13:00:17 <redrobot> #startmeeting barbican
13:00:18 <openstack> Meeting started Tue May 11 13:00:17 2021 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:19 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:00:21 <openstack> The meeting name has been set to 'barbican'
13:00:26 <redrobot> #topic Roll Call
13:01:03 <redrobot> Courtesy ping for ade_lee dave-mccowan hrybacki jamespage Luzi lxkong mhen moguimar raildo rm_work tosky xek nearyo oleksandry
13:01:16 <redrobot> As usual the agenda can be found here:
13:01:17 <redrobot> #link https://etherpad.opendev.org/p/barbican-weekly-meeting
13:01:21 <Luzi> o/
13:01:26 <redrobot> Hi Luzi
13:01:46 <Luzi> hi redrobot
13:02:21 <moguimar> o/
13:02:35 <redrobot> Hi moguimar!
13:03:21 <tosky> hi
13:03:46 <redrobot> Hi tosky!
13:03:49 <redrobot> Let's get started
13:03:55 <redrobot> #topic LIaison Updates
13:04:07 <redrobot> moguimar? tosky?
13:04:08 <moguimar> I missed the oslo meeting yesterday
13:04:11 <moguimar> no updates
13:04:27 <redrobot> no worries, moguimar
13:06:19 <redrobot> tosky must be multitasking ... let's move on to the next topic
13:06:21 <tosky> nothing special (just a tiny patch)
13:06:34 <tosky> but yeah, #nexttopic :)
13:06:38 <redrobot> ack, we'll get to it during Wayward Reviews
13:06:47 <redrobot> #topic Kanban Review
13:06:54 <moguimar> no progress on hvac
13:06:56 <redrobot> #link https://tree.taiga.io/project/dmend-openstack-barbican/kanban
13:08:22 <redrobot> OK, just added card #16 to track the fix to the Vault backend encoding issue
13:08:36 <redrobot> moguimar any updates on your end?
13:11:01 <moguimar> nope
13:11:09 <redrobot> OK, moving on
13:11:18 <redrobot> #topic Bug Review
13:11:24 <redrobot> #link https://storyboard.openstack.org/#!/project_group/barbican
13:11:29 <redrobot> looks like no new barbican stories
13:11:41 <redrobot> #link https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=0
13:11:50 <redrobot> And no new Catellan bugs
13:12:00 <redrobot> #link https://bugs.launchpad.net/cursive/+bugs?orderby=-id&start=0
13:12:04 <redrobot> and no new Cursive bugs
13:12:17 <redrobot> #topic Wayward Reviews
13:12:25 <redrobot> #link https://tinyurl.com/y3zto3ad
13:13:08 <redrobot> moguimar easy one: https://review.opendev.org/c/openstack/barbican/+/787916
13:14:38 <moguimar> easy indeed
13:18:41 <redrobot> I'm not sure about this one: https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/787046
13:18:57 <redrobot> Channeling my inner Zen of Python: "Explicit is better than implicit"
13:19:13 <redrobot> seems like spelling out py36 and py38 would be better than a floating py3 that would run whatever 3.x is available.
13:20:13 <moguimar> ah, I heard about this one
13:20:18 <moguimar> is a governance thing
13:20:35 <moguimar> projects should move to py3 and have the specific version determined by the CI jobs
13:23:49 <redrobot> Hmm...
