rajiv | Hi | 15:01 |
---|---|---|
xek | #startmeeting barbican | 15:01 |
opendevmeet | Meeting started Mon Oct 28 15:01:20 2024 UTC and is due to finish in 60 minutes. The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:01 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:01 |
opendevmeet | The meeting name has been set to 'barbican' | 15:01 |
xek | #topic Roll Call | 15:01 |
xek | o/ | 15:01 |
xek | Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar | 15:01 |
xek | As usual our agenda can be found here: | 15:02 |
xek | #link https://etherpad.openstack.org/p/barbican-weekly-meeting | 15:02 |
dmendiza[m] | 🙋 | 15:02 |
xek | #topic Review Past Meeting Action Items | 15:03 |
xek | #link https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-10-14-15.03.html | 15:03 |
xek | There were no action items | 15:03 |
xek | #topic Liaison Updates | 15:03 |
xek | No updates from me | 15:04 |
xek | #topic Open Discussion | 15:05 |
rajiv | Heylo!! | 15:06 |
rajiv | the barbican release notes are not visible! | 15:06 |
rajiv | i raised this in previous PTGs but couldn't find any fix for it | 15:06 |
rajiv | here : https://releases.openstack.org/dalmatian/index.html | 15:06 |
xek | Hm, I see release notes here: https://docs.openstack.org/releasenotes/barbican/2024.2.html | 15:07 |
rajiv | okay, then it's a mapping issue to the main link ? | 15:08 |
rajiv | second, i wanted to follow up on https://bugs.launchpad.net/barbican/+bug/2036506 | 15:09 |
xek | yeah, looks like the link to the release notes is missing from that page | 15:09 |
rajiv | thanks for looking into this dmendiza[m] :) was this patch validated by Thales ? | 15:09 |
dmendiza[m] | hi rajiv . My patch is a WIP. No plans to have Thales look at it, but I will be testing with an (ancient) Thales Luna HSM. | 15:10 |
dmendiza[m] | My HSM is too old to test the new firmware, so you may want to download the patch and test it when it's working | 15:10 |
rajiv | ah ok cool :) i tested the patch today and shared my analysis! | 15:11 |
rajiv | i have a Thales contact from Engineering to validate once the patch is merged :) | 15:11 |
dmendiza[m] | Sweet, yeah just keep an eye out on the review, I'll be updating it this week. | 15:13 |
rajiv | nice! | 15:14 |
rajiv | last question, is it possible to support multiple vendors on Barbican ? Thales and Utimaco ? | 15:14 |
rajiv | i see an option for multi-secret store but not multi-vendor per secret store ? | 15:15 |
dmendiza[m] | I think we've only tested multiple_secret_stores with different types e.g. SimpleCrypto + HSM, or SimpleCrypto + KMIP. I'm not sure if 2x StoreCrypto + PKCS11 would work? 🤔 | 15:16 |
rajiv | SimpleCrypto + HSM, is my current implementation and it definitely works | 15:17 |
rajiv | i couldn't find an option to validate 2x pkcs11 here https://docs.openstack.org/barbican/latest/install/barbican-backend.html | 15:18 |
rajiv | i see an overlap in Thales & Utimaco devices. | 15:18 |
dmendiza[m] | Yeah, the main issue is going to be trying to instantiate two instances of StoreCryptoAdapter: https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/store_crypto.py#L50 | 15:19 |
rajiv | yep, i guessed the same. | 15:19 |
rajiv | does this docu need updating ? https://docs.openstack.org/barbican/latest/configuration/plugin_backends.html when compared to https://docs.openstack.org/barbican/latest/install/barbican-backend.html | 15:20 |
rajiv | stores_lookup_suffix shows pkcs11 but on the other page it's enabled_crypto_plugins = p11_crypto | 15:21 |
dmendiza[m] | I think both need to be updated probably | 15:21 |
rajiv | okay, for SimpleCrypto + HSM config, this is fine correct ? https://github.com/sapcc/helm-charts/blob/barb_thales_test/openstack/barbican/templates/etc/_barbican.conf.tpl#L69-L83 | 15:22 |
dmendiza[m] | Not sure, you'd have to test it and make sure there's no funny business going on with the two instances of StoreCryptoAdapter. | 15:23 |
rajiv | okay sure. | 15:24 |
xek | ok, to finish up, let's quickly check the bugs | 15:27 |
xek | #topic Bug Review | 15:27 |
xek | I see one new bug | 15:28 |
xek | #link https://bugs.launchpad.net/barbican/+bug/2084691 | 15:28 |
xek | Barbican is not passing any name to the KMIP object so the default one is used | 15:28 |
dmendiza[m] | Yeahh.... KMIP was on the way to deprecation IIRC. Not surprised it's broken since we stopped testing it when PyKMIP started failing at the gate. | 15:29 |
xek | dmendiza can you respond? maybe we should decide on deprecating it this cycle | 15:30 |
dmendiza[m] | Sure | 15:30 |
xek | Thanks! | 15:30 |
xek | Ok, that's all for today | 15:31 |
xek | Have a great rest of the week! | 15:31 |
xek | #endmeeting | 15:31 |
opendevmeet | Meeting ended Mon Oct 28 15:31:22 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:31 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-10-28-15.01.html | 15:31 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-10-28-15.01.txt | 15:31 |
opendevmeet | Log: https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-10-28-15.01.log.html | 15:31 |
dmendiza[m] | Thanks Grzegorz Grasza ! | 15:31 |
opendevreview | Ghanshyam proposed openstack/barbican-tempest-plugin master: Support py3.12 and drop py3.8 https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/933360 | 17:58 |