Tuesday, 2021-08-10

opendevreviewCarlos Gonçalves proposed openstack/octavia stable/victoria: Fix race conditions between API and worker DB calls  https://review.opendev.org/c/openstack/octavia/+/79825608:45
opendevreviewMerged openstack/octavia-dashboard stable/victoria: Change the Octavia Barbican namespace  https://review.opendev.org/c/openstack/octavia-dashboard/+/80064008:57
opendevreviewMerged openstack/octavia-dashboard stable/ussuri: Change the Octavia Barbican namespace  https://review.opendev.org/c/openstack/octavia-dashboard/+/80064108:57
opendevreviewMerged openstack/octavia-dashboard stable/wallaby: Change the Octavia Barbican namespace  https://review.opendev.org/c/openstack/octavia-dashboard/+/80063908:57
opendevreviewMerged openstack/octavia-dashboard stable/train: Change the Octavia Barbican namespace  https://review.opendev.org/c/openstack/octavia-dashboard/+/80064208:57
opendevreviewMerged openstack/octavia-dashboard master: Fix deleting multiple resources  https://review.opendev.org/c/openstack/octavia-dashboard/+/78488008:57
opendevreviewMerged openstack/octavia-dashboard stable/victoria: Imported Translations from Zanata  https://review.opendev.org/c/openstack/octavia-dashboard/+/79941208:57
opendevreviewMerged openstack/octavia-dashboard master: Remove unicode to adapt to python3  https://review.opendev.org/c/openstack/octavia-dashboard/+/76905708:57
*** njohnston_ is now known as njohnston17:58
rm_workjohnsom do you remember, do https health checks just use insecure mode or do they check certificates somehow? If you've got a listener doing https passthrough and try to do a health monitor on https ... 20:17
rm_workI seem to recall maybe the health check template ignoring certs?20:18
johnsomrm_work So, there are TLS-HELLO checks that ignore the cert. But if you have configured a CA for backend re-encrypt the health check will use it.20:19
rm_workAh yeah ok20:20
rm_workBut if there's no decrypt20:20
rm_workThe Listener won't have any certs20:20
rm_workSo does that mean https checks just aren't valid?20:20
johnsomIf you do a HTTPS but don't load a CA, it will not validate the cert (If I remember right, would need to look in the template to make sure)20:21
johnsomThe CA would be on the pool for the backend health check.20:21
rm_workHmm no template looks like I remember it20:22
johnsomYeah, so HTTPS with no CA on the pool, will TLS connect but not verify the cert. HTTPS with a CA on the pool, it will verify the cert.20:23
rm_workI don't see that20:23
rm_workTrying to link but internet being wonky20:23
johnsomThose darn networking people20:23
johnsomsplit listeners is deprecated20:25
rm_workbah lol20:26
rm_worki always forget which one is the main one20:26
rm_workis it different tho?20:26
johnsomI have to stop and think about it too20:26
rm_workit is not different20:26
johnsomI sent the jinja in the pastebin and the first link20:27
rm_workok but none of that is on the monitor opts?20:28
johnsomRight, they follow the pool config20:29
rm_worknot sure I follow that lol20:30
rm_workmonitor ssl opts are just overrides?20:31
rm_workbut wouldn't the code I linked ALWAYS be on there? and thus always ignore certs for monitors?20:31
johnsomThe HTTP health checks, by default, will follow the pool (backend) configuration settings for TLS20:31
rm_workso how do they avoid that `monitor_ssl_opt` being added?20:31
rm_workit looks like it will be added regardless20:32
rm_workand no matter how the pool is configured, once `check-ssl verify none` is on there... it's not verifying20:32
johnsomHmm, you have a point20:32
johnsomYeah, that is a bug IMO20:34

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!