15:02:55 #startmeeting openstack_ansible_meeting
15:02:56 Meeting started Tue May 11 15:02:55 2021 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:57 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:03:00 The meeting name has been set to 'openstack_ansible_meeting'
15:03:00 #topic office hours
15:03:03 o/
15:12:46 o/ sorry, in another meeting for a while
15:12:52 np)
15:13:08 so, the main thing from me is that this week we move train to EM
15:14:05 also https://review.opendev.org/c/openstack/openstack-ansible/+/790042 is super close, but upgrade jobs fail in a pretty frustrating way tbh
15:15:30 oh, well, once I said that, I got the reason:)
15:16:28 I had a pretty short previous week because of public holidays here, so didn't accomplish much
15:17:06 centos failure for manila is an issue btw, which prevents fixing a lot of the stuff for the role
15:17:45 and it's failing with connection timeouts, like it's oom, but I see nothing that would point to it in logs
15:18:49 and test_mount_share_one_vm passes there...
15:19:09 so really not sure what's wrong there - probably should spawn an aio to check it out
15:19:21 Regarding the PKI role - looks really awesome.
15:19:39 I think I will try it out during the week and check how things look with it
15:19:56 i need to push a few syntax fixes later
15:20:09 probably worth slowly removing wip?
15:20:13 but i think i'm very happy with how it's slotted into rabbitmq and haproxy
15:20:30 yeah, roles are now soooo much cleaner
15:20:48 with the amount of stuff dropped from them
15:21:33 will try to also pick this up and do the galera part in case you haven't started that yet
15:21:59 sure, that would be really nice validation if someone other than me could understand and use it
15:22:20 also a massive part there would be documentation of the way we handle SSL nowadays
15:22:36 but let's merge the main things first
15:22:38 i did a small part on that in the latest WIP patch to openstack-ansible
15:22:52 but i think it needs some thought as it's kind of totally configurable
15:22:54 oh, I think I just haven't seen it yet :(
15:24:31 I think besides rabbit/galera/haproxy it would be awesome to finally encrypt live migrations as well, but I suspect that there might be pretty tricky things
15:25:38 oh, wait. don't we leverage https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/790078/5/tasks/haproxy_ssl_key_distribute.yml for let's encrypt?
15:25:51 no, each instance is independent
15:26:19 even when we issue for the first time?
15:26:23 i think with the PKI role it will run for each host
15:26:41 rather than need to distribute, and it puts in a SAN for the external_vip
15:27:06 but for a SAN you need dns-01?
15:27:19 no, only for wildcard
15:27:27 oh well hold on
15:27:29 ah, ok, agree, sorry
15:27:38 for the initial self-signed, kind of anything will do
15:27:43 just enough to make haproxy start
15:31:47 hm, I stopped understanding how let's encrypt works in our scenario :( to make it issue a cert we need to stop all haproxy except one, so that the VIP was moving between nodes?
15:32:13 otherwise how is it passing http-01
15:32:39 (without shared storage at least)
15:32:41 no, they all run
15:32:56 there is a backend to haproxy which looks for N possible certbots running
15:33:07 oh
15:33:13 there will only ever be one running on one haproxy when the cert is issued / renewed for *that* node
15:33:33 we use haproxy to direct traffic from the VIP to the backend that needs it
15:33:45 yeah, agree
15:34:15 I kind of recalled why I did all sorts of nasty stuff when I wanted let's encrypt to issue certs behind haproxy
15:34:27 because that haproxy was in octavia, so disregard please:)
15:34:45 aah ok
15:35:34 I wonder if we can in some time also cover internal endpoints with ssl, having the pki role on hand
15:35:52 so i was thinking where do we want to call "done" for W
15:35:55 well, we can, technically, but I meant more about whether it makes sense
15:36:09 it could be haproxy+rabbit, then the rabbit and tempest problems go away
15:36:18 ssl for everything else could be for X
15:36:43 haproxy+rabbit+galera?
15:36:56 could do
15:37:19 we can stop actually just with rabbit. but want to play with the role anyway)
15:37:25 haproxy might need some work to have different certs on the inside and outside
15:37:38 that would be ideal, to terminate and re-encrypt with the private CA
15:38:12 I'd say let's do this for X ?
15:38:26 i would say yes, keep it minimal for W
15:38:42 For W I think we need to repair manila and adjutant at least
15:38:43 it also protects against problem / design issue with the PKI role as its use is quite minimal
15:39:22 oh, well, Bullseye image has landed
15:39:32 so probably worth looking at its shape...
15:39:53 yeah, maybe even considering making W the transition if it was possible
15:40:07 to reduce the amount of stuff to cover for X
15:40:13 yeah...
15:40:24 could probably find out in ~1 day whether it's going to work or not
15:41:32 just found your comments on https://review.opendev.org/c/openstack/openstack-ansible/+/789376 - will take care of them
15:41:55 I also have pretty vague memories about the distro upgrade path...
15:53:16 Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [DNM] Add Debian Bullseye support https://review.opendev.org/c/openstack/openstack-ansible/+/783606
15:57:24 Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [DNM] Add Debian Bullseye support https://review.opendev.org/c/openstack/openstack-ansible/+/783606
15:57:35 #endmeeting