13:23:54 <redrobot> I'll need to dig into it further
13:23:59 <redrobot> because I don't like it. :-P
13:24:27 <moguimar> yeah
13:24:38 <moguimar> I'd like to see a link to a thread in the ML
13:25:10 <redrobot> Right... it looks like tosky doesn't like it either on that python-barbicanclient patch. :)
13:27:06 <tosky> yeah, and I don't like even more those massive changes sent without any coordination or announcement (or prior agreement)
13:27:17 <redrobot> tosky++
13:27:42 <redrobot> I'm gonna go ahead and reject all those patches
13:29:42 <redrobot> moguimar another easy one: https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/788851
13:30:25 <moguimar> done
13:31:30 <tosky> the patch I mentioned before is https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/790237
13:34:01 <rajivmucheli> Hi, do the below links assist in:
13:34:02 <rajivmucheli> 1. Vault as backend for Barbican :
13:34:02 <rajivmucheli> https://docs.openstack.org/barbican/latest/install/barbican-backend.html#vault-plugin
13:34:03 <rajivmucheli> 2. Barbican as backend for Vault :
13:34:03 <rajivmucheli> https://docs.openstack.org/security-guide/secrets-management/barbican.html#vault-plugin
13:37:39 <redrobot> hi rajivmucheli
13:38:18 <redrobot> tosky looking ... your patch is small, but I'm having to look into tempest clients to understand it. 😅
13:39:55 <redrobot> rajivmucheli #1 is correct,  Hashicorp Vault can be used as a backend for Barbican (although there's a huge bug in orders that I'm fixing)
13:40:15 <redrobot> rajivmucheli #2 is incorrect.  I don't think Barbican can be used as a backend to Vault
13:41:02 <tosky> redrobot: it's a follow-up of an older patch (not sure why I didn't catch it back then)
13:41:23 <redrobot> tosky cool, I'll finish reviewing it after the meeting
13:41:29 <redrobot> #topic Open Discussion
13:41:36 <redrobot> Anything else y'all want to talk about?
13:42:43 <rajivmucheli> thanks redrobot, are there any plugins or scope to configure Barbican as backend for Vault ?
13:43:23 <redrobot> rajivmucheli not here, we don't do any Vault development.   You would have to ask the Vault developers.
13:43:56 <rajivmucheli> oops ok,
13:44:32 <rajivmucheli> another question, i was configuring octavia listener to use a barbican secret
13:45:02 <rajivmucheli> why does barbican validate if its a secret or secret container ?
13:45:36 <rajivmucheli> https://github.com/openstack/octavia/blob/master/doc/source/user/guides/basic-cookbook.rst#deploy-a-tls-terminated-https-load-balancer
13:45:56 <rajivmucheli> when i execute this command `openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container=$(openstack secret list | awk '/ tls_secret1 / {print $2}') lb1`
13:46:01 <redrobot> I think the first implementation in Octavia used a secret-container for the different parts (key, cert)
13:46:32 <redrobot> But then they changed to a single secret in pkcs#7 format which includes both key and cert in a single file.
13:46:45 <rajivmucheli> i receive a HTTP 404 from container secret, which is correct since its a secret not secret container. i was wondering why the secret container check takes place
13:46:56 <johnsom> Right, we still support containers for backward compatibility, but have migrated to using pkcs12 bundles
13:47:15 <redrobot> Oops, pkcs12 not pkcs7
13:47:26 <johnsom> Grin
13:47:42 <rajivmucheli> yes, its pkcs12,
13:47:47 <rajivmucheli> the doc explains `Combine the individual cert/key/intermediates to single PKCS12 files`
13:48:14 <openstackgerrit> Merged openstack/barbican master: setup.cfg: Replace dashes with underscores  https://review.opendev.org/c/openstack/barbican/+/787916
13:49:45 <redrobot> Maybe you need a different flag instead of --default-tls-container?
13:49:52 <johnsom> Nope
13:50:49 <johnsom> Server side automatically checks both. Are you getting an errror?
13:51:04 <johnsom> Or just seeing a log entry?
13:55:15 <rajivmucheli> its just a log entry showing http 404 from barbican-api, the listener is created though
13:56:38 <johnsom> Yeah, that is just the backward compatibility layer working.
13:57:25 <redrobot> "It's a feature, not a bug"™
13:57:51 <redrobot> 😎
13:58:01 <redrobot> Alrighty, we're almost out of time.
13:58:06 <redrobot> Thanks for joining, everyone!
13:58:13 <redrobot> #endmeeting