14:02:12 <enikanorov_> #startmeeting neutron lbaas 14:02:13 <mestery> enikanorov_: The meeting is typically called just lbaas? or neutron_lbaas? 14:02:13 <openstack> Meeting started Thu May 1 14:02:12 2014 UTC and is due to finish in 60 minutes. The chair is enikanorov_. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:02:14 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 14:02:16 <mestery> Heh 14:02:17 <mestery> :) 14:02:17 <openstack> The meeting name has been set to 'neutron_lbaas' 14:02:27 <mestery> #link https://wiki.openstack.org/wiki/Network/LBaaS Agenda 14:02:41 <mestery> So, thanks to all for joining and thanks for the great discussions on the ML! 14:02:57 <mestery> One thing I was hoping was that today we could try to keep focused on a single conversation at a time. 14:03:09 <mestery> I've noticed in the past few weeks it's hard to keep up with everything during this meeting. 14:03:26 <mestery> There is a lot to cover for sure, but trying to focus on one conversation at a time makes it easier. Sound ok? 14:03:37 <blogan> sounds good 14:03:37 <enikanorov_> sure 14:03:39 <sbalukoff> Ok! 14:03:41 <TrevorV> agred 14:03:43 <TrevorV> agreed*** 14:03:44 <tmc3inphilly> rgr 14:03:46 <mestery> Great! 14:03:51 <jorgem> hello 14:03:54 <rm_work> we'll try 14:03:57 <mestery> :) 14:03:59 <mestery> rm_work: :) 14:04:28 <mestery> OK, so to start off per enikanorov_'s email, lets talk about sbalukoff's google doc a bit more 14:04:31 <mestery> #link https://docs.google.com/document/d/129Da7zEk5p437_88_IKiQnNuWXzWaS_CpQVm4JBeQnc/edit#heading=h.hgpfh6kl7j7a 14:04:33 <samuelbercovici> sure 14:05:13 <mestery> sbalukoff: I've read through this, thanks for putting this together! 14:05:28 <sbalukoff> Glad I could help! 14:05:35 <mestery> Actually, I see a lot more recent comments on this since I read through it a few days back even :) 14:06:10 <mestery> sbalukoff enikanorov_: The main focus in this document is the API, correct? Have people had a chance to look at this in detail yet? 14:06:34 <blogan> i've looked at it and asked some questions about it to stephen on the ML 14:06:39 <jorgem> yes 14:06:50 <sbalukoff> Yes, my understanding was this was an API design proposal, and we've attached a proposed object diagram to it, too. 14:06:51 <samuelbercovici> mestery: I have looked at it and sent comments on L7 to ML and will send later today comments on SSL. 14:07:00 <blogan> stephen did answer them and most of them were minor quibbles 14:07:30 <mestery> OK, great! Are people converging on this being at least a good starting point from the LBaaS API perspective? 14:08:08 <jorgem> mestery: I sent an email last and think that all proposals should be compared on equal footing. 14:08:16 <enikanorov_> more particularly, a question to Rackspace folks: do you find 'single call' part of the document suitable for your needs? 14:08:25 <sbalukoff> I would also like to know at some point (not necessarily during this meeting): What requirements / use cases or other concerns that you have might not be addressed in thie proposal? 14:08:27 <mestery> jorgem: Yes, completely agree there. 14:08:28 <samuelbercovici> blogan: did not see response on [openstack-dev] [Neutron][LBaaS]L7 conent switching APIs 14:08:34 <rm_work> yes -- funnily enough, it actually seems remarkably similar to what we proposed :) I think I am ok with most of it, besides a few naming issues and minor attributes 14:08:40 <jorgem> I'd like to discuss the pros and cons of each proposal. So far I see three. 14:08:51 <rm_work> though yes, we should go through all of them 14:09:14 <german_> +1 14:09:24 <jorgem> There are things I do like about this proposal but I want to make sure we get the good ideas from all of them. 14:09:27 <blogan> samuelbercovici: it was the day stephen put it on the ML, wasn't in response to that thread 14:09:29 <mestery> jorgem: I am fine with that, I think we should ideally try to converge by next week so we can make effective use of the Summit facetime. Agree? 