#openstack-lbaas log

16:03:21 <johnsom> #startmeeting Octavia
16:03:22 <openstack> Meeting started Wed Feb 17 16:03:21 2021 UTC and is due to finish in 60 minutes.  The chair is johnsom. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:03:23 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:03:25 <openstack> The meeting name has been set to 'octavia'
16:03:29 <johnsom> #chair rm_work
16:03:30 <openstack> Current chairs: johnsom rm_work
16:03:44 <rm_work> Ah, yes
16:03:53 <gthiemonge> o/
16:04:09 <rm_work> Lol I was literally just here and got distracted with email
16:04:19 <rm_work> o/
16:04:37 <johnsom> That is why I was giving you the opportunity to run the meeting. grin
16:05:12 <cgoncalves> hi
16:06:07 <johnsom> o/
16:06:17 <rm_work> Not on my actual computer yet, too early, sec
16:06:53 <johnsom> It *is* too early, but sadly I have already been on an hour of meetings
16:07:52 <johnsom> #topic Announcements
16:07:59 <johnsom> I can get started with the boiler plate stuff
16:08:07 <johnsom> Final client release is first week in March
16:08:15 <johnsom> Feature freeze for everything else is the second week in March
16:08:23 <johnsom> We have a priority bug review list:
16:08:31 <johnsom> #link https://etherpad.openstack.org/p/octavia-priority-reviews
16:08:48 <johnsom> Any other announcements this week?
16:10:12 <johnsom> #topic Brief progress reports / bugs needing review
16:11:08 <johnsom> I added an RBAC topic later in the agenda, but my focus has been on updating our RBAC policies for the Keystone scoped tokens and default roles.
16:11:16 <johnsom> I will talk more about that in the later topic
16:12:13 <gthiemonge> I fixed the two-node job: https://review.opendev.org/c/openstack/octavia-tempest-plugin/+/773888
16:12:34 <openstackgerrit> Merged openstack/octavia master: Add SCTP support in Amphora  https://review.opendev.org/c/openstack/octavia/+/753247
16:12:44 <gthiemonge> it will be useful to have it to merge the AZ tests in octavia-tempest-plugin
16:12:46 <johnsom> Nice
16:13:33 <gthiemonge> I also worked on the centos-8 job (dirty hack), we're still discussing it with cgoncalves
16:14:17 <gthiemonge> another interesting octavia-tempest-plugin commit: https://review.opendev.org/c/openstack/octavia-tempest-plugin/+/774157
16:15:17 <gthiemonge> it fixes an issue with our ipv6 vip tests (ipv6 vip tests are using devstack non-shared/private network)
16:20:04 <johnsom> Thanks for working on that.
16:20:09 <johnsom> Any other updates? rm_work?
16:22:34 <johnsom> #topic RBAC work
16:22:40 <johnsom> Ok, I will move on
16:23:33 <johnsom> So, if you are not aware Keystone has two initiatives (token scopes and default roles). Even though this isn't a community goal, Red Hat is pushing to have these implemented across the services for Wallaby.
16:24:13 <johnsom> An initial set of patches were pushed
16:24:15 <johnsom> #link https://review.opendev.org/q/project:openstack/octavia+status:open+owner:lbragstad%2540redhat.com
16:24:47 <johnsom> however those were "blow it away" patches that removed all of the advanced RBAC Octavia has had.
16:25:34 <johnsom> I have point on getting these straightened out. The first step in that is:
16:25:41 <johnsom> #link https://review.opendev.org/c/openstack/octavia/+/775957
16:26:05 <johnsom> The intent here is to merge our more strict advanced RBAC with the new default roles and scopes.
16:26:51 <johnsom> Please take some time and carefully review that patch as it's the basis for the following patches and we don't want to make a mistake in our API Rules Based Access Control (RBAC).
16:27:04 <johnsom> That would be bad. (tm)
16:27:16 <rm_work> fortunately I think our testing on the RBAC stuff is pretty good
16:28:00 <johnsom> Yeah, it's going to need to be updated as well. It's on my list
16:28:39 <johnsom> Unfortunately this new stuff complicates the RBAC. So I also spent some time updating the docs to help with that. Let me know if we need more
16:29:55 <johnsom> I ran into an issue where Tempest was giving every credential the new "member" role, which .... means you can't test with non-member or reader roles via Tempest. A patch is pending to fix that.
16:30:05 <johnsom> #link https://review.opendev.org/c/openstack/devstack/+/774524
16:30:54 <johnsom> Ok, that is all I had. Please give it a good look over so we don't  end up with some CVE or something. grin
16:31:38 <johnsom> Or non-backward compatible.
16:31:44 <gthiemonge> ack, I will take a look
16:31:44 <johnsom> #topic Open Discussion
16:31:59 <johnsom> Anything else today?
16:33:36 <rm_work> not much here
16:34:18 <johnsom> I still need to take a look at the bug about failover with subnets out of IPs causing VIP issues. It's top on my list.
16:36:44 <johnsom> Well, if there isn't anything else we can get on with reviews!
16:37:00 <johnsom> #endmeeting