12:00:52 <xek> #startmeeting barbican
12:00:52 <opendevmeet> Meeting started Tue Oct  3 12:00:52 2023 UTC and is due to finish in 60 minutes.  The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:00:52 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:00:52 <opendevmeet> The meeting name has been set to 'barbican'
12:01:05 <xek> #topic Roll Call
12:01:15 <xek> Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar
12:01:32 <rajiv> hi
12:02:00 <mharley> o/
12:02:35 <rajiv> do we have the weekly meeting today ?
12:03:01 <lpiwowar> o/
12:04:00 <xek> morning :)
12:04:17 <xek> @rajiv yep, it has just started
12:04:29 <rajiv> yo!
12:04:29 <xek> As usual our agenda can be found here:
12:04:36 <xek> #link https://etherpad.openstack.org/p/barbican-weekly-meeting
12:04:42 <xek> Just the usual items today
12:04:51 <xek> #topic Review Past Meeting Action Items
12:05:11 <xek> #link https://meetings.opendev.org/meetings/barbican/2023/barbican.2023-09-05-12.00.html
12:05:36 <xek> There was a patch fixing the python-barbicanclient gate, which is already merged
12:06:31 <xek> #link https://review.opendev.org/c/openstack/python-barbicanclient/+/894738
12:07:05 <xek> #topic Liaison Updates
12:07:15 <xek> It's the final week of Bobcat
12:07:50 <dmendiza[m]> 🙋
12:08:00 <dmendiza[m]> Welcome back, Grzegorz Grasza !
12:08:27 <xek> Morning @dmendiza :)
12:08:35 <xek> During my PTO secret consumers were reverted in castellan bobcat https://review.opendev.org/q/topic:revert-castellan-bobcat
12:09:11 <xek> as it broke services requirements cross-job
12:09:56 <xek> Not much we can do at this point, but the changes are still on the main branch, so they're scheduled to go in in the next cycle
12:10:55 <xek> That's all from me
12:12:22 <xek> @lpiwowar any updates from QA?
12:12:22 <lpiwowar> From the QE side I do not have any updates
12:12:53 <lpiwowar> But if there is something urgent you need me to take a look at. I will do so:)
12:13:28 <xek> @lpiwowar ack, thanks!
12:13:44 <xek> #topic Open Discussion
12:13:57 <rajiv> Hey, i have 3 questions.
12:14:11 <rajiv> 1. Can we upgrade from Zed to Bobcat directly now ?
12:14:53 <xek> Barbican didn't have any breaking changes in Bobcat, so it should be fine
12:15:10 <rajiv> cool!
12:15:43 <rajiv> 2. is there a fix for CVE-2023-1636 ? the associated articles don't provide a fix yet
12:17:05 <xek> This CVE is related to how Barbican is deployed, presumably in TripleO
12:18:19 <rajiv> okay, i have a custom policy file with custom roles, which means i am not impacted ? will there be any details updated in the associated CVE links ?
12:18:42 <rajiv> my barbican setup in production runs on kubernetes
12:18:49 <xek> There are some details here: https://access.redhat.com/security/cve/cve-2023-1636
12:19:16 <xek> if you are running in kubernetes this CVE doesn't apply to you
12:20:23 <rajiv> yes i was referring to this article but wasn't sure. Thanks for confirming.
12:20:35 <rajiv> 3. Any update on bug request : https://bugs.launchpad.net/barbican/+bug/2036506
12:20:39 <xek> the main issue in TripleO is that the host network namespace is shared with the host and between containers
12:21:31 <rajiv> ack
12:22:43 <xek> I don't have any updates on the above bug
12:23:34 <xek> @dmendiza is it on your radar?
12:25:09 <dmendiza[m]> I saw the report but haven't looked into it
12:25:44 <rajiv> i have QA device if we wish to troubleshoot!
12:26:30 <rajiv> also, i am running barbican on FIPS mode, docu says it's not supported. Should i raise a bug request ?