14:09:41 <jorgem> mestery: agree 14:09:47 <enikanorov_> i think naming differences and attributes polishing is what could be done on per-feature basis 14:10:00 <rm_work> enikanorov_: sure, which is why i have no real stated objections 14:10:07 <enikanorov_> rm_work: good! 14:10:17 <rm_work> though I don't speak for my whole team, obviously 14:10:18 <mestery> OK, so now hte question is: How should we effectively evaluate all 3 proposals in the coming week? 14:10:41 <jorgem> One of the the important things I do not want to lose sight of is building the API against the features that we have prioritized. Edge cases shouldn't be a show stopper. 14:10:46 <mestery> We need someone to come up with a good comparison of all 3, showing gaps and overlap, etc. 14:11:00 <mestery> jorgem: I agree with that sentiment. 14:11:15 <rm_work> though sbalukoff I am not seeing SSL Termination support? or am I just blind… 14:11:20 <enikanorov_> one moment, guys 14:11:24 <enikanorov_> there are TWO proposals 14:11:26 <enikanorov_> not three 14:11:36 <rm_work> enikanorov_: sbalukoff's, yours, ours? 14:11:37 <sbalukoff> rm_work: It's in there, with SNI support, too. 14:11:44 <blogan> yeah it is 14:11:46 <enikanorov_> mine is a part of stephen's 14:11:47 <jorgem> enikanorov_: I though you wanted to start from the current API? 14:11:51 <german_> SSL support is a concern for the VPN folks, too, so there is some overlap... 14:11:53 <rm_work> sbalukoff: I saw the SNI but not how exactly we'd terminate. i'll look again 14:12:08 <enikanorov_> jorgem: stephen's proposal can be implemented by evolving existing API 14:12:26 <sbalukoff> rm_work: Look at the default_certificate_id attribute of the "listener" object. :) 14:12:38 <jorgem> enikanorov_: Okay, two proposals then. My apologies. 14:12:43 <mestery> jorgem enikanorov_: If this is the case, then we can quickly find gaps between the two proposals and try to close them to satisfy the use cases I think. 14:12:43 <enikanorov_> np 14:13:01 <german_> sbalukoff, since SSL overlaps it should be outside VPN, LBaaS 14:13:02 <enikanorov_> i see one major gap 14:13:09 <rm_work> sbalukoff: so… just by specifying that, it terminates? 14:13:12 <enikanorov_> which is API nesting in jorgem's proposal 14:13:16 <jorgem> mestery: So to answer your question. I think we should have workflows of single and multiple api calls for each of the use cases we have identified. 14:13:17 <enikanorov_> vs flat API in sbalukoff's 14:13:27 <sbalukoff> mestery: Do you want someone to just create a spreadsheet with proposals as the columns, and use cases as the rows? 14:13:30 <mestery> jorgem: I agree with that, per the email thread. 14:13:31 <tmc3inphilly> one conversation por favor 14:13:37 <rm_work> enikanorov_: sbalukoff claimed everything could be nested, did he not? 14:13:39 <mestery> sbalukoff: That would be awesome! 14:13:54 <blogan> i think the main difference is the use of the term load balancer (which obviously can be changed) and rackspace's proposal support multiple vips but only one port on a single "load balancer" instance while stephen's support an IPv4 and IPv6 VIP and multiple ports on the "load balancer" instance which he calls a VIP 14:13:57 <enikanorov_> rm_work: i mean nesting in url structure, not in the payload 14:14:00 <sbalukoff> rm_work: I think I did, or effectively did. 14:14:03 <mestery> Folks, lets focus on the API comparison now, can we leave the SSL stuff to a bit later? 14:14:08 <rm_work> enikanorov_: ah, thanks for the clarification 14:14:18 <mestery> I know that's important, but we need to focus on one thing or it gets too hard to maintain a semblence of order. :) 14:14:31 <enikanorov_> yes, i think we need to discuss SSL separately 14:14:32 <german_> mestery +1 14:14:39 <rm_work> mestery: sorry, will try HARDER. :) 14:14:44 <mestery> Lets finish the API talk and then move on to SSL next. 14:14:52 <enikanorov_> blogan: you see it's structurally the same 14:14:57 <samuelbercovici> mestery +1 14:15:18 <mestery> sbalukoff: So, are you volunteering to produce the API comparision spreadsheet mapping to use cases? CAn you work with jorgem on this? 14:15:35 <blogan> mestery: i will help out as well 14:15:42 <jorgem> mestery: Yes I will help 14:15:44 <mestery> blogan: Perfect! 