15:02:55 <noonedeadpunk> #startmeeting openstack_ansible_meeting
15:02:56 <openstack> Meeting started Tue May 11 15:02:55 2021 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:57 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:03:00 <openstack> The meeting name has been set to 'openstack_ansible_meeting'
15:03:00 <noonedeadpunk> #topic office hours
15:03:03 <noonedeadpunk> o/
15:12:46 <jrosser> o/ sorry in another meeting for a while
15:12:52 <noonedeadpunk> np)
15:13:08 <noonedeadpunk> so, the main thing from me, is that this week we move train to EM
15:14:05 <noonedeadpunk> also https://review.opendev.org/c/openstack/openstack-ansible/+/790042 is super close, but upgrade jobs fail in pretty frustrating way tbh
15:15:30 <noonedeadpunk> oh, well, once I said that, I got the reason:)
15:16:28 <noonedeadpunk> I had pretty short previous week because of public holidays here, so didn't accomplish much
15:17:06 <noonedeadpunk> centos failure for manila is an issue btw, which prevents from fixing a lot of the stuff for the role
15:17:45 <noonedeadpunk> and it's failing with connection timeouts, like it's oom, but see nothing that would point to it in logs
15:18:49 <noonedeadpunk> and test_mount_share_one_vm passes there...
15:19:09 <noonedeadpunk> so really not sure what's wrong there - probably should spawn an aio to check out
15:19:21 <noonedeadpunk> Regarding PKI role - looks really awesome.
15:19:39 <noonedeadpunk> I think I will try it out during the week and check how things look with it
15:19:56 <jrosser> i need to push a few syntax fixes later
15:20:09 <noonedeadpunk> probably worth slowly removing wip?
15:20:13 <jrosser> but i think i'm very happy with how it's slotted into rabbitmq and haproxy
15:20:30 <noonedeadpunk> yeah, roles are now soooo much cleaner
15:20:48 <noonedeadpunk> with amount of stuff dropped from them
15:21:33 <noonedeadpunk> will try to also pick this up and do galera part in case you haven't started that yet
15:21:59 <jrosser> sure, that would be really nice validation if someone other than me could understand and use it
15:22:20 <noonedeadpunk> also massive part there would be documentation of the way we handle SSLs nowadays
15:22:36 <noonedeadpunk> but lets merge main things first
15:22:38 <jrosser> i did a small part on that in the latest WIP patch to openstack-ansible
15:22:52 <jrosser> but i think it needs some thought as it's kind of totally configurable
15:22:54 <noonedeadpunk> oh, I think I just haven't seen it yet :(
15:24:31 <noonedeadpunk> I think except rabbit/galera/haproxy would be awesome to finally encrypt live migrations as well, but I suspect that there might be pretty tricky things
15:25:38 <noonedeadpunk> oh, wait. don't we leverage https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/790078/5/tasks/haproxy_ssl_key_distribute.yml for let's encrypt?
15:25:51 <jrosser> no, each instance is independent
15:26:19 <noonedeadpunk> even when we first time issue?
15:26:23 <jrosser> i think with the PKI role it will run for each host
15:26:41 <jrosser> rather than need to distribute, and it puts in a SAN for the external_vip
15:27:06 <noonedeadpunk> but for SAN you need dns-01?
15:27:19 <jrosser> no, only for wildcard
15:27:27 <jrosser> oh well hold on
15:27:29 <noonedeadpunk> ah, ok, agree, sorry
15:27:38 <jrosser> for the initial selfsigned kind of anything will do
15:27:43 <jrosser> just enough to make haproxy start
15:31:47 <noonedeadpunk> hm, I stopped understanding how lets encrypt works in our scenario :( to make it issue cert we need to stop all haproxy except one, so that VIP was moving between nodes?
15:32:13 <noonedeadpunk> otherwise how it's passing http-01
15:32:39 <noonedeadpunk> (without shared storage at least)
15:32:41 <jrosser> no they all run
15:32:56 <jrosser> there is a backend to haproxy which looks for N possible certbots running
15:33:07 <noonedeadpunk> oh
15:33:13 <jrosser> there will only ever be one running on one haproxy when the cert is issued / renewed for *that* node
15:33:33 <jrosser> we use haproxy to direct traffic from the VIP to the backend that needs it
15:33:45 <noonedeadpunk> yeah, agree
15:34:15 <noonedeadpunk> I kind of recalled why I did all sorts of nasty stuff when wanted let's encrypt to issue certs behind haproxy
15:34:27 <noonedeadpunk> because that haproxy was in octavia, so disregard please:)
15:34:45 <jrosser> aah ok
15:35:34 <noonedeadpunk> I wonder if we can in some time also cover internal endpoints with ssl having pki role on hands
15:35:52 <jrosser> so i was thinking where do we want to call "done" for W
15:35:55 <noonedeadpunk> well, we can, technically, but I meant more about if it makes sense
15:36:09 <jrosser> it could be haproxy+rabbit then the rabbit and tempest problems go away
15:36:18 <jrosser> ssl for everything else could be for X
15:36:43 <noonedeadpunk> haproxy+rabbit+galera?
15:36:56 <jrosser> could do
15:37:19 <noonedeadpunk> we can stop actually just with rabbit. but want to play with role anyway)
15:37:25 <jrosser> haproxy might need some work to have different certs on the inside and outside
15:37:38 <jrosser> that would be ideal to terminate and re-encrypt with the private CA
15:38:12 <noonedeadpunk> I'd say let's do this for X ?
15:38:26 <jrosser> i would say yes, keep it minimal for W
15:38:42 <noonedeadpunk> For W I think we need to repair manila and adjutant at least
15:38:43 <jrosser> it also protects against problem / design issue with the PKI role as its use is quite minimal
15:39:22 <noonedeadpunk> oh, well, Bullseye image has landed
15:39:32 <noonedeadpunk> so probably worth looking at its shape...
15:39:53 <jrosser> yeah, maybe even considering making W the transition if it was possible
15:40:07 <jrosser> to reduce the amount of stuff to cover for X
15:40:13 <noonedeadpunk> yeah...
15:40:24 <jrosser> could probably find in ~ 1 day if it's going to work or not
15:41:32 <noonedeadpunk> just found your comments on https://review.opendev.org/c/openstack/openstack-ansible/+/789376 - will take care of them
15:41:55 <noonedeadpunk> I also have pretty vague memories about distro upgrade path...
15:53:16 <openstackgerrit> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [DNM] Add Debian Bullseye support https://review.opendev.org/c/openstack/openstack-ansible/+/783606
15:57:24 <openstackgerrit> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [DNM] Add Debian Bullseye support https://review.opendev.org/c/openstack/openstack-ansible/+/783606
15:57:35 <noonedeadpunk> #endmeeting