13:00:24 <redrobot> #startmeeting barbican
13:00:25 <openstack> Meeting started Tue Aug 20 13:00:24 2019 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:26 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:00:28 <openstack> The meeting name has been set to 'barbican'
13:00:33 <redrobot> #topic Roll Call
13:00:41 <redrobot> Courtesy ping for ade_lee hrybacki jamespage Luzi lxkong moguimar raildo rm_work xek
13:01:08 <redrobot> As usual our agenda can be found here:
13:01:19 <redrobot> #link https://etherpad.openstack.org/p/barbican-weekly-meeting
13:01:30 <moguimar> o/
13:02:04 <mhen> o/
13:02:49 <redrobot> Hi y'all!
13:03:04 <redrobot> Looks like we're a bit light on attendance.
13:03:14 <redrobot> But that's OK, because y'all are awesome! :D
13:03:17 <redrobot> #topic Review Past Meeting Action Items
13:03:17 <rm_work> o/ just back from vacation
13:03:31 <redrobot> #link http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-08-13-13.01.html
13:03:34 <redrobot> rm_work, welcome back!
13:03:40 <redrobot> Let's see:
13:03:45 <redrobot> First action item:
13:03:58 <redrobot> redrobot to document the feature gap between python-barbicanclient and openstacksdk (2)
13:04:02 <redrobot> I did not do this :(
13:04:09 <redrobot> so let's punt it for another week!
13:04:16 <redrobot> #action redrobot to document the feature gap between python-barbicanclient and openstacksdk (3)
13:04:31 <redrobot> OK, moving on
13:04:41 <redrobot> #topic Liaison Updates
13:04:49 <redrobot> moguimar, anything from Osloland?
13:04:51 <moguimar> nope
13:05:04 <moguimar> Osloland is quite quiet as well
13:05:23 <redrobot> moguimar, cool.  Thanks for the tongue twister update ;)
13:05:53 <redrobot> I don't have anything on the agenda ...
13:05:59 <redrobot> Any important dates coming up?
13:06:01 <moguimar> secret consumers review? =D
13:06:05 * redrobot looks at release calendar
13:06:22 <redrobot> #topic Secret Consumers update
13:06:28 <moguimar> #link https://review.opendev.org/#/c/674302/
13:06:37 <moguimar> I think the model is finished
13:06:57 <moguimar> I'm working on the repositories.py classes
13:07:07 <moguimar> then all the way up
13:07:09 <redrobot> Nice.  Good job so far, moguimar!
13:07:30 <moguimar> I am just not sure about the project_id field
13:08:17 <moguimar> also, in the secrets model, I see that other orms have a cascade="all, delete-orphan"
13:08:56 <moguimar> that's not the behavior in ContainerConsumers, so which one is the best to follow?
13:09:19 * redrobot does not have any answers right now ... still waiting for coffee to kick in ...
13:10:37 <redrobot> Did you put those Qs in the review?
13:10:44 <redrobot> I'll definitely get to it today for reals
13:11:03 <moguimar> I'll drop them there
13:11:54 <redrobot> Sweet.
13:13:11 <redrobot> Anything else on this topic?
13:14:05 <moguimar> not for now
13:14:23 <redrobot> Cool beans.
13:14:25 <redrobot> moving on
13:14:29 <redrobot> #topic Open Discussion
13:14:46 <rm_work> I should probably look at that
13:15:10 <redrobot> rm_work++
13:15:46 <rm_work> Ah hmm maybe have something for discussion
13:15:57 <rm_work> Ran into a problem recently
13:16:00 <redrobot> what's up?
13:16:03 <rm_work> Looking for thoughts
13:16:56 <rm_work> So in the Octavia horizon dashboard, we have a selector for certificates from Barbican for TLS terminated listeners
13:17:19 <rm_work> Previously we showed all containers of the certificates type
13:17:25 <rm_work> Which worked well
13:17:39 <rm_work> Now that we use secrets ... And they don't have types...
13:18:00 <redrobot> > they don't have types
13:18:00 <redrobot> ?
13:18:07 <rm_work> We're left with "show all secrets and let our API validate"
13:18:36 <rm_work> Which is less awesome but I can't think of a better way to do it? But it means we have to just show an entire secret list for the user in that UI
13:18:58 <rm_work> There's no way just from the secret list to see which ones contain a pkcs12 bundle
13:19:05 <rm_work> Secrets are just... Secrets
13:19:24 <rm_work> There's no "certificate typed secret"
13:19:27 <rm_work> Right?
13:20:08 <mhen> #link https://docs.openstack.org/barbican/latest/api/reference/secret_types.html
13:20:14 <moguimar> I saw a container for certificates
13:20:20 <moguimar> but secrets seem to be generic
13:20:33 <redrobot> what mhen said
13:20:36 <mhen> there's a "certificate" type, but that's just metadata
13:20:36 <redrobot> Secrets all have a type
13:20:43 <redrobot> if you don't specify it, then type=opaque
13:20:53 <mhen> i.e. it is not validate in any form by Barbican iirc
13:20:57 <mhen> *validated
13:21:02 <moguimar> according to the docs, secrets can be whatever you want
13:21:04 <redrobot> right, not validated, but it could be used to filter results
13:21:27 <rm_work> So we could tell the user to specify that when they create their secret I guess
13:21:28 <mhen> and as redrobot said, it's not automatically set
13:21:37 <rm_work> But it's definitely not automatic
13:21:59 <redrobot> right, rm_work.  Not automatic.