14:15:53 <enikanorov_> good 14:15:54 <german_> can we share the spreadhseet so we all can pitch in 14:15:54 <mestery> I will assign the three of you an action item for that. 14:16:01 <samuelbercovici> mestery: i will help out as well 14:16:03 <sbalukoff> mestery: Sure! I'm sensing an action item? 14:16:08 <blogan> german_: of course 14:16:11 <mestery> german_: Absolutely! I think it makes sense to have someone start it off and then share it. 14:16:22 <jorgem> sbalukoff: Have you had a chance to look at the workflows we presented. I think if you could create something similar it may help to identify pros and cons. 14:16:24 <jorgem> #link https://drive.google.com/#folders/0B2r4apUP7uPwRVc2MzQ2MHNpcE0 14:16:24 <german_> great!! 14:16:29 <mestery> #action sbalukoff jorgem blogan to draft API comparison spreadsheet mapping to use cases. 14:16:36 <sbalukoff> blogan: Could you (or someone one your team) please produce a glossary of terms for your API proposal? Just so we are all clear on definitions. 14:16:45 <jorgem> sbalukoff: If you have another idea I am open to that as well. 14:16:46 <blogan> sbalukoff: sure 14:17:10 <sbalukoff> jorgem: I looked through a couple of them (I think you had 9 at the time)? 14:17:17 <blogan> #action blogan creates glossary of terms for rackspace's proposal 14:17:18 <jorgem> correct. we will add more 14:17:19 <mestery> So the expectation is by next week's IRC meeting (ideally before) we can have this ready and ideally make a decision to move forward then. 14:17:28 <sbalukoff> I don't know that I can address all use cases, since the use case document is up to 43 so far. 14:17:34 <sbalukoff> And that's just the "user" use cases. 14:17:48 <mestery> jorgem: Thanks for hte link, nice work on drafting all of that up! 14:17:58 <jorgem> sbalukoff: That's fine the main ones that hit on the feautures we have prioritized should be a good place to start. 14:18:00 <enikanorov_> some of the use cases map to particular set of values for attributes 14:18:04 <TrevorV> sbalukoff: I've been doing some work with examples according to our API, not sure if you'd like me to share those in this comparison chart as well 14:18:13 <enikanorov_> like 'support for XXX balancing algorithm' 14:18:25 <TrevorV> sbalukoff: Specifically with use cases I mean 14:18:25 <sbalukoff> By the way-- I want to be clear that my proposal certainly isn't "set in stone". If we discover gaps, I'm hoping to change the proposal to address the gaps. 14:18:45 <enikanorov_> i think that we need to have a general consensus on the API 14:18:49 <jorgem> sbalukoff: understood. Likewise for ours. 14:18:50 <enikanorov_> and then flush details 14:18:51 <sbalukoff> TrevorV: It sounds like that might be useful, eh! 14:18:55 <enikanorov_> like attributes and such 14:19:07 <blogan> sbalukoff: same with rackspace, that was always the intention 14:19:16 <sbalukoff> Cool. 14:19:18 <enikanorov_> otherwise we'll gid in the details without producing a decision 14:19:49 <enikanorov_> *dig 14:19:53 <mestery> I think we have a plan on the API front here to move forward, comparing and closing gaps. 14:20:07 <jorgem> sbalukoff: Let's decide first which use cases to produce workflows so we can make sure we compare the same use cases. What do you think? 14:21:05 <mestery> Can we move on to the SSL discussion now? 14:21:15 <mestery> Seems like there was some interest in talking about that a bit. 14:21:20 <blogan> i have a question about the object model 14:21:23 <sbalukoff> jorgem: That sounds fine to me, mostly... though I'm honestly a little uncomfortable potentially leaving some use cases out. 14:21:23 <blogan> just a quick question 14:21:29 <mestery> blogan: Sure, go ahead please. 14:21:42 <jorgem> sbalukoff: I'm okay with doing all or a subset. It's your call. 14:21:47 <blogan> what happens if the API that is decided on requires a major revamp of the object model? 