13:00:29 <Luzi> #startmeeting image_encryption
13:00:30 <openstack> Meeting started Mon May 3 13:00:29 2021 UTC and is due to finish in 60 minutes. The chair is Luzi. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:31 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:00:33 <openstack> The meeting name has been set to 'image_encryption'
13:00:43 <Luzi> #topic Roll Call
13:00:58 <fungi> ohai
13:01:40 <Luzi> hi fungi, let's wait for redrobot
13:05:02 <Luzi> redrobot, are you there?
13:07:09 <rosmaita> o/
13:12:04 <Luzi> hi rosmaita
13:12:16 <Luzi> well it seems redrobot is not available today...
13:12:54 <Luzi> so i will ask them tomorrow in the barbican meeting about the secret consumers
13:13:20 <rosmaita> sounds good
13:13:55 <Luzi> ptg made it at least clear to me, that the secret consumer api is waiting for the microversions. and the microversions were/are waiting for the secure policies
13:14:47 <rosmaita> thanks, that helps me understand the holdup
13:15:27 <fungi> i tried to give a summary to the tc during the ptg as well, notes start at line 51 here at the moment:
13:15:34 <fungi> #link https://etherpad.opendev.org/p/tc-xena-ptg TC Xena PTG notes
13:16:35 <rosmaita> cool, thanks for that summary
13:17:21 <rosmaita> Luzi: don't know if this will help, but cinder is also interested in the consumer API to harden our current handling of encryption keys for encrypted volumes
13:17:46 <Luzi> i know, we talked about it in the autumn ptg
13:18:13 <fungi> during the security sig session we talked about reviving past conversations around making barbican a base service, but step 1 would be finding use cases it enables. that might be one
13:18:56 <rosmaita> yes, in order to have encrypted volumes in cinder, you must have a key manager service
13:19:36 <rosmaita> #link https://docs.openstack.org/cinder/latest/configuration/block-storage/volume-encryption.html
13:19:51 <fungi> thanks!
13:19:57 <Luzi> rosmaita, do you use python-barbicanclient or castellan to interact with barbican=
13:19:58 <fungi> gagehugo: ^ for reference
13:19:58 <Luzi> ?
13:20:30 <rosmaita> i think castellan directly, but i believe that requires python-barbicanclient
13:20:56 <fungi> more importantly, would users of that feature be interacting with barbican, or is it all filtered through the cinder api?
13:21:21 <Luzi> volume encryption is transparent to users
13:21:34 <fungi> like, should users be able to supply keys for encrypting volumes, and if so should they do that through the cinder api or barbican?
13:21:34 <rosmaita> well, we don't want them interacting with barbican, because without the consumer API, they can delete in-use keys
13:21:53 <fungi> sure, i mean hypothetical future with consumer api
13:21:55 <rosmaita> keys are supplied automatically (generated by barbican)
13:22:28 <rosmaita> we haven't found a reliable way for users to upload keys that work
13:22:31 <rosmaita> too many moving parts
13:22:55 <fungi> so for this purpose, castellan and "a castellan-supported keystore" is sufficient i suppose
13:23:22 <rosmaita> yes, though, red hat, for instance, uses barbican
13:24:09 <fungi> got it. so doesn't support the argument for adding barbican to the base services list since we already have it covered by https://governance.openstack.org/tc/reference/base-services.html#current-list-of-base-services
13:24:19 <fungi> #link https://governance.openstack.org/tc/reference/base-services.html#current-list-of-base-services base services list
13:26:11 <rosmaita> well, maybe not
13:26:32 <rosmaita> we also have the upload-volume-to-image workflow
13:26:57 <rosmaita> forget that
13:27:01 <fungi> heh
13:27:16 <rosmaita> as long as you configure cinder and glance correctly, should work with another keystore
13:27:26 <fungi> makes sense, thanks
13:27:26 <rosmaita> though we only test with barbican
13:27:30 <fungi> anyway, i didn't mean to hijack the meeting with tangential topics
13:27:39 <fungi> sorry about that
13:27:47 <Luzi> no worries
13:28:11 <Luzi> it's more interesting than only having a discussion about waiting :D
13:28:22 <rosmaita> :)
13:28:28 <fungi> so was the barbican clarification on consumer api and microversions the only real takeaway from the ptg?
13:28:52 <Luzi> mainly,
13:30:39 <fungi> and the "add microversion 1.1" change is still wip, since almost 9 months... any indication where the discussion on making it no longer wip is taking place? barbican meetings?
13:32:00 <rosmaita> Luzi: what are your plans for CI on this? I'm thinking maybe tests in cinder-tempest-plugin since the library will be in os-brick. I wonder whether it makes sense to work on the os-brick part and get that working even without the consumer API?