13:22:07 <rm_work> And I foresee a 100% chance of a support request increase because people's stuff isn't showing up
13:22:08 <redrobot> We talked about adding validations many moons ago.
13:22:13 <redrobot> hehe
13:22:18 <rm_work> Well I don't see how you can
13:22:36 <rm_work> Since you even support end to end encryption of the payload to the store
13:22:53 <rm_work> So Barbican couldn't even see the secret in that case
13:22:56 <mhen> redrobot, out of interest, what was the consensus on that?
13:23:24 <redrobot> rm_work, could be client-side validation ... which is not helpful if you're going straight to API, but the CLI could do it.
13:23:31 <rm_work> :/
13:23:56 <redrobot> mhen, it was a "good idea" that never got anywhere...  It was back in my Rackspace days, so it's been a while.
13:24:08 <mhen> redrobot, I see thanks
13:24:22 <rm_work> Ok, so what do you think? If we change the UI to show secrets with type certificate, and add a doc line that says "make sure to type it as a certificate!" ...
13:24:39 <rm_work> I feel like that's going to be a headache
13:24:51 <rm_work> Is that mutable?
13:25:07 <rm_work> Can people fix existing secrets that don't have that set correctly?
13:25:15 <redrobot> I'm not sure it is ... but maybe it should be
13:25:24 <redrobot> I'd have to go test it out.
13:25:42 <rm_work> K.
13:25:47 <redrobot> What's the current guidance for uploading stuff?
13:25:55 <redrobot> Use the cli?  Octavia-horizon?
13:26:26 <rm_work> Thanks for the info I guess, I actually didn't think secrets had any type at all, even an unenforced metadata field
13:26:35 <rm_work> Cli or api
13:26:49 <rm_work> Since there's no Barbican horizon dashboard? I think?
13:26:54 <rm_work> Or is there?
13:27:11 <redrobot> Nope ... no barbican-ui yet ...
13:27:15 <rm_work> Right now our docs have cli examples
13:27:26 <rm_work> :( feels like that would help with adoption
13:27:32 <mhen> are there any plans for a Barbican dashboard?
13:27:39 <rm_work> IMO that should probably be a priority
13:27:51 <redrobot> mhen, I've heard a couple of folks ask for it, but no one is committed to make it happen.
13:27:59 <redrobot> rm_work++
13:28:04 <rm_work> I'd help if I knew web at all
13:28:07 <rm_work> :/
13:28:14 <redrobot> I can look into getting some time to get at least a POC going
13:28:27 <rm_work> Right now I can't even change basic variables in our own UI :(
13:28:28 <redrobot> #action redrobot to ask boss for some time to get a barbican-ui POC
13:28:46 <rm_work> None of that shit makes sense
13:28:52 <rm_work> I hate frontend so much
13:29:07 <redrobot> Haha
13:29:22 <rm_work> Everything is just magic
13:29:30 <redrobot> It's been a long while since I've done front end dev.
13:29:48 <rm_work> You can't ever follow an entrypoint through to the end
13:30:47 <redrobot> rm_work, http://dmend.github.io/speaking/django_zero_to_hero/peter_css.gif
13:30:57 <rm_work> It's just all over the place via magic fairies and who knows how you got to that function or what code will run next <_<
13:31:07 <rm_work> Thanks, will check that out
13:31:19 <redrobot> rm_work, it's just an image to make you lol. :-P
13:31:55 <rm_work> Yeah but I figure it comes from a talk? :D
13:32:08 <rm_work> Based on the URL
13:32:18 <redrobot> Heh, yeah, old Django talk I did for PyTexas
13:32:21 <redrobot> a few years back
13:32:44 <rm_work> Still useful?
13:33:05 <rm_work> Few years ago in frontend means none of that tech is used anymore right?
13:33:07 <redrobot> rm_work, possibly?  The Django tutorial in the official docs is pretty solid
13:33:15 <redrobot> would recommend that over my talk.
13:33:26 <rm_work> lol k
13:33:31 <redrobot> rm_work, correct. :)
13:33:50 <redrobot> rm_work, definitely want to get your cert stuff sorted out tho
13:34:14 <redrobot> rm_work, I'll check out the Octavia docs and see if I can send y'all a patch that uses the secret types
13:34:14 <rm_work> Yeah I'll prolly try to go with showing cert type secrets
13:34:32 <rm_work> It's just our dashboard
13:34:32 <redrobot> #action redrobot to review octavia's how-to for uploading certs
13:34:58 <rm_work> But yeah updating the docs to set that would be good
13:35:27 <redrobot> then we'll just have to figure out if the secret type can be changed after-the-fact
13:35:40 <redrobot> #action redrobot to check if secret types can be changed after upload
13:35:49 * redrobot needs to learn how to delegate
13:36:56 <redrobot> rm_work, ok, so for now, I'll check out your docs, and also look into whether the secret type can be checked
13:37:10 <redrobot> rm_work, seem like a reasonable start?
13:38:28 <rm_work> Yeah
13:38:46 <redrobot> cool deal
13:38:51 <rm_work> I'll poke at our UI guy and see if he has time to do the change in the UI side
13:38:56 <redrobot> any other topics we should talk about while we're here?
13:39:00 <rm_work> Or else I've got some tutorials in my future
13:39:15 <redrobot> rm_work, 😂
13:40:16 <redrobot> Okay ...  I think we're done for the day then.
13:40:20 <redrobot> Thanks everyone for coming!
13:40:25 <redrobot> #endmeeting