rm_work | johnsom: yeah, doing your test | 00:01 |
---|---|---|
rm_work | it works fine | 00:01 |
johnsom | Really | 00:01 |
johnsom | hmmm | 00:01 |
rm_work | openstack secret get http://127.0.0.1/key-manager/v1/secrets/381d8b3f-e9e0-4f6c-ae82-f26053c8ab16 --os-interface public | 00:01 |
rm_work | ^^ works fine | 00:01 |
rm_work | openstack secret get http://127.0.0.1/key-manager/v1/secrets/381d8b3f-e9e0-4f6c-ae82-f26053c8ab16 --debug --os-interface internal | 00:01 |
rm_work | ^^ breaks with a 404 | 00:02 |
rm_work | because i changed the internal endpoint to be invalid | 00:02 |
johnsom | Right, and changed your code to default to False right? | 00:02 |
rm_work | so I'm back to "they didn't install it right" or something | 00:02 |
rm_work | yes | 00:02 |
rm_work | are you sure you had them patch our code to pass federated=False? | 00:02 |
johnsom | In those two places right? | 00:03 |
rm_work | really in just one place | 00:03 |
johnsom | Yeah, I watched them do it | 00:03 |
rm_work | but yes | 00:03 |
johnsom | Oh, we changed it in two places | 00:03 |
rm_work | let me finish the test by actually using octavia | 00:03 |
rm_work | yeah two is fine | 00:03 |
rm_work | one is really all that's needed tho | 00:03 |
johnsom | Ok, yeah, we only did octavia with the endpoint_type=internal in the [certificates] section | 00:03 |
rm_work | since it really picks up the default in the get() function and passes a value to the next one | 00:03 |
rm_work | and you updated the barbican patch to default to False? | 00:04 |
rm_work | or you edited the octavia code to pass False explicitly? | 00:04 |
johnsom | No, hacked the bbq client to False, two lines, then added endpoint_type=internal, restarted octavia-* | 00:04 |
rm_work | yeah k | 00:05 |
rm_work | that should be good | 00:05 |
johnsom | Created a listener, API log still bombed with the public endpoint URL | 00:05 |
rm_work | did they install python-barbicanclient with -e ? | 00:05 |
rm_work | and in the right env? | 00:05 |
johnsom | -e no, isolated though and in the octavia venv | 00:06 |
johnsom | pip uninstall bbq-client, pip install --isolated . | 00:06 |
rm_work | hmmm | 00:06 |
rm_work | i don't know what --isolated does | 00:06 |
johnsom | isolated to turn off the funky repo stuff they are doing there | 00:06 |
rm_work | hmm | 00:07 |
rm_work | well | 00:07 |
johnsom | pip list gave the -dev version | 00:07 |
rm_work | <_< | 00:07 |
johnsom | no package outside the venv | 00:07 |
johnsom | I tried to check some of this stuff | 00:07 |
rm_work | ok well... it works | 00:07 |
rm_work | so something is wonky | 00:07 |
johnsom | So you expected 404 but got 200? | 00:08 |
rm_work | no, i expected 404 and got it | 00:08 |
rm_work | since with internal-url set to "broken", it should break | 00:08 |
rm_work | and it does | 00:08 |
johnsom | What the heck.... | 00:09 |
johnsom | ok | 00:09 |
johnsom | And you stored using public? | 00:09 |
rm_work | yes | 00:09 |
rm_work | and passed the public URL | 00:09 |
johnsom | We didn't re-store a secret, we tried to use one that was in there. | 00:10 |
johnsom | is that where we went wrong? | 00:10 |
rm_work | http://paste.openstack.org/raw/727318/ | 00:10 |
rm_work | no | 00:10 |
rm_work | i also didn't re-store | 00:10 |
rm_work | and it won't matter | 00:10 |
rm_work | the way this works, it literally just scrapes the UUID and uses whatever endpoint type is specified via keystone session | 00:11 |
rm_work | `Secret ref calculated to be: secrets/381d8b3f-e9e0-4f6c-ae82-f26053c8ab16` | 00:11 |
rm_work | that is the log line i added | 00:11 |
rm_work | just prints "secret_ref" after the if/else | 00:11 |
rm_work | which indicates that it did reset it to a relative URL | 00:11 |
rm_work | which means whatever else happens, is up to keystone | 00:12 |
rm_work | you can see the endpoints there | 00:12 |
rm_work | and that it uses the expected one | 00:12 |
johnsom | Hmm looking at the log, this is interesting. it is saying "barbican_legacy" | 00:13 |
johnsom | This is an old log, before the patch. | 00:13 |
johnsom | Should it be using barbican and not barbican_legacy? | 00:14 |
rm_work | .... which one? | 00:14 |
rm_work | ah yeah | 00:14 |
rm_work | legacy means Container based | 00:14 |
rm_work | not PKCS12 | 00:14 |
johnsom | Do we have the wrong commands then? I know he created the pkcs12 | 00:14 |
rm_work | that is totally not pkcs12 | 00:15 |
rm_work | wait, give me a sec | 00:15 |
johnsom | That is all he had for a file, so I'm wondering if we have some bad instructions or something | 00:15 |
rm_work | oh no, i see what it is | 00:16 |
rm_work | rofl | 00:16 |
rm_work | the way we do the cert stuff.... | 00:16 |
rm_work | we try to load the ref as a container first | 00:16 |
rm_work | if that is not found, then we go to the other method | 00:16 |
