13:00:36 <redrobot> #startmeeting barbican
13:00:37 <openstack> Meeting started Tue Feb 12 13:00:36 2019 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:38 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:00:40 <openstack> The meeting name has been set to 'barbican'
13:01:52 <redrobot> #topic Roll Call
13:02:04 <redrobot> Courtesy ping for ade_lee hrybacki jamespage Luzi lxkong moguimar raildo rm_work xek
13:02:14 <Luzi> o/
13:02:14 <moguimar> o/
13:02:31 <redrobot> Good morning y'all!
13:02:52 <redrobot> As usual our agenda can be found here:
13:02:58 <graeb> o/
13:03:01 <redrobot> #link https://etherpad.openstack.org/p/barbican-weekly-meeting
13:03:08 <rm_work> OMG o/
13:03:11 <rm_work> Hi
13:03:55 <graeb> Hello
13:04:04 <redrobot> rm_work, you made it!!!
13:04:22 <rm_work> yes I'm still awake somehow 😑
13:04:39 <redrobot> #topic Review Past Meeting Action Items
13:05:22 <redrobot> #link http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-02-05-13.00.html
13:05:43 <redrobot> rm_work, yikes!  Well, I'm glad to have you here. 😬
13:05:57 <redrobot> ok, let's see about these action items
13:06:34 <redrobot> First one:
13:06:36 <redrobot> redrobot to add a story to fix functional tests to be run in parallel
13:07:39 <redrobot> I did do this
13:07:42 <redrobot> #link https://storyboard.openstack.org/#!/story/2004915
13:07:48 <redrobot> I added it as a task to the gates story
13:08:02 <rm_work> Success! Now to do the actual work :D
13:08:16 <redrobot> I was talking to ade_lee_ about it, and he was suggesting that each test needs to create its own project
13:08:25 <redrobot> which makes sense
13:08:29 <redrobot> rm_work, exactly!
13:08:47 <redrobot> next one:
13:08:49 <redrobot> redrobot to check with ade_lee about adding Vault features to Barbican for Rocky
13:08:49 <rm_work> You can also just clean up better, or account for other objects existing
13:09:04 <rm_work> We have some examples of this in the Octavia tempest tests
13:09:10 <rm_work> Not sure which is easier
13:09:11 <redrobot> I did not do this.  My bad 😔
13:09:21 <redrobot> rm_work, problem is quota tests that are counting # of secrets
13:09:28 <rm_work> Maybe in functional tests, making new projects is trivial
13:09:30 <redrobot> rm_work, obvs doesn't work when run in parallel
13:09:44 <rm_work> Yeah you do need multiple, we use two
13:09:47 <redrobot> yeah, this is for functional tests
13:09:57 <rm_work> When you say functionalll
13:10:47 <rm_work> Does that mean tempest? Against a real backend? Or is it still a fake in-memory thing
13:11:21 <redrobot> rm_work, not tempest.  The functional tests in the barbican server that run on every gate
13:11:33 <redrobot> including simple crypto, kmip, and hopefully soon softhsm
13:12:08 <rm_work> Yeah but do you spin up a real API or is it just a pecan-test-scaffold thing?
13:12:20 <redrobot> it's a real api
13:12:27 <rm_work> I forget how yours work but I seem to recall them being more heavyweight than oura
13:12:35 <redrobot> so keystone is available for us to create projects on the fly
13:12:36 <rm_work> *our Octavia functionals
13:12:40 <rm_work> Hmm k
13:13:08 <rm_work> Well whatever, this is kinda a pointless discussion, whoever does it can do whichever option they want :D
13:13:16 <redrobot> back to the second action item that I did not do
13:13:34 <redrobot> I think that the safe call is to make new Vault stuff for Train
13:13:41 <redrobot> but I'll check with ade_lee_ for sure
13:13:55 <redrobot> #action redrobot to check with ade_lee about adding Vault features to Barbican for Rocky (1)
13:14:08 <rm_work> Wait, so ditch the existing vault driver?
