Friday, 2019-12-13

*** dosaboy has joined #openstack-lbaas00:23
*** yamamoto has quit IRC00:33
*** tobberydberg has quit IRC00:35
*** tobberydberg has joined #openstack-lbaas00:37
*** rcernin has joined #openstack-lbaas00:48
lxkongjohnsom, rm_work yeah, we are in the testing phrase in a new private cloud, met with issue for lb creation failure. From my expeirnce, the agent service may raise some exception with lead to communication between controller and amphora timeout00:55
johnsomlxkong: if the agent raises an exception the controller will log it.00:56
lxkongjohnsom, rm_work with `disable_revert`, can the lb deletion still work?00:56
rm_workI believe it should be ok00:57
rm_work... might want to check for extra resources after though00:57
lxkongcool, will try. thanks00:58
*** yamamoto has joined #openstack-lbaas02:49
*** psachin has joined #openstack-lbaas03:33
*** yamamoto has quit IRC03:42
*** yamamoto has joined #openstack-lbaas03:55
*** psachin has quit IRC04:48
*** zainub_wahid has joined #openstack-lbaas05:12
openstackgerritHidekazu Nakamura proposed openstack/octavia master: Add install guide for Ubuntu
*** gcheresh has joined #openstack-lbaas05:36
*** gcheresh has quit IRC05:54
*** pcaruana has joined #openstack-lbaas06:02
*** ataraday has joined #openstack-lbaas06:09
*** ramishra has joined #openstack-lbaas06:45
*** lemko has joined #openstack-lbaas06:59
*** logan- has quit IRC07:09
*** logan_ has joined #openstack-lbaas07:10
*** logan_ is now known as logan-07:10
*** rcernin has quit IRC07:41
*** tesseract has joined #openstack-lbaas07:43
openstackgerritMerged openstack/octavia stable/stein: Accept oslopolicy-policy-generator path arguments
*** spatel has joined #openstack-lbaas08:50
*** spatel has quit IRC08:54
*** maciejjozefczyk has joined #openstack-lbaas09:03
openstackgerritMerged openstack/octavia stable/train: Accept oslopolicy-policy-generator path arguments
openstackgerritMerged openstack/octavia stable/rocky: Accept oslopolicy-policy-generator path arguments
*** rcernin has joined #openstack-lbaas09:14
*** tkajinam has quit IRC09:19
*** yamamoto has quit IRC09:49
*** rcernin has quit IRC09:53
*** salmankhan has joined #openstack-lbaas10:06
*** salmankhan1 has joined #openstack-lbaas10:22
*** salmankhan has quit IRC10:25
*** salmankhan1 is now known as salmankhan10:25
hkominosmorning all. A quick question about Octavia . is it possible to use it without having barbican installed (i.e. provide only a set of SSL certificates) ?10:40
zainub_wahidhkominos: yes!10:47
cgoncalveshkominos, morning. Aside from Barbican as certificate manager, Octavia also has support for Castellan ( and local. The local cert manager is *not* recommended for any sorts of deployments, just for internal testing.10:49
hkominoscgoncalves. Thx Is there any diagram or something which explains the use of SSL within barbican ? The documentation is a bit confusing11:12
hkominoswithin Octavia I mean11:12
cgoncalveshkominos, just to be clear, you're talking about the use-case of TLS-terminated listeners right?11:14
cgoncalvesaka TLS-terminated load balancers :)11:14
hkominosI am 99% sure that is what I am looking for.11:15
hkominosThe start of this issue is me trying to undertsand the following terminology (maybe tripleO)11:16
hkominos  OctaviaCaCert,  OctaviaCaKey,  OctaviaClientCert ,OctaviaCaKeyPassphrase:11:17
cgoncalvesoh, that. there's no Barbican involved whatsoever there11:17
hkominosI assumed that these are keys so my LB can communicate with the Octavia controllers11:18
cgoncalvesTripleO does not have documentation about that, sorry. OSP (Red Hat's commercial OpenStack offering) documents those parameters11:18
cgoncalvesfor reference, this is the upstream Octavia certificate guide:
hkominos!. I can start there11:19
openstackhkominos: Error: "." is not a valid command.11:19
cgoncalvesplease note that this documentation section in OSP is not much clear. there's work underway to improve it11:20
hkominosYes I saw that. My question is more like: What do these values represent exactly.11:20
hkominosCA certificate for whom to talk to whom ?11:20
cgoncalveshkominos, may I ask why do you want to bring your own certificates?11:20
cgoncalvesTripleO can handle that for you out of the box11:20
cgoncalvesthe certificate configuration guide provide good info on that11:21
*** yamamoto has joined #openstack-lbaas11:23
hkominosI think tripleo provides a self signed certificate.11:24
hkominosI needed a certificate from a CA11:24
hkominosfor business reasons. minimum of which is horizon working without having to accept a "risky" self -signed certificate11:25