14:22:15 <sbalukoff> jorgem: Shall we talk about this offline? (Don't think we need to take up meeting time for that level of specificity, eh.) 14:22:15 <enikanorov_> how major are you expecting it to be? 14:22:27 <jorgem> sbalukoff: Yes, I'll send you an email. 14:22:39 <sbalukoff> Cool, thanks! 14:22:41 <blogan> oh I don't know, its more a theoretical question, I'm just wondering how major revamps work in this type of project 14:22:46 <enikanorov_> every proposal changes object model in some way 14:23:08 <enikanorov_> blogan: so far proposals are focused around the same set of objects 14:23:28 <mestery> Should we expect at least minor object model changes here? jorgem sbalukoff enikanorov_?? 14:23:32 <enikanorov_> it's better to do anychanges in the way that existing code (even if changed) still works 14:23:33 <vjay> what are the aspects in which comparision will be done? like backward compatibil 14:23:38 <enikanorov_> mestery: absolutely 14:23:45 <sbalukoff> mestery: I think so. 14:23:47 <sbalukoff> But... 14:23:48 <vjay> reuse 14:24:06 <sbalukoff> Stated another way, I think: Are there any potential changes that are off the table? 14:24:18 <enikanorov_> object model changes in several aspects: attributes, relationships and object being added 14:24:29 <jorgem> mestery: There will definitely be additions since there are new features being requested. 14:24:36 <enikanorov_> i think both proposals imply that 14:24:43 <blogan> well i'm just afraid that if we try to duct tape the API around an object model that doesn't work well with the API then it will be a maintenance nightmare, thats my real concern 14:24:45 <mestery> sbalukoff: I am an evolutionary guy, so if we can evolve the current model into something new, it's better, but lets see what we come up with. 14:24:52 <mestery> jorgem: Agreed there. 14:25:07 <enikanorov_> blogan: obj model is changed with API obviously 14:25:10 <mestery> blogan: Lets cross that bridge when we get there and make a call as a team at that point. 14:25:16 <blogan> mestery: evolution is fine from a good foundation 14:25:29 <jorgem> I think we should agree on API spec first. Then figure out a transition plan. 14:25:32 <enikanorov_> blogan: the foundation is good enough, actually 14:25:38 <german_> jorgem +1 14:25:41 <mestery> jorgem: +1 14:25:47 <TrevorV> jorgem: +1 14:25:51 <enikanorov_> yes, that would be the right thing to do 14:25:59 <sbalukoff> jorgem: +1 14:26:00 <mestery> Perfect! 14:26:04 <crc32> yea like evolution works but some APIs have to go extinct for this to work. 14:26:04 <tmc3inphilly> +1 14:26:10 <mestery> OK, anything else on the API front now? 14:26:23 <samuelbercovici> jorgem: +1 14:26:25 <mestery> I think we have a good plan for the next week to address this. 14:26:32 <vjay> should we discussion on what aspects to be considered during comparison? 14:26:42 <rm_work> my questions about SSL are specific to sbalukoff's API proposal, so does that count for API discussion or SSL discussion? :) 14:26:42 <mestery> And we should definitely continue the ML discussions on the API Front once the comparison spreadsheet is done. 14:26:44 <vjay> sorry discuss 14:26:53 <blogan> no im good 14:27:06 <mestery> rm_work: Lets answer vjay's question then go to SSL :) 14:27:11 <jorgem> vjay: I think that is a good idea. What metrics to compare on? 14:27:29 <jorgem> before we go into SSL 14:27:32 <sbalukoff> vjay: I think our plan was to compare / contrast workflows for specific use cases, and present this in a spreadsheet. 14:27:32 <mestery> vjay: I think we're covering all use cases and mapping APIs to the use cases, right jorgem sbalukoff? 14:27:49 <sbalukoff> mestery: Yes. 14:28:05 <mestery> vjay: Does that answer your question? 