13:14:09 <redrobot> the (1) is for me to keep track of how many times I kick these things
13:14:36 <redrobot> rm_work, no, I can't recall exactly what was needed, but it's an enhancement to the Vault driver
13:14:40 <redrobot> new features if you will
13:14:49 <rm_work> Ah k
13:15:25 * redrobot has not had his coffee yet
13:15:32 <redrobot> ok, moving on
13:15:37 <redrobot> next action item
13:15:50 <redrobot> redrobot to check with ade_lee about releasing Castellan
13:15:53 <redrobot> I did do this
13:16:09 <redrobot> but I'm not sure if ade_lee_ got a chance to talk to the oslo folks about it
13:16:27 <redrobot> so I'll ping him again about it
13:16:33 <redrobot> #action redrobot to check with ade_lee about releasing Castellan (1)
13:16:42 <moguimar> redrobot: I can do that
13:16:54 <redrobot> awesome, thanks moguimar
13:17:06 <moguimar> bnemec was talking about releases in our last Oslo meeting
13:17:35 <redrobot> gotcha
13:17:40 <redrobot> #undo
13:17:41 <openstack> Removing item from minutes: #action redrobot to check with ade_lee about releasing Castellan (1)
13:17:42 <moguimar> email me what you need and I'll bring it up with them
13:17:54 <redrobot> #action moguimar to check with oslo team about releasing Castellan
13:18:04 <redrobot> moguimar, sounds good
13:18:38 <redrobot> ok, moving on
13:18:54 <redrobot> We don't have any topics on the agenda
13:19:00 <redrobot> so we'll have to play it by ear
13:19:06 <redrobot> anything y'all want to talk about?
13:19:43 <graeb> I wrote a Barbican patch for https://storyboard.openstack.org/#!/story/2004833
13:19:49 <graeb> It is for review.
13:19:56 <redrobot> #topic Reviews
13:20:05 <redrobot> graeb, awesome, do you want to post a link to the patch?
13:20:16 <graeb> #link https://review.openstack.org/#/c/635736/
13:20:17 <rm_work> I'm contemplating finishing the work I started four years ago and doing secret consumers XD
13:20:34 <redrobot> rm_work, heh... go for it!
13:20:59 <rm_work> But probably it wouldn't be supported by castellan sooooo
13:21:02 <redrobot> That definitely sounds like a Train feature tho
13:21:06 <rm_work> Maybe no point
13:21:28 <rm_work> Since Octavia migrated to using the castellan interface to speak barbican
13:21:50 <redrobot> Interesting
13:22:12 <redrobot> How does an octavia user upload a cert when the Castellan backend is not Barbican?
13:22:14 <rm_work> Now we store a single secret that is a pkcs12 bundle, so
13:22:25 <rm_work> It's up to the operator
13:22:29 <redrobot> Ah
13:22:36 <rm_work> At GD they had a custom API/UI
13:23:00 <rm_work> And it would spit out a path that worked to retrive, so
13:23:07 <redrobot> so reimplemented barbican?
13:23:09 <rm_work> *retrieve
13:23:11 <rm_work> Lol yes
13:23:18 <rm_work> Because they're dumb
13:23:21 <redrobot> lol
13:23:21 <rm_work> I yelled at them
13:23:27 <rm_work> And no longer work there
13:23:30 <rm_work> So ...
13:23:36 <redrobot> heh
13:23:37 * rm_work shrugs
13:24:08 <rm_work> Point being, it is actually kinda reasonable
13:24:17 <rm_work> Places have their own vault storage for example
13:24:26 <rm_work> Already implemented outside of openstack
13:24:42 <redrobot> graeb, added to my review queue
13:24:49 <rm_work> So as long as permissions are right and paths are configured sanely... It works
13:25:10 <redrobot> sure...  though I'm still a fan of deploying Barbican->Vault
13:25:13 <rm_work> Or it should in theory, I haven't really seen a successful full implementation in the wild yet
13:25:17 <rm_work> Yes same
13:25:24 <graeb> redrobot, nice! :)
13:25:26 <redrobot> for obvious reasons 😜
13:25:29 <rm_work> Multitenancy and openstack auth ftw
13:26:18 <redrobot> Any other reviews that need to be mentioned?
13:26:21 <redrobot> Or other topics?
13:28:26 <rm_work> Apparently not? Or I bet 😉
13:28:31 <rm_work> *or I netsplit
13:30:57 <redrobot> I'm gonna go with we're out of topics
13:31:05 <redrobot> thanks for coming, everyone!
13:31:17 <redrobot> especially rm_work! 😘
13:31:45 <redrobot> see y'all next time!
13:31:46 <rm_work> 🤣
13:31:56 <redrobot> #endmeeting