12:26:59 <xek> yeah, we'll probably need it to test that any fix is compatible with both versions
12:27:15 <rajiv> i approached Thales if they could push a commit but they denied to associate.
12:27:36 <rajiv> I also found SoftHSM also doesn't support CKM_AES_CBC_PAD wrapping mechanism, more details are provided here :
12:27:41 <rajiv> https://github.com/opendnssec/SoftHSMv2/issues/405
12:27:49 <rajiv> https://github.com/opendnssec/SoftHSMv2/issues/229
12:28:20 <rajiv> thanks, how do we plan to fix this ? is there a project workflow i need to setup ?
12:28:27 <xek> @rajiv I think the documentation says it's not supported, since we don't have a voting set of tests for FIPS
12:30:11 <rajiv> okay, i can write few tests, but how can barbican test if FIPS mode is ON ? there isn't any API or DB to check right ?
12:30:14 <xek> Next step is to submit a patch, but I can't make any estimate on when and who could create one
12:31:06 <rajiv> apart p11 plugin enabled, or few changes seen in the kek_data table to confirm, know ?
12:31:12 <xek> There were some tests using a centos image with fips enabled
12:31:21 <xek> Those were running the usual functional test
12:31:31 <xek> ade_lee was working on that
12:32:25 <rajiv> i see, but i don't see any now, talking about tests, there isn't any here right ? https://github.com/openstack/barbican-tempest-plugin
12:33:59 <xek> yeah, I don't see this either, those would show up as a separate job in the review board
12:34:39 <dmendiza[m]> RE: Luna in FIPS mode, I'm not sure it's been tested in a long time.
12:34:57 <xek> but I suppose we could update the documentation with any pointers to how to run in fips, with a note that it's not currently tested in CI
12:35:09 <rajiv> okay, do i follow up bi-weekly for Thales patch ? or how do you recommend ?
12:35:31 <dmendiza[m]> rajiv If you want to work on a patch we can review it when you have it ready
12:35:57 <dmendiza[m]> RE: test, there are no HSM specific tests, we basically just run the same tests against a Barbican deployment that has an HSM
12:36:05 <dmendiza[m]> the tests should work regardless of backend
12:36:15 <rajiv> i am unsure on how or where to start, any hints is highly appreciated ?
12:36:24 <dmendiza[m]> the reason we don't test at the gate is because we don't have public access to an HSM that can be used on every patch that is submitted to barbican.
12:36:27 <rajiv> ack wrt tests
12:37:08 <rajiv> maybe send the patch across and i could test it ?
12:41:51 <xek> I only evoked @dmendiza since he has more experience with HSMs, but I'm not expecting he has the time to prepare a patch
12:42:04 <xek> I'm sure we'll have the time to review a patch, but I'm not sure about creating one
12:42:37 <rajiv> oh ok
12:44:15 <rajiv> do we still support storyboard ? or do i need to raise another issue via opendev.
12:44:33 <rajiv> This is another of my old bugs : https://storyboard.openstack.org/#!/story/2009322
12:45:02 <xek> Please re-add it to launchpad
12:46:26 <xek> Ok, let's continue to the last topic
12:47:17 <xek> #topic Bug Review
12:47:42 <xek> I don't see any new bugs, apart from those already mentioned
12:48:50 <xek> Looks like that's it for today
12:50:23 <xek> I'm on PTO for the next 2 weeks
12:51:07 <xek> this one was planned a while ago :)
12:51:46 <xek> So it looks like we'll be skipping the next 2 weekly meetings
12:52:22 <xek> Unless @dmendiza wants to chair?
12:52:23 <dmendiza[m]> I can cover for you
12:52:39 <xek> ok, cool, thanks!
12:53:22 <xek> We skipped a bunch of meetings last month, but I just had to take this unexpected PTO...
12:53:48 <xek> Anyway, thanks for attendance, see you in 3 weeks!
12:54:38 <xek> #endmeeting