14:28:08 <samuelbercovici> I think that probably the first 8 use cases should be fine to see how workflows would differ 14:28:12 <sbalukoff> vjay: So, if yo have a specific use case that's not yet addressed in the document, get it in there ASAP! 14:28:21 <vjay> ok. 14:28:32 <vjay> thats fine 14:28:39 <mestery> OK, lets move on to SSL. 14:28:44 <mestery> rm_work: The floor is yours. :) 14:28:51 <rm_work> yes, many of those use cases are really "duplicate" with regard to actual workflow, since they just specify like "do what we just did, but with a different protocol", etvc 14:28:53 <rm_work> *etc 14:29:13 <rm_work> mestery: heh, well I don't have MUCH, just trying to understand how SSL Term works in sbalukoff's proposal 14:29:33 <rm_work> sbalukoff: I think I may get it now -- so to do SSL Term, you use HTTPS protocol, and HTTPS passthrough would use TCP? 14:29:57 <rm_work> I was just expecting HTTPS to be "passthrough" and there to be a specific option to enable SSL Term, since that is what I am used to seeing 14:30:39 <sbalukoff> rm_work: Yes. Though I didn't specifically address the case of doing session tracking using SSL session_id in this-- that could be done with additions to the Layer-7 stuff, or an explicit flag that states whether HTTPS connections should be terminated on the load balancer. 14:31:23 <sbalukoff> rm_work: That specific option could be added. 14:31:27 <rm_work> yeah, ok 14:31:38 <rm_work> I might worry it would be confusing when not explicit :) 14:31:42 <sbalukoff> One of the goals of my API was to try to keep the number of object and number of attributes per object minimal. 14:31:44 <samuelbercovici> SSL session_id is usualy a persistency property for HTTPS 14:31:53 <sbalukoff> Since there's a maintenance cost going forward for having them. 14:32:15 <blogan> sbalukoff: that is a good goal to have 14:32:17 <sbalukoff> samuelbercovici: Yep. 14:32:37 <rm_work> that's all I had :) like I said, just wanted to clear that up 14:32:40 <sbalukoff> blogan: There are other implications like that subtly hidden in my API proposal. 14:32:41 <samuelbercovici> so we could have had HTTPS for non teminated protocols and TLS for terminated ones 14:33:16 <rm_work> samuelbercovici: so that the protocol more clearly implies what's happening with regard to termination? 14:33:26 <sbalukoff> samuelbercovici: Yep! It's just a matter of specifing the exact parameter, and what the load balancer behavior should be for each parameter. 14:33:37 <samuelbercovici> this is a good things as there are capabilities available for TLS which should not be available for HTTPS 14:33:52 <rm_work> I would be for that, though I worry about the redundancy of having another protocol just to explicitly state "this is HTTPS Passthrough" when it's exactly the same functionally as TCP :( 14:34:08 <german_> +1 14:34:31 <samuelbercovici> rm_work: this is not exactly the case as for exmaple SSL session id is only relevant for HTTPS and not TCP 14:34:37 <rm_work> ah, true 14:34:43 <sbalukoff> rm_work: Would it make sense to list the protocols we want to support and how they should be treated on the load balancer? 14:34:56 <german_> yes 14:35:02 <samuelbercovici> actualy TLS has all the capabilitiy of HTTP 14:35:10 <samuelbercovici> from a configuration perspective 14:35:13 <crc32> SSL session id is apart of the TLS handshake so it could be used on TCP as well right? 14:35:19 <rm_work> sbalukoff: maybe? normally I would say that's outside the realm of an API spec, but in this case they have specific implications about API functionality 14:35:47 <sbalukoff> rm_work: The devil is always in the details. :) 14:35:56 <samuelbercovici> crc32: but if it is a pure TCP protocol it should not be avialble for selection 14:36:02 <tmc3inphilly> from an end-user of the api having a specific call out for termination would be best 14:36:09 <tmc3inphilly> less abiguity 14:36:29 <samuelbercovici> i agree 14:36:34 <rm_work> Well, if the protocols were more clear in specifying that they were controlling SSLTerm/Passthrough, it would be fine I think 14:36:35 <sbalukoff> Well, there's also the question: Is there a use case we're considering that uses TLS that *is not* just HTTPS? 14:36:36 <tmc3inphilly> think of least common denominator (customers) 14:36:44 <rm_work> as it is, it was ambiguous enough to cause me confusion 14:36:49 <sbalukoff> ie. some other protocol support that's also using transport layer security? 