15:01:20 <xek> #startmeeting barbican
15:01:20 <opendevmeet> Meeting started Mon Oct 28 15:01:20 2024 UTC and is due to finish in 60 minutes.  The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:20 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:20 <opendevmeet> The meeting name has been set to 'barbican'
15:01:35 <xek> #topic Roll Call
15:01:38 <xek> o/
15:01:49 <xek> Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar
15:02:08 <xek> As usual our agenda can be found here:
15:02:16 <xek> #link https://etherpad.openstack.org/p/barbican-weekly-meeting
15:02:53 <dmendiza[m]> 🙋
15:03:21 <xek> #topic Review Past Meeting Action Items
15:03:39 <xek> #link https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-10-14-15.03.html
15:03:43 <xek> There were no action items
15:03:56 <xek> #topic Liaison Updates
15:04:42 <xek> No updates from me
15:05:39 <xek> #topic Open Discussion
15:06:00 <rajiv> Heylo!!
15:06:11 <rajiv> the barbican release notes are not visible!
15:06:33 <rajiv> i raised this in previous PTGs but couldn't find any fix for it
15:06:56 <rajiv> here : https://releases.openstack.org/dalmatian/index.html
15:07:53 <xek> Hm, I see release notes here: https://docs.openstack.org/releasenotes/barbican/2024.2.html
15:08:41 <rajiv> okay, then it's a mapping issue to the main link ?
15:09:02 <rajiv> second, i wanted to follow up on https://bugs.launchpad.net/barbican/+bug/2036506
15:09:06 <xek> yeah, looks like the link to the release notes is missing from that page
15:09:27 <rajiv> thanks for looking into this dmendiza[m] :) was this patch validated by Thales ?
15:10:29 <dmendiza[m]> hi rajiv .  My patch is a WIP.  No plans to have Thales look at it, but I will be testing with an (ancient) Thales Luna HSM.
15:10:49 <dmendiza[m]> My HSM is too old to test the new firmware, so you may want to download the patch and test it when it's working
15:11:27 <rajiv> ah ok cool :) i tested the patch today and shared my analysis!
15:11:51 <rajiv> i have a Thales contact from Engineering to validate once the patch is merged :)
15:13:50 <dmendiza[m]> Sweet, yeah just keep an eye out on the review, I'll be updating it this week.
15:14:08 <rajiv> nice!
15:14:52 <rajiv> last question, is it possible to support multiple vendors on Barbican ? Thales and Utimaco ?
15:15:22 <rajiv> i see an option for multi-secret store but not multi-vendor per secret store ?
15:16:26 <dmendiza[m]> I think we've only tested multiple_secret_stores with different types e.g. SimpleCrypto + HSM, or SimpleCrypto + KMIP.  I'm not sure if 2x StoreCrypto + PKCS11 would work? 🤔
15:17:36 <rajiv> SimpleCrypto + HSM, is my current implementation and it definitely works
15:18:17 <rajiv> i couldn't find an option to validate 2x pkcs11 here https://docs.openstack.org/barbican/latest/install/barbican-backend.html
15:18:37 <rajiv> i see an overlap in Thales & Utimaco devices.
15:19:36 <dmendiza[m]> Yeah, the main issue is going to be trying to instantiate two instances of StoreCryptoAdapter: https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/store_crypto.py#L50
15:19:57 <rajiv> yep, i guessed the same.
15:20:44 <rajiv> does this docu need updating ? https://docs.openstack.org/barbican/latest/configuration/plugin_backends.html when compared to https://docs.openstack.org/barbican/latest/install/barbican-backend.html
15:21:28 <rajiv> stores_lookup_suffix shows pkcs11 but on the other page it's enabled_crypto_plugins = p11_crypto
15:21:38 <dmendiza[m]> I think both need to be updated probably
15:22:56 <rajiv> okay, for SimpleCrypto + HSM config, this is fine correct ? https://github.com/sapcc/helm-charts/blob/barb_thales_test/openstack/barbican/templates/etc/_barbican.conf.tpl#L69-L83
15:23:55 <dmendiza[m]> Not sure, you'd have to test it and make sure there's no funny business going on with the two instances of StoreCryptoAdapter.
15:24:37 <rajiv> okay sure.
15:27:49 <xek> ok, to finish up, let's quickly check the bugs
15:27:54 <xek> #topic Bug Review
15:28:07 <xek> I see one new bug
15:28:09 <xek> #link https://bugs.launchpad.net/barbican/+bug/2084691
15:28:23 <xek> Barbican is not passing any name to the KMIP object so the default one is used
15:29:06 <dmendiza[m]> Yeahh.... KMIP was on the way to deprecation IIRC.  Not surprised it's broken since we stopped testing it when PyKMIP started failing at the gate.
15:30:28 <xek> dmendiza can you respond? maybe we should decide on deprecating it this cycle
15:30:41 <dmendiza[m]> Sure
15:30:58 <xek> Thanks!
15:31:08 <xek> Ok, that's all for today
15:31:20 <xek> Have a great rest of the week!
15:31:22 <xek> #endmeeting