13:32:58 <Luzi> yes in the barbican meetings, at least it should be there - i did not hear that secure policies were the reason the microversions were on hold until the ptg :/
13:33:25 <fungi> oh, the policy work is the blocker? i missed that
13:33:56 <rosmaita> i think it may be a project bandwidth issue, not a technical issue
13:34:11 <fungi> sure, we're all far too familiar with that struggle
13:34:28 <Luzi> rosmaita, the os-brick part can be done without the secret consumer - but after that? how long would that be just dead code?
13:34:57 <Luzi> yeah the barbican team has much to do :/
13:35:01 <rosmaita> well, as long as we get some CI on it, it can be run all the time
13:35:37 <rosmaita> will probably require some devstack patches to enable whatever config you need in the services
13:35:53 <Luzi> okay, i think looking into the cinder-tempest-plugin would be a good start
13:36:09 <rosmaita> but we already use barbican for the encrypted volume tests in cinder-tempest-plugin, so a lot of what you will need is there
13:36:52 <rosmaita> because you really could release this feature without consumer API
13:37:18 <rosmaita> wouldn't have to worry about data leakage :)
13:37:22 <Luzi> well that's only the case if glance is okay with it
13:38:02 <rosmaita> it's kind of a bad hack, but you could do what cinder did with the cinder_encryption_key_deletion_policy metadata
13:38:10 <Luzi> and image encryption requires users to interact with secrets
13:39:34 <fungi> up-side to zuul is you can implement the job completely in proposed changes with depends-on to the various features you need in different projects, and completely run it
13:40:01 <fungi> so you don't have to wait for reviewers to approve stuff
13:40:03 <rosmaita> without the consumer API, the danger is that an end user might delete an in-use key by mistake ... is that correct?
13:40:11 <Luzi> yes it is
13:41:56 <rosmaita> and once the consumer api is available, there will only be a minor change in the workflow, i think
13:43:02 <Luzi> so you propose to release the feature and add secret consumers later?
13:43:17 <rosmaita> well, at least get it "almost" ready
13:43:32 <rosmaita> glance team is ok with releasing stuff as EXPERIMENTAL
13:43:51 <Luzi> well that would help i think.
13:44:00 <rosmaita> i'm just worried that if consumer api isn't available until M-3, this whole thing has to wait for Y
13:44:13 <Luzi> rosmaita, me too :/
13:44:50 <rosmaita> i'm trying to find our release note from adding automatic key handling to glance
13:45:03 <rosmaita> we have a warning in there about the keys
13:45:42 * redrobot sneaks in through the back door
13:46:19 <Luzi> i will talk to the glance team, if they are okay with having only experimental image encryption, then i will start working on this
13:46:38 <rosmaita> found it, it's in the glance release notes
13:46:41 <fungi> redrobot: we saved a seat for you
13:46:41 <rosmaita> https://docs.openstack.org/releasenotes/glance/train.html#new-features
13:46:46 <rosmaita> third bullet point
13:47:41 <Luzi> yeah, i have to discuss this with the glance team
13:47:48 <Luzi> hi redrobot
13:48:14 <rosmaita> even if they don't want to release it, we can get everything in place and not tell anyone about it until it's ready
13:49:59 <Luzi> i will look through the remaining work - it should be the cinder part and the tests
13:50:30 <Luzi> glance is just missing the secret consumer part and os-brick should also be ready
13:50:30 <rosmaita> ok, cool
13:50:59 <Luzi> redrobot, did you catch up and do you have any updates?
13:50:59 <rosmaita> i think your brick patch needed tests
13:51:13 <rosmaita> or have you added them and i am out of date?
13:52:12 <Luzi> https://review.opendev.org/c/openstack/os-brick/+/709432/7
13:52:17 <Luzi> do you mean unit tests?
13:52:33 <redrobot> Trying to catch up... sorry no updates on Barbican things. I've been trying to squash a Hashicorp Vault bug
13:53:22 <rosmaita> Luzi: yes, i am out of date on your patch!
13:53:22 <Luzi> too many tasks for only one redrobot :(
13:53:39 <Luzi> yeah it has unit tests :)
13:54:05 <rosmaita> Luzi: when you get a chance, please resolve the merge conflict on that (it's probably in requirements or lower-constraints), which will re-run the CI
13:54:26 <rosmaita> i'll put it on my list to get that reviewed early this week
13:54:36 <Luzi> yes, i will do that
13:54:41 <rosmaita> ty
13:55:30 <Luzi> okay do you have anything else you want to talk about?
13:55:37 <rosmaita> yeah, i think if you can get an end-to-end test in cinder-tempest-plugin that would be fantastic
13:55:44 <rosmaita> and you would be ready for the consumer api
13:56:22 <rosmaita> cinder-tempest-plugin also has tests that interact with glance, so that part is there too
13:57:20 <Luzi> okay thank you
13:58:23 <Luzi> if that's all, thank you for joining today and have a nice week
13:58:33 <Luzi> #endmeeting image_encryption