14:36:56 <sbalukoff> If so, can we get that added to the use cases? 14:37:28 <rm_work> HTTP / HTTPS (Terminated) / HTTPS (Passthrough) / TCP 14:37:38 <samuelbercovici> sbalukoff: obviously HTTPS on a non default 443 port does not meet your case, right? 14:38:43 <samuelbercovici> sbalukoff: in your proposal there is a difference between SNI and a siongle certificate, why is this? 14:39:03 <rm_work> but anyway, that is pretty much my only gripe currently with this proposal (other than I'd rather have Loadbalancer as the root object instead of VIP, though I see that you're trying to use an LB object for something specific at a higher level...) 14:39:08 <sbalukoff> samuelbercovici: Actually HTTPS on a non-standard port is still HTTPS, in my opinion. 14:39:14 <crc32> sbalukoff: I can't think of one but tls does appear specified outside of the protocol. So do we lock TLS into HTTP(ssl term) and HTTPS(passthrough with SSLID persistence) only and regret it later on? 14:39:16 <sbalukoff> Covered under the same use case. 14:39:22 <rm_work> sbalukoff +1 14:39:28 <samuelbercovici> balukoff: yes i agree 14:39:33 <TrevorV> sbalukoff: there are a great many SSL termination use-cases in the document. Some of which I have addressed with the Rackspace proposal already, we can see those when we compare the APIs if you like 14:39:43 <rm_work> samuelbercovici: and I think it is because there should be a default cert for fallback if no SNI matches? 14:40:01 <sbalukoff> crc32: Until someone has a use case we want to address, yes. In this case, I don't like leaving things too open-ended or you end up trying to solve problems that are never actually problems. 14:40:19 <rm_work> oh wait, i might be reading the wrong section 14:40:30 <sbalukoff> So on the SNI stuff: 14:40:41 <samuelbercovici> rm_work: I think that might be addressed by ordering the list 14:40:49 <crc32> fair enough. I just wonder if any one wants LDAPS to session persisted. 14:40:56 <sbalukoff> Yes, the default cert id attribute of the listener covers cases of HTTP/1.0 connections, or where SNI is not being used. 14:41:42 <sbalukoff> It turns out, even with SNI, you still need to specify the default cert, in case the web client asks for a hostname that's not explicitly configured. 14:41:42 <rm_work> samuelbercovici: yeah, i would assume the default cert id would be used if there are no SNI rules specified, as opposed to requiring an SNI rule on every SSL LB, and using * as a match 14:42:34 <sbalukoff> If you're just going to be using one certificate for a given HTTPS site, then you don't have to worry about SNI policies at all. 14:42:41 <sbalukoff> Just specify the default_certificate_id. 14:43:14 <sbalukoff> But if you want to use more than one certificate for a listener (ie. this is an IP + single port combination), then the only way to do this is with SNI. 14:43:15 <samuelbercovici> default certificate must be provided in case SNI is not supported 14:43:30 <sbalukoff> samuelbercovici: Correct. 14:43:49 <samuelbercovici> but it can be the 1st in the list 14:43:50 <sbalukoff> Though, with very few exceptions, all modern browsers can do SNI. 14:43:58 <samuelbercovici> if no SNI, than only one certificate 14:44:06 <sbalukoff> Yes. 14:44:23 <sbalukoff> That works too... 14:44:23 <samuelbercovici> so why are there two diferent entries? 14:44:34 <rm_work> samuelbercovici: but then you require the user to set up "SNI Cert" with some match, even if they don't know what SNI *is*? :P 14:44:43 <sbalukoff> I was trying to do the same kind of model that works for default pool vs. pool that gets selected for L7 policy. 14:44:54 <sbalukoff> Er... pool that gets selected by an L7 policy. 14:45:29 <sbalukoff> rm_work: If the user wants to use more than one certificate per HTTPS listener, they need to understand they're using SNI. 14:45:36 <sbalukoff> As it is, though... 