16:00:20 <gthiemonge> #startmeeting Octavia
16:00:20 <opendevmeet> Meeting started Wed Sep 28 16:00:20 2022 UTC and is due to finish in 60 minutes.  The chair is gthiemonge. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:20 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:20 <opendevmeet> The meeting name has been set to 'octavia'
16:00:23 <gthiemonge> Hi!
16:00:30 <oschwart> o/
16:00:32 <tweining> o/
16:00:33 <matfechner> o/
16:00:48 <johnsom> o/
16:00:48 <QG> o/
16:04:04 <gthiemonge> #topic Announcements
16:04:39 <gthiemonge> I have no announcement this week, we are good with the RC1 for Zed (this week is the deadline for final RCs)
16:05:02 <tweining> no news is good news
16:05:25 <johnsom> +1
16:07:31 <gthiemonge> #topic CI Status
16:08:25 <gthiemonge> regarding the CI, we still have those tests that are randomly failing on stable branches
16:08:44 <gthiemonge> we need to review/approve this backport: https://review.opendev.org/q/Ib3f269cbe80222aafb22a36bb09444480a4bbb8d
16:08:58 <gthiemonge> (I'll take a look after the meeting)
16:09:05 <gthiemonge> johnsom: maybe you can also review them?
16:09:37 <johnsom> ack
16:10:39 <gthiemonge> thanks
16:12:15 <gthiemonge> #topic Brief progress reports / bugs needing review
16:13:15 <gthiemonge> I proposed a fix for a bug reported on storyboard: Octavia raises an exception when deleting a listener that has a deleted certificate
16:13:22 <gthiemonge> #link https://review.opendev.org/c/openstack/octavia/+/859387
16:13:55 <johnsom> We should ping barbican team again on getting the register feature working for secrets.
16:14:10 <gthiemonge> johnsom: what's that?
16:14:57 <johnsom> So, when we used barbican "containers" to store certs, we "registered" that it was in-use with barbican so it could not be deleted.
16:15:27 <dmendiza[m]> johnsom: the API side implementation landed in Zed
16:15:27 <gthiemonge> I didn't know that
16:15:29 <johnsom> When we moved to the secrets API for the pkcs12 bundles, they hadn't yet implemented the "register" feature for secrets.
16:15:40 <dmendiza[m]> johnsom: we're working on the client bits now (including Castellan)
16:15:53 <johnsom> dmendiza[m] Boom, there we go
16:16:15 <johnsom> So we should add an RFE to implement that API in Octavia
16:16:55 <QG> is this feature : https://specs.openstack.org/openstack/barbican-specs/specs/juno/api-add-container-registration.html ?
16:16:57 <johnsom> Deleted certs are a problem for failover in addition to deletion.
16:17:23 <gthiemonge> johnsom: right
16:17:26 <johnsom> QG That is what we have implemented in Octavia for the old way of handling certs
16:17:26 <dmendiza[m]> QG https://specs.openstack.org/openstack/barbican-specs/specs/train/secret-consumers.html
16:17:33 <gthiemonge> that's interesting
16:17:54 <QG> johnsom: the old way ?
16:18:31 <johnsom> QG Yes, the method that does not use pkcs12 files.
16:18:39 <johnsom> It still works, but is deprecated
16:19:04 <gthiemonge> dmendiza[m]: thanks for the update on this ;-)
16:19:30 <QG> ohhhh ok so creating a container with certificate, key and chain secrets in it is deprecated in favor of pkcs12 ?
16:19:35 <johnsom> QG https://docs.openstack.org/octavia/pike/user/guides/basic-cookbook.html#deploy-a-tls-terminated-https-load-balancer
16:19:38 <johnsom> That is the old way
16:20:28 <johnsom> Right, containers is deprecated in favor of using secrets with pkcs12
16:20:45 <QG> johnsom: ok thanks !
16:21:32 <johnsom> The switch happened in Queens
16:22:04 <QG> and why has this way been deprecated ?
16:23:32 <johnsom> Many user experience issues. For one, it's a heck of a lot more barbican API calls. But also, people would mix the wrong key for the cert in the container. PKCS12 is an industry standard and helps users not make as many mistakes
16:24:40 <QG> johnsom: ohhhh ok thanks makes sense  :)
16:24:47 <johnsom> Or not include all of the needed intermediate certs, etc.
16:26:08 <johnsom> Oh, and it is compatible with Vault/castellan where containers are barbican proprietary
16:26:36 <johnsom> Ok, I will stop now, we can keep the meeting moving
16:27:01 <tweining> can you do me a favor and review a one-line change for me please. I added *.orig to .gitignore so that those files cannot get added accidentally after a merge conflict (which happened to me recently)
16:27:12 <tweining> https://review.opendev.org/c/openstack/octavia/+/853875
16:28:36 <QG> If anyone wanted to test the ability to create a Prometheus listener
16:28:40 <gthiemonge> tweining: ack
16:28:40 <QG> #link https://review.opendev.org/c/openstack/octavia-dashboard/+/858576
16:28:42 <johnsom> tweining Did you propose this on all of the Octavia repos? lib, client, etc?
16:29:09 <tweining> johnsom: no, but I agree that I should
16:29:16 <johnsom> +1 thanks!
16:29:36 <gthiemonge> QG: I haven't tested it yet, but I'm going to take a look, and at the ESLint fix too
16:29:52 <QG> gthiemonge: Thanks !
16:29:57 <tweining> #action tweining to propose change to add *.orig to .gitignore to other octavia repos like lib, client, etc.
