15:02:12 <noonedeadpunk> #startmeeting openstack_ansible_meeting
15:02:12 <opendevmeet> Meeting started Tue Jun 22 15:02:12 2021 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:12 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:12 <opendevmeet> The meeting name has been set to 'openstack_ansible_meeting'
15:02:18 <noonedeadpunk> #topic rollcall
15:02:31 <noonedeadpunk> o/
15:12:34 <noonedeadpunk> #topic office hours
15:13:41 <noonedeadpunk> So currently what holds us a bit is haproxy patch https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/796940 regarding SSL. I didn't have any time today but going to spend next few days on landing stuff
15:18:20 <noonedeadpunk> Also, I'm going to push deprecation patch for nspawn repos tomorrow (before branching)
15:18:36 <noonedeadpunk> I should have done far ago but clean forgot about it
15:21:12 <noonedeadpunk> another topic is monasca - there're patches that were internally tested and should be working I guess. They need some work at glance, but hope they should be doable
15:21:54 <noonedeadpunk> https://review.opendev.org/c/openstack/openstack-ansible-os_monasca/+/796616 and https://review.opendev.org/c/openstack/openstack-ansible-os_monasca-agent/+/796620
15:22:29 <noonedeadpunk> It's basically re-adding roles in state they were with some adjustments from what I already saw
15:29:46 <noonedeadpunk> I think I will take a look on them once we release
15:30:11 <jrosser> o/ hello
15:31:35 <noonedeadpunk> \o/
15:34:05 <jrosser> i will try to find some time to look again at the SSL stuff
15:34:11 <jrosser> though this will be tomorrow
15:35:06 <noonedeadpunk> I think it's super close actually, but yeah, I will most likely ping you asking for some advice :)
15:35:56 <noonedeadpunk> I believe I should have enough time tomorrow for that, if nothing else will happen
15:36:33 <jrosser> the idea is to make the internal VIP https as well?
15:36:58 <noonedeadpunk> I think so. otherwise we will test nothing
15:37:14 <noonedeadpunk> as we use internal only everywhere
15:38:02 <noonedeadpunk> eventually how I saw that smth weird is going on - senlin tempest patch - it was still failing tempest because of untrusted SSL
15:38:29 <jrosser> oh yes and the whole business with tempestconf too
15:38:34 <noonedeadpunk> yeah
15:39:03 <noonedeadpunk> so I think internal vip over ssl is a good marker and test for pki role at least
15:39:12 <jrosser> there's also another step later, to make the services in the venvs be https too
15:39:50 <noonedeadpunk> well, yes... but let's at least make services be happy with haproxy ssl :)
15:41:09 <noonedeadpunk> it would be a bit more tricky I guess as well
15:41:38 <noonedeadpunk> eventually I think we mostly need to adjust uwsgi role?
15:42:56 <noonedeadpunk> hm, might be not so tough... except maybe haproxy balancing part?
15:44:45 <noonedeadpunk> as we'd need smth like l3 balancing, so we won't be able to figure out if service is alive or returning 500 for $reason (or etc) - as far as uwsgi listens on port it will be considered as okeyish
15:47:14 <jrosser> i think we can have haproxy act as MITM
15:47:38 <jrosser> decrypt/re-crypt and stay as L7 LB
15:49:02 <noonedeadpunk> I wonder if it makes sense to cover services with ssl....
15:49:33 <jrosser> https://www.gilesorr.com/blog/reencrypting-haproxy.html
15:49:57 <jrosser> i guess it depends what paperwork you need to comply with
15:50:13 <noonedeadpunk> well, yes
15:51:09 <noonedeadpunk> I think that encrypting live migrations might be more interesting goal though, but dunno...
15:51:51 <noonedeadpunk> anyway agree, that cover services with SSL should be implemented
15:52:21 <noonedeadpunk> as well as adding some support for toolings for managing CA
15:53:34 <noonedeadpunk> but yeah, let's handle at least what we already have :)
16:00:19 <noonedeadpunk> #endmeeting