14:45:40 <rm_work> but if they don't want more than one.... 14:45:41 <samuelbercovici> the other part is that I prefer to specify trusted certificates using the same scemantics on a differetn list 14:45:54 <rm_work> they shouldn't have to set up SNI, which they would if we removed the "default cert" concept 14:46:04 <sbalukoff> rm_work: Aah! Yes, you're right. 14:46:27 <samuelbercovici> this might be more easier than to ustilize if certificates are actualy stores in Barbican 14:46:53 <sbalukoff> Yeah, I have no problem splitting trusted_certificates away as its own object instead of using the ca_chain field of the tls_certificates objects. 14:47:03 <sbalukoff> The way I suggested uses fewer objects but is certainly more confusing. 14:47:07 <tmc3inphilly> how would that work for an off-the-shelf LB on the backend? 14:47:47 <sbalukoff> tmc3inphilly: Sorry, I'm not sure who you're asking, and that "that" is in your question. 14:47:59 <sbalukoff> and what "that" is. 14:48:04 <sbalukoff> Sheesh. Sorry, guys, it's early. 14:48:12 <tmc3inphilly> sorry the management of certs through Barbican 14:48:17 <samuelbercovici> I am also missing the capability to controll allowed protocols (ex: TLS1, TLS.1.2) and allowed cypher suites both for temination an backencryption 14:48:25 <rm_work> I assume it would be "transparently" 14:48:48 <rm_work> samuelbercovici: I am not sure allowing control of cipher suites is a great idea in general <_< 14:49:03 <tmc3inphilly> you should be able to specify protocols (force TLS 1.2) 14:49:04 <rm_work> I guess if it is an absolute requirement for some... 14:49:12 <sbalukoff> tmc3inphilly: Oh! Well... I need to look into how to use barbican first of all. But presumably it'd would be treated simply as an SSL certificate store. So you could potentially still add and removed certificates using LBaaS API, they just won't be stored by us. 14:49:42 <tmc3inphilly> sbalukoff gotcha 14:49:47 <samuelbercovici> sbalukoff: yes, this is how it shoould be treated 14:49:49 <rm_work> sbalukoff: yeah, that's what I am thinking. it's essentially transparent. we take in the cert -> throw it in barbican -> store the barbican ID 14:49:59 <rm_work> done 14:50:00 <sbalukoff> samuelbercovici: Yes, I didn't address SSL ciper and protocol support. I think I would just make these additional attributes of the listener. 14:50:09 <mestery> rm_work: +1 to that 14:50:36 <crc32> sbalukoff I was advocating useing barbican to store the keys only (Since encrypting the keys was the end goal) and not for storing the X509s as well. 14:50:41 <samuelbercovici> sbalukoff: ok. the one I have in addition 14:50:50 <sbalukoff> samuelbercovici: I don't see a real need to control ciphers and protocol information per certificate. (I'm not even sure that's possible.) 14:51:05 <tmc3inphilly> how about cipher suite profile? 14:51:05 <rm_work> there is some question about HOW we store it in barbican (on the tenant? on our own service account? if it's on the tenant, what happens if they mess with it outside of our API?) but that discussion can happen later 14:51:05 <crc32> sbalukoff' 14:51:08 <samuelbercovici> sbalukoff: you are right 14:51:09 <sbalukoff> crc32: It could be done that way, too, yes. 14:51:40 <tmc3inphilly> pre-defined cipher suite profiles 14:51:46 <enikanorov_> folks, i suggest we switch to the summit agenda 14:51:46 <sbalukoff> rm_work: Yes, it would be on the tenant, and presumably that would break things for us if they do mess with it outside our API. 14:51:47 <crc32> sbalukoff: No I think the attempt was to store the CIPHER suit at the loadbalancer layer. 14:51:52 <enikanorov_> we have 10 minutes left 14:52:07 <mestery> 10 minutes left, yes. :) 14:52:11 <mestery> Actually now 8 14:52:17 <samuelbercovici> sbalukoff: it should be on the tenant 14:52:23 <german_> and we can't run over :-) 14:52:23 <sbalukoff> Ok, further SSL questions on the mailing list! 14:52:33 <mestery> sbalukoff: +1! 14:52:38 <german_> +1 14:52:47 <mestery> OK, so, Summit Agenda. 14:53:00 <mestery> LBaaS has 2 40 minute slots, there is a lot to cover and we want to make good use of those slots. 