16:32:37 <tweining> ok, I have one more item, but for the open discussion
16:32:50 <gthiemonge> #topic Open Discussion
16:32:56 <tweining> thanks :)
16:33:36 <tweining> so you might have noticed that I worked on a change that adds support for pre-commit to octavia
16:33:38 <johnsom> #link https://storyboard.openstack.org/#!/story/2010333
16:33:38 <tweining> https://review.opendev.org/c/openstack/octavia/+/858739
16:34:00 <johnsom> Though that might be a duplicate to an existing story
16:34:20 <gthiemonge> johnsom: the old story is probably lost in storyboard
16:35:09 <tweining> it's kind of related to the one line change above. this time it's about avoiding things like trailing spaces in releasenotes yamls, which happens regularly to me
16:35:44 <gthiemonge> tweining: how does it work? we would have to install pre-commit to install those rules?
16:36:04 <tweining> pre-commit basically installs pre-push or pre-commit Git hooks that do some checks as configured in the yaml
16:37:08 <tweining> it is very flexible. the way my configuration works is that it does basic super-fast checks for each commit, and more complex checks only for each push
16:37:30 <tweining> and if pre-commit is not installed this does nothing
16:37:30 <johnsom> Doesn't black modify the code?
16:38:04 <tweining> yes, if it is not formatted yet.
16:38:14 <tweining> about that one I am unsure too.
16:38:29 <gthiemonge> but only in your patch?
16:38:47 <tweining> yes, only changed files AFAIR
16:39:12 <tweining> if code is pep8 compliant black should not change it I think
16:39:24 <johnsom> I think I would prefer to have that in tox somewhere, rather than running at push time.
16:39:56 <tweining> ok, I can remove that particular check then.
16:40:37 <tweining> flake8 should be sufficient anyway for that purpose
16:41:04 <tweining> (the purpose of rejecting the push operation if the code is not formatted)
16:42:08 <gthiemonge> does it take a lot of time? I already run tox -epep8 before sending a patch (it includes flake8)
16:42:15 <tweining> in theory we could make it even run tox I think.
16:42:36 <johnsom> Yeah, that is a fair question, are we doubling up
16:43:00 <tweining> we could make it run tox -epep8 instead maybe, or remove it
16:43:22 <gthiemonge> I'll test the flake8 hook
16:43:28 <opendevreview> Merged openstack/octavia-dashboard master: Update master for stable/zed  https://review.opendev.org/c/openstack/octavia-dashboard/+/857841
16:44:08 <opendevreview> Merged openstack/octavia-dashboard master: Switch to 2023.1 Python3 unit tests and generic template name  https://review.opendev.org/c/openstack/octavia-dashboard/+/857842
16:44:44 <tweining> I don't remember exactly how it works but AFAIR one has to install pre-commit's push hook explicitly or else only the pre-commit hook gets installed. but I can investigate that point.
16:45:34 <tweining> I do remember, that in another project I was working on we ran the full test suite with tox using pre-commit
16:46:07 <gthiemonge> tweining: ack, thanks for working on it
16:46:24 <tweining> the other checks are super-fast however
16:46:50 <gthiemonge> tweining: tox in pre-commit, that might be tough :D
16:47:44 <tweining> tox -epy3,functional,pep8 seems okay to me
16:48:43 <tweining> but only in pre-push then
16:48:56 <gthiemonge> yeah I might use that
16:49:02 <oschwart> Tobiko also uses pre-commit hooks https://opendev.org/x/tobiko/src/branch/master/.pre-commit-config.yaml
16:49:24 <oschwart> So far it was comfortable
16:49:43 <tweining> you use mypy checks? cool
16:50:46 <oschwart> Yeah and it runs pretty fast (1-2 seconds)
16:51:01 <oschwart> (mypy)
16:51:03 <tweining> btw. for Fedora pre-commit can be installed via "dnf install pre-commit"
16:52:29 <tweining> when I had a look at it mypy created a lot of false positives, but I would like to try it out as well at some point
16:52:35 <gthiemonge> good to know
16:52:58 <johnsom> Yeah, too many linters become a problem. We already get push back on using pylint
16:53:17 <tweining> and to install the hooks cd to the Git repo and execute "pre-commit install --hook-type pre-commit --hook-type pre-push"
16:53:29 <johnsom> If this will require packages on the developer systems, we should update the contributor guide.
16:53:39 <tweining> without the arguments it will only install the pre-commit hook
16:54:38 <tweining> johnsom: good point. it's all optional but it makes sense to explain it in the guide at least.
16:55:24 <gthiemonge> it seems that many projects use it: https://codesearch.opendev.org/?q=pre-commit&i=nope&literal=nope&files=.pre-commit-config.yaml&excludeFiles=&repos=
16:56:29 <gthiemonge> ok folks, 4min before the hour... any other topics for this meeting?
16:57:01 <oschwart> Can we close this story https://storyboard.openstack.org/#!/story/2007429 ? Looking for some low hanging fruits to implement/fix I found it
16:57:38 <oschwart> Not urgent of course, but it looks to me like we already implemented/fixed it
16:58:13 <gthiemonge> oschwart: ok, I'll take a look and will mark it as invalid if it is fixed
16:58:25 <oschwart> gthiemonge thanks
16:59:09 <oschwart> Nothing else from me
17:00:07 <gthiemonge> ok
17:00:11 <gthiemonge> thank you folks!!
17:00:17 <gthiemonge> #endmeeting