... since we couldn't version APIs yet and we didn't want to make a `v2/` just yet | 18:40 |
| johnsom | dmendiza[m] One more question, do you think it would be ok if I posted fixes on this patch: https://review.opendev.org/c/openstack/python-barbicanclient/+/855952 | 18:43 |
| johnsom | Or should I wait for the author | 18:43 |
| johnsom | ? | 18:44 |
| dmendiza[m] | johnsom let me check with Mauricio in the AM | 18:47 |
| dmendiza[m] | johnsom: OP for that patch is a new team mate on my team | 18:47 |
| johnsom | Ok, thanks. Wasn't sure if they were still active, etc. Different teams handle it in different ways | 18:47 |
| johnsom | Ah, cool | 18:47 |
| dmendiza[m] | frickler: thanks for the heads up, I'll add that to the next weekly meeting agenda | 18:57 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!