15:01:00 <xek> #startmeeting barbican
15:01:00 <opendevmeet> Meeting started Mon Jan 13 15:01:00 2025 UTC and is due to finish in 60 minutes. The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:00 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:00 <opendevmeet> The meeting name has been set to 'barbican'
15:01:16 <xek> #topic Roll Call
15:01:24 <xek> Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar
15:01:32 <xek> o/
15:01:37 <xek> As usual our agenda can be found here:
15:01:44 <xek> #link https://etherpad.openstack.org/p/barbican-weekly-meeting
15:03:34 <rajiv> Hey
15:03:49 <dmendiza[m]> 🙋
15:04:16 <xek> #topic Review Past Meeting Action Items
15:04:48 <xek> #link https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-12-16-15.01.html
15:04:59 <xek> There were no action items
15:05:05 <xek> #topic Liaison Updates
15:06:16 <xek> QA update - I added the patch to make the octavia job non-voting
15:06:19 <xek> #link https://review.opendev.org/c/openstack/barbican/+/938221
15:07:49 <mharley[m]> o/
15:08:02 <xek> although https://review.opendev.org/c/openstack/octavia-tempest-plugin/+/937366 is merged
15:08:16 <xek> so octavia should be passing
15:09:17 <xek> #topic Open Discussion
15:10:17 <rajiv> Hi, in my pursuit to support multi-vendor/device HSM devices, i was testing a POST API and was blocked by https://opendev.org/openstack/barbican/src/branch/master/barbican/model/models.py#L1576-L1581, if i remove this constraint, backend is not initialised
15:10:28 <rajiv> any suggestions on how to go forward?
15:13:36 <xek> did you also add some entries breaking the initial constraint?
15:14:00 <xek> I wouldn't expect it to fail if only these lines were removed
15:14:23 <rajiv> testing with __table_args__ = () also failed
15:14:27 <xek> but maybe it's checking if the definitions are consistent with the database
15:14:52 <xek> you probably have to prepare a database migration to test this change
15:15:31 <rajiv> oh ok, an alembic procedure? is there any docu on how to do it?
15:16:04 <rajiv> as HSM devices communicate over pkcs11, i felt it's better to enhance the existing functionality instead of writing a custom plugin, is this the best approach?
15:16:16 <xek> there might be in other projects
15:16:24 <xek> the procedure should be the same or very similar
15:17:25 <rajiv> okay
15:18:03 <xek> it probably mostly depends on whether you will want to propose it to be merged into barbican, or maintain it yourself
15:18:47 <rajiv> would this functionality help others? or worth creating a blueprint?
15:19:44 <rajiv> lastly, to support this, creating multiple secret stores is the ideal option right? or is there any other approach?
15:20:21 <xek> I think it's better to propose it, you can also expect more feedback than when keeping it in house, ending up with a better implementation in the end
15:20:35 <rajiv> cool :)
15:21:12 <xek> dmendiza maybe you have some pointers on that?
15:23:32 <rajiv> this is my first proposal, it worked locally but further reviews are welcome: https://review.opendev.org/c/openstack/barbican/+/938186
15:26:49 <xek> I see you've already got some feedback :)
15:27:09 <xek> don't be discouraged by the -1, it's just an annotation that changes are needed
15:27:31 <rajiv> sure :)
15:28:10 <rajiv> dmendiza[m]: i also mailed the multi-device support query, it will be of great help if you could reply :)
15:28:10 * dmendiza[m] catches up on scrollback
15:29:15 <dmendiza[m]> Barbican already has a way of instantiating multiple backends. However, the StoreCryptoAdapter class is/was limited to a single instance. I don't remember the details of the limitation.
15:29:31 <dmendiza[m]> Removing that constraint may or may not work, you'll just have to test it.
15:30:04 <rajiv> removing the constraint failed to initialise the backend
15:30:43 <dmendiza[m]> Right, so you'll have to dig into why that happens. 🤷
15:31:15 <dmendiza[m]> I think the main issue will be with oslo config
15:31:38 <rajiv> oh ok
15:31:39 <dmendiza[m]> because there is a 1-to-1 config for StoreCryptoAdapter to PKCS#11 device
15:32:18 <dmendiza[m]> I think you can do two StoreCryptoAdapters with one using SimpleCrypto and the other one using PKCS#11
15:32:48 <dmendiza[m]> but yeah, two with two PKCS#11 adapters will need to have different configuration stanzas and that's not currently possible
15:33:57 <rajiv> i see, seems to be more complicated than i expected.
15:34:24 <rajiv> lastly, is it better to create multiple secretstores to support this functionality or is there any other option?
15:35:04 <dmendiza[m]> the easier option is to have two deployments
15:35:18 <dmendiza[m]> then the user can choose a deployment based on what HSM they want to use
15:36:23 <rajiv> two deployments of barbican in 1 openstack cloud? this means more endpoints, more issues in k8s ingresses, right?
15:36:58 <rajiv> is it possible to implement multiple barbican instances in 1 openstack deployment? is there any documentation?
15:38:24 <xek> it might be possible, but I guess you would have to duplicate other services which depend on barbican, since they will each point to one instance
15:39:52 <rajiv> oh yes, keystone, nfs, etc seems to be more work than the above :(
15:41:30 <dmendiza[m]> https://docs.openstack.org/barbican/latest/configuration/plugin_backends.html#enabling-multiple-barbican-backends
15:42:26 <dmendiza[m]> Oh, I misread your question
15:42:36 <dmendiza[m]> The link is probably not helpful. 😅
15:42:40 <rajiv> np :)
15:47:33 <xek> let's continue to the last topic
15:48:33 <xek> #topic Bug Review
15:48:48 <xek> There were no new bugs reported since our last meeting
15:49:42 <xek> This concludes our first meeting in 2025 :)
15:49:47 <xek> That's it for today, see y'all next week!
15:49:51 <xek> #endmeeting