#heat log

14:00:26 <ricolin> #startmeeting heat
14:00:27 <openstack> Meeting started Wed Jul 18 14:00:26 2018 UTC and is due to finish in 60 minutes.  The chair is ricolin. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:28 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:30 <openstack> The meeting name has been set to 'heat'
14:00:36 <ricolin> #topic roll call
14:00:49 <ramishra> hi
14:00:57 <ricolin> o/
14:01:59 <ricolin> zaneb, meeting time
14:03:21 <zaneb> o/
14:03:34 <ricolin> there you are!:)
14:03:58 <ifat_afek> Hi
14:04:05 <ricolin> ifat_afek, hi
14:04:17 <ricolin> #topic adding items to agenda
14:04:22 <ricolin> #link https://wiki.openstack.org/wiki/Meetings/HeatAgenda#Agenda_.282018-07-18_1400_UTC.29
14:05:48 <ramishra> ricolin: I've to leave early, the agenda looks pretty big:)
14:06:30 <ricolin> ramishra, NP, you have to go, you have to go:)
14:06:59 <ricolin> maybe have little time we can talk about SSL first?
14:07:03 <ricolin> ramishra,
14:08:14 <ramishra> sure, I think therve was of the opinion we don't need that, just ask everyone to install CA certs on heat engines
14:08:38 <ricolin> #topic SSL option in Remote Stack
14:09:01 <ricolin> ramishra, zaneb so I update a version of idea on https://review.openstack.org/#/c/480923
14:09:02 <ricolin> #link https://review.openstack.org/#/c/480923
14:09:29 <ricolin> basically use config to define what files we allows to import
14:10:21 <ricolin> will that be acceptable way
14:10:22 <zaneb> that's not interoperable
14:10:56 <zaneb> although I guess region names are cloud-specific anyway
14:11:19 <zaneb> but in any event it doesn't help at all with the multi-cloud case
14:11:28 <ricolin> For multi-cloud we can actually put ssl options into credential
14:12:40 <ramishra> I this case The user needs to know the file names, why not just the operator configures it for provider/region combination and it's picked up automatically?
14:13:03 <ramishra> As I proposed earlier
14:13:42 <ricolin> ramishra, we can approach that by reading from clouds.yaml, will that works for you?
14:14:29 <zaneb> I doubt private cloud operators are going to provide a custom clouds.yaml that includes their own region info
14:15:02 <ramishra> ricolin: I don't know. IMO if we're keeping a list of cert locations in config, then better have them per provider/region so, the user does not have to do anything
14:15:26 <ricolin> zaneb, they're not going to provide such info for config as well
14:16:10 <zaneb> ricolin: probably not, and they're probably not going to provide a whitelist and cert files either
14:16:12 <ricolin> ramishra, that will work
14:18:28 <ricolin> zaneb, but I think that's up to environment. Will be better if we can try to solve that, but if we can't figure out better idea, a map in config sounds like a plan to me
14:19:38 <ricolin> Or we can try harder to document things and skip this issue and leave it to user for now
14:20:17 <ricolin> these are two ways I can think of on how we approach this
14:20:52 <zaneb> the main thing I care about it multi-cloud, and not having a different interface for multi-cloud vs. multi-region
14:21:48 <zaneb> if we can have no interface at all for multi-region, that's ok with me
14:22:09 <zaneb> having different CAs for different regions sounds kind of crazy to me anyway
14:23:28 <ricolin> zaneb, we can get ssl options from credential like the format here https://docs.openstack.org/os-client-config/latest/user/configuration.html#ssl-settings
14:24:15 <ricolin> in that way we don't need any new property at all, but we still need the config(or something heat managable)
14:24:20 <zaneb> ricolin: we can't because again, those are just local filenames
14:26:28 <ricolin> zaneb, I guess I can at least put something in document for user, before we can fine a way to do it(which we all agree on)
14:27:54 <zaneb> maybe we should get the user to store the CA keys in barbican as separate secrets
14:28:25 <ricolin> zaneb, we still need it as a `file` before we give the file name to client
14:28:59 <ricolin> for now ssl option only allow file_name as input:/
14:29:23 <zaneb> we can use a tempfile. I don't think that's a big deal
14:29:45 <zaneb> or a FIFO even
14:29:49 <ricolin> zaneb, I was thinking about that, but what about the security about that file
14:30:19 <ricolin> do we care about that?
14:30:55 <zaneb> only really an issue for the private key one, but it's a fair point. FIFO (named pipe) would be secure I think
14:31:34 <ricolin> ramishra, what you think
14:32:09 <zaneb> it is an annoying API for the clients though
14:32:20 <zaneb> we should probably look in to fixing that
14:32:36 <ricolin> zaneb, yes we should
14:32:53 <zaneb> would be nice to at least be able to pass e.g. a StringIO object
14:33:14 <ricolin> or a secret?:)
14:34:18 <zaneb> as long as Barbican is optional I don't think we want to bake it in to all of the clients
14:34:37 <ramishra> sounds good, if we can change that interface then users can use get_file
14:35:06 <ricolin> This gonna take more discussion
14:35:12 <ricolin> maybe start with a ML
14:35:29 <ricolin> and fallow with a PTG session
14:35:58 <ricolin> anyone interested in the ML?:)
14:37:03 <ricolin> or we can just change it with small code?