rm_work | but it is getting an SSL error | 00:17 |
rm_work | which is not what we catch | 00:17 |
rm_work | so yeah i need to fix the Container pieces | 00:17 |
johnsom | Ah, the final part drops into place | 00:17 |
rm_work | one sec | 00:17 |
johnsom | Yeah, the public URL blows up due to the TLS differences... | 00:18 |
johnsom | Hmm, our code looks ok, but I wonder if the endpoint_type isn't going in on the pkcs12 path | 00:20 |
rm_work | it will | 00:21 |
rm_work | i need to update my patch | 00:21 |
rm_work | it goes through the container route *first* | 00:21 |
rm_work | then does a fallback to secrets | 00:21 |
rm_work | so i need to do the non-fed thing for containers too | 00:21 |
rm_work | but my Pycharm is not responding, give e sec | 00:22 |
rm_work | *me a sec | 00:22 |
rm_work | my whole mac is going wonky lol | 00:22 |
johnsom | But how did he store the pkcs12 in a container? How did it go the wrong way? | 00:22 |
rm_work | he didn' | 00:22 |
rm_work | t | 00:22 |
rm_work | it's in a secret | 00:22 |
rm_work | but the octavia cert code tries the legacy path first | 00:22 |
rm_work | we just do this: | 00:23 |
rm_work | 1) Try to get the cert ref as a container | 00:23 |
rm_work | 2) Did it work? Cool, DONE | 00:23 |
johnsom | Hmm, ok, this confuses me then: https://github.com/openstack/octavia/blob/master/octavia/certificates/manager/barbican.py#L112 | 00:23 |
rm_work | 3) It didn't work! It must be PKCS12, try as a secret | 00:23 |
rm_work | 4) Did it work? Cool, DONE | 00:23 |
rm_work | yeah that's the non-legacy | 00:24 |
rm_work | it goes as a secret | 00:24 |
rm_work | the legacy is first in the chain tho | 00:24 |
rm_work | oh wait, it isn't? | 00:25 |
rm_work | hold on | 00:25 |
rm_work | you're right, it isn't | 00:25 |
rm_work | legacy is the second in chain | 00:25 |
rm_work | so the log you sent me is too late | 00:26 |
rm_work | i need the logs BEFORE that | 00:26 |
rm_work | fff | 00:26 |
bbbbzhao_ | =.= | 01:41 |
johnsom | bbbbzhao_ Hi | 02:03 |
johnsom | I didn't get to test/work on the flow order change. Still need to do that | 02:04 |
johnsom | Though I worked on fixing the missing systemd script for udp only listener. | 02:04 |
johnsom | I also started work cleaning up the tests. | 02:04 |
johnsom | When we run the api test framework, those are functional tests. I moved those for the keepalivedlvs tests. | 02:05 |
johnsom | I am in the middle of finishing up the unit tests, but need to stop for the night. | 02:05 |
johnsom | I will post my patch update soon | 02:05 |
openstackgerrit | Michael Johnson proposed openstack/octavia master: Followup patch for UDP support https://review.openstack.org/587690 | 02:11 |
*** | yamamoto has joined #openstack-lbaas | 03:16 |
*** | yamamoto has quit IRC | 03:37 |
bbbbzhao_ | johnsom: Thanks, Michael. That's true the use cases in my mind are limited. I thought most of the scenes are covered and the works had been done, but it didn't seem not. I will look at the test which not be cleaned up after the several storyboard work done. Thank you again. | 06:54 |
openstackgerrit | Carlos Goncalves proposed openstack/octavia master: Revert "Fix the bionic gate to actually run Ubuntu bionic" https://review.openstack.org/588883 | 09:17 |
openstackgerrit | Carlos Goncalves proposed openstack/octavia-tempest-plugin master: Gate on CentOS 7 and check on Ubuntu Bionic https://review.openstack.org/587414 | 09:21 |
openstackgerrit | Carlos Goncalves proposed openstack/octavia master: Gate on octavia-dsvm-base based jobs and housekeeping https://review.openstack.org/587442 | 09:32 |
openstackgerrit | Carlos Goncalves proposed openstack/octavia master: Gate on octavia-dsvm-base based jobs and housekeeping https://review.openstack.org/587442 | 10:17 |
openstackgerrit | ZhaoBo proposed openstack/octavia master: [UDP] Fix failed member always in DRAIN status https://review.openstack.org/588511 | 12:12 |
openstackgerrit | ZhaoBo proposed openstack/octavia master: [UDP] Update amphora agent api ref https://review.openstack.org/588893 | 12:12 |
bbbbzhao_ | johnsom: OH, https://storyboard.openstack.org/#!/story/2003211 we already support it, as --session-persistence option accepts key-value | 12:23 |
*** | PagliaccisCloud has quit IRC | 17:38 |
*** | ipsecguy has quit IRC | 17:39 |
*** | PagliaccisCloud has joined #openstack-lbaas | 17:40 |
*** | yamamoto has joined #openstack-lbaas | 20:24 |
*** | yamamoto has quit IRC | 20:26 |
*** | yamamoto has joined #openstack-lbaas | 20:38 |
*** | yamamoto has quit IRC | 20:55 |
*** | yamamoto has joined #openstack-lbaas | 21:00 |
*** | yamamoto has quit IRC | 21:09 |
*** | yamamoto has joined #openstack-lbaas | 21:29 |
*** | yamamoto has quit IRC | 21:29 |
*** | yamamoto has joined #openstack-lbaas | 21:57 |
*** | yamamoto has quit IRC | 21:58 |