cgoncalvesthe self-signed certificate provided by TripleO is exclusively used between the octavia controller services and amphorae11:25
*** yamamoto has quit IRC11:26
hkominosOk.So assume this must be done by OctaviaGenerateCerts:11:29
hkominosOr is this some other value ?11:29
cgoncalvessetting it to false disables the automatice certificate and key generation11:30
cgoncalvesso if you really have to due to e.g. business reasons, set it to false, yes11:30
hkominosBut true requires barbican to be installed right ?11:31
cgoncalvesBarbican is only required if you want to have TLS-terminated load balancers.11:32
*** yamamoto has joined #openstack-lbaas11:32
*** yamamoto has quit IRC11:32
cgoncalvesBarbican is used to store user secrets that are then consumed by Octavia to set up TLS-terminated load balancers11:33
cgoncalvesthis is an old spec and it has already been implemented. I believe this is not what you're looking for at this moment, though, but wanted to share for future reference11:35
hkominosok. But i will read it. Just to understand11:35
hkominoswhat might be happening behind the scenes11:35
hkominosthx for all the URls11:43
openstackgerritGregory Thiemonge proposed openstack/octavia master: DNM improving amphora boot time on Centos
*** zainub_wahid has quit IRC11:51
*** yamamoto has joined #openstack-lbaas11:54
*** yamamoto has quit IRC11:54
*** yamamoto has joined #openstack-lbaas11:55
*** yamamoto has quit IRC12:01
*** nicolasbock has joined #openstack-lbaas12:04
*** spatel has joined #openstack-lbaas12:48
*** spatel has quit IRC12:55
*** goldyfruit has joined #openstack-lbaas13:07
*** yamamoto has joined #openstack-lbaas13:14
rm_workhkominos: if you haven't figured it out yet, I can answer questions too13:29
rm_workhkominos: but it sounds like you are conflating two things:13:29
rm_work1. The set of certificates that Octavia uses as a service to do internal communications (what TripleO will provide out of the box)13:30
rm_work2. User certificates, used to create LoadBalancers that can terminate the user's TLS traffic (provided by the user, stored in Barbican)13:30
rm_workfor #1, self-signed is totally fine, because it will never be user facing -- and in fact, it will be VERY hard to get a real certificate that will work, because that needs to be *CA Signing* certificate, and almost no one is going to be willing to issue you one of those13:31
rm_workfor #2, you don't need to worry about that as a cloud provider -- that's a user-facing thing, they provide them and store them in Barbican13:32
rm_workif you don't have Barbican, you can disable TLS-Termination as an option in the config: [api_settings] allow_tls_terminated_listeners = False13:32
rm_workyou will still be able to deploy Octavia though, and it will function correctly13:33
*** maciejjozefczyk has quit IRC13:43
*** maciejjozefczyk has joined #openstack-lbaas13:45
*** TrevorV has joined #openstack-lbaas14:29
*** maciejjozefczyk_ has joined #openstack-lbaas14:36
*** dmellado has quit IRC14:36
*** ramishra has quit IRC14:37
*** dmellado has joined #openstack-lbaas14:39
*** maciejjozefczyk has quit IRC14:39
openstackgerritGregory Thiemonge proposed openstack/octavia master: DNM improving amphora boot time on Centos
openstackgerritCarlos Goncalves proposed openstack/octavia-tempest-plugin master: DNM: CentOS 8 controller and amphora job
*** spatel has joined #openstack-lbaas15:29
*** spatel has quit IRC15:41
*** baffle has quit IRC15:54
*** yamamoto has quit IRC15:55
*** yamamoto has joined #openstack-lbaas15:56
*** yamamoto has quit IRC16:01
*** tesseract has quit IRC16:53
*** openstackgerrit has quit IRC17:29
*** sapd1 has quit IRC17:34
*** lemko has quit IRC18:48
*** gcheresh has joined #openstack-lbaas19:13
*** maciejjozefczyk_ has quit IRC19:41
*** nicolasbock has quit IRC19:43
*** gcheresh has quit IRC19:50
*** salmankhan has quit IRC20:00
*** gmann is now known as gmann_afk20:13
*** salmankhan has joined #openstack-lbaas20:20
*** salmankhan has quit IRC20:40
*** yamamoto has joined #openstack-lbaas20:40
*** yamamoto has quit IRC20:44
*** gcheresh has joined #openstack-lbaas20:50
*** TrevorV has quit IRC20:58
*** gcheresh has quit IRC21:09
*** logan- has quit IRC22:04
*** logan- has joined #openstack-lbaas22:06
*** KeithMnemonic1 has joined #openstack-lbaas22:15
*** KeithMnemonic has quit IRC22:19
*** pcaruana has quit IRC22:48
*** openstackgerrit has joined #openstack-lbaas23:11
openstackgerritAdam Harwell proposed openstack/octavia-lib master: Missed some flavor references in the AZ methods
*** KeithMnemonic1 has quit IRC23:19
*** yamamoto has joined #openstack-lbaas23:55

Generated by 2.15.3 by Marius Gedminas - find it at!