14:37:30 <ricolin> I will look into it, welcome anyone join
14:38:12 <ricolin> let's move on,
14:38:42 <ricolin> #topic Hidden Aodh::Alarm resource https://review.openstack.org/#/c/580963/2/etc/heat/environment.d/default.yaml
14:39:13 <ricolin> So Alarm has been deprecated, and now we should try to hide it
14:39:50 <ricolin> for what I concern, what we gonna deal with those resources depends on that resource type
14:40:07 <ricolin> which their is a bunch under https://review.openstack.org/#/c/580963/2/etc/heat/environment.d/default.yaml
14:40:18 <zaneb> wait, the resource registry _is_ hidden isn't it? do any of those resources show up in the API/docs?
14:41:07 <ricolin> zaneb, I don't know actually:)
14:41:44 <zaneb> OS::Quantum* doesn't afaik
14:42:38 <ricolin> cool, so I think we can just remove them all!?
14:43:23 <ramishra> or map them to GnocchiAggregationByResourcesAlarm?
14:43:30 <zaneb> no, just leave them all I thought
14:43:40 <ricolin> ramishra, it can't directly map to
14:44:00 <ramishra> yeah, the resources would be replaced, but that should be ok, no
14:44:50 <ricolin> ramishra, AWS::CloudWatch::Alarm also require Alarm too
14:45:06 <ricolin> but which is a template contain Aodh::Alarm
14:46:09 <ricolin> #link https://github.com/openstack/heat/blob/master/etc/heat/templates/AWS_CloudWatch_Alarm.yaml#L63
14:46:25 <zaneb> so change the template?
14:47:42 <ricolin> zaneb, if that gonna match behavior of `AWS_CloudWatch_Alarm` in AWS?
14:48:19 <zaneb> probably no worse than it does now ;)
14:48:49 <ricolin> at least the parameters doesn't look compatible
14:49:18 <ramishra> I mean there is no ceilometer anymore, so we else we can do:)
14:49:28 <zaneb> it's a template. there is a yaql function ;)
14:50:07 <ramishra> IMO, Just drop those resources and mappings:)
14:50:24 <ricolin> ramishra, +1 on that
14:52:00 <ricolin> Time's running let's move on, we shall keep talking in that patch I guess
14:52:07 <ricolin> #topic Keypair resource in Stack
14:52:43 <ricolin> Keypair is binding with user and only that user can use/saw that keypair, if we update Stack with another user, resources depends on that resource might get error
14:53:10 <zaneb> urg
14:53:17 <ricolin> ramishra, zaneb ideas on that?
14:53:41 <ricolin> I think we can do replace when different user
14:54:04 <zaneb> so if the keypair is created with a public key, then easy(-ish) fix is just to add it for the new user as well
14:54:50 <ricolin> zaneb, yeah, that's the only workaround I know for now
14:55:19 <ricolin> actually it's just keypair name we need to consist with
14:55:31 <zaneb> if the keypair generates a private key itself, then I don't know how best to handle it
14:55:38 <ramishra> ricolin: replacing the key would replace the server resources, would that be acceptable?
14:55:58 <zaneb> this really is a bad API. I don't know why they chose to make it inconsistent with everything else in Nova
14:56:01 <ricolin> ramishra, not sure, but that's one way in my mind
14:56:18 <ramishra> deprecate that resource;)
14:56:24 <ricolin> ramishra, LOL
14:56:50 <ricolin> we can at least give a Known issue for release note
14:57:07 <ricolin> but wondering what will be the best way we can take from here
14:58:20 <zaneb> I don't think replace is the right thing, because we won't be changing the creator of any existing servers
14:58:36 <ricolin> zaneb, okay
14:58:51 <zaneb> but any new servers will be created with the new owner (and thus need access to they keypair under that user)
14:59:08 <zaneb> so we really need one keypair for each user who has ever touched the stack
14:59:42 <ricolin> zaneb, I guess that means nice releasenote
14:59:50 <zaneb> lol
15:00:25 <ricolin> Okay, running out of time
15:00:34 <ricolin> just two more things
15:00:47 <ricolin> I'm gonna release heatclient today
15:01:19 <ricolin> and please review multicloud patch:)
15:01:52 <ricolin> Also we for now remove monasca unittests
15:02:09 <ricolin> will revert it once that monasca issue fixed
15:02:18 <ricolin> Anything else?
15:03:59 <ricolin> Okay thanks zaneb ramishra
15:04:02 <ricolin> #endmeeting