14:53:13 <enikanorov_> i think there should be 2 general discussions 14:53:23 <samuelbercovici> concluding the API decision would be top 14:53:25 <enikanorov_> which are user requirements and operator rquirements 14:53:48 <mestery> We may want to leave some time in one session for the key/certificate discussion with Barbican as well, just a thought. Maybe 15-20 minutes of one of those. 14:53:58 <enikanorov_> right 14:54:02 <samuelbercovici> to me the goal form the summit is to have action items, tasks and prople allocated so work could start 14:54:13 <enikanorov_> i also think that's not necessary to devide those two in 1:1 ratio 14:54:16 <sbalukoff> samuelbercovici: +1 14:54:36 <samuelbercovici> mestery: I think we can discuss 1st with VPNaaS and Barbican on ML 14:54:37 <mestery> Yes, we should be prepared to discuss open items which have not closed prior to the summit, and come out of it with a plan to move forward. 14:54:49 <enikanorov_> also, there's an idea to hold additional face to face discussion out of design tracks. i'll probably will have a room to host this 14:54:54 <mestery> samuelbercovici: Yes, in fact we discussed in the advanced services meeting yesterday. 14:54:55 <enikanorov_> what do you think on this? 14:55:09 <jorgem> Once an API proposal is selected (to start from). We need to figure out a transition plan in terms of implementation. Should that be a part of the general meetings or held in more of the design sessions? 14:55:20 <mestery> enikanorov_: That's good, we need to make sure we send invites on ML so people know where it is, times, etc. 14:55:28 <enikanorov_> mestery: sure! 14:55:45 <mestery> jorgem: I think we should proceed on ML for that one and hope to close before the summit. 14:55:50 <samuelbercovici> enikanorov_: gr8 14:56:07 <jorgem> mestery: Close on API, transition plan or both? 14:56:10 <rm_work> One thing that we will need to do is discuss either the reworking of the current haproxy driver, or the creation of a new opensource driver for the HA / Scalability / Operator Requirements concerns. We've left this on the backburner because of the (correct) focus on the API, but it might at least be worth mentioning. I suppose we could probably un-conference that discussion though. 14:56:45 <samuelbercovici> mestery: if from some reason this is not done by th summit. than it must be done in the summit in whatever manner otherwise we can progress anywhere 14:56:49 <enikanorov_> rm_work: that's interesting 14:56:54 <sbalukoff> rm_work: My team is already engaged in the latter, though we've not made much progress as I've been rather distracted with API discussion lately. :) 14:57:03 <enikanorov_> rm_work: can you send me an email with your thoughts on this? 14:57:05 <rm_work> sbalukoff: yeah, I assume this will be a group effort 14:57:15 <sbalukoff> Yep. 14:57:20 <samuelbercovici> rm_work: +1 14:57:21 <german_> yep 14:57:24 <rm_work> enikanorov_: I'll try to work something up today. Just you, or just throw it up on the ML? 14:57:31 <mestery> jorgem: API, sorry. :)_ 14:57:37 <crc32> ML would be fine rm_work. 14:57:38 <enikanorov_> yeah, ML is even better 14:57:38 <german_> ML, please 14:57:42 <rm_work> kk 14:57:45 <mestery> samuelbercovici: Agreed 14:58:28 <mestery> OK, we're about out of time. 14:58:33 <mestery> Lets wrap this one up now. 14:58:33 <enikanorov_> ok, so we'll have another meeting before the summit 14:58:39 <mestery> We have some good action items! 14:58:43 <enikanorov_> yeah 14:59:03 <samuelbercovici> gr8 stuff!!! 14:59:09 <jorgem> Alright, thanks everyone! 14:59:11 <sbalukoff> Yay! 14:59:12 <rm_work> ah I suppose... 14:59:22 <rm_work> #action rm_work Start driver discussion on ML 14:59:36 <mestery> Thanks everyone, we'll see you all in-channel or on the ML! 14:59:51 <samuelbercovici> bye 14:59:54 <vjay> thanks, bye 14:59:55 <enikanorov_> see you, bye 14:59:57 <german_> bye 15:00:02 <rm_work> thanks! 15:00:05 <TrevorV> thanks! 15:00:09 <tmc3inphilly> ciao 15:01:10 <mestery> enikanorov_: Did you do #endmeeting? 15:01:17 <sbalukoff> Nope. 15:01:20 <enikanorov_> not yet 15:01:23 <mestery> K 15:01:23 <enikanorov_> #endmeeting