15:02:12 #startmeeting openstack_ansible_meeting
15:02:12 Meeting started Tue Jun 22 15:02:12 2021 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:12 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:12 The meeting name has been set to 'openstack_ansible_meeting'
15:02:18 #topic rollcall
15:02:31 o/
15:12:34 #topic office hours
15:13:41 So currently what holds us up a bit is the haproxy patch https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/796940 regarding SSL. I didn't have any time today but I'm going to spend the next few days on landing stuff
15:18:20 Also, I'm going to push a deprecation patch for the nspawn repos tomorrow (before branching)
15:18:36 I should have done it long ago but clean forgot about it
15:21:12 another topic is monasca - there are patches that were internally tested and should be working I guess. They need some work at a glance, but I hope they should be doable
15:21:54 https://review.opendev.org/c/openstack/openstack-ansible-os_monasca/+/796616 and https://review.opendev.org/c/openstack/openstack-ansible-os_monasca-agent/+/796620
15:22:29 It's basically re-adding the roles in the state they were in, with some adjustments from what I already saw
15:29:46 I think I will take a look at them once we release
15:30:11 o/ hello
15:31:35 \o/
15:34:05 i will try to find some time to look again at the SSL stuff
15:34:11 though this will be tomorrow
15:35:06 I think it's super close actually, but yeah, I will most likely ping you asking for some advice :)
15:35:56 I believe I should have enough time tomorrow for that, if nothing else happens
15:36:33 the idea is to make the internal VIP https as well?
15:36:58 I think so. otherwise we will test nothing
15:37:14 as we use internal only everywhere
15:38:02 eventually how I saw that something weird is going on - the senlin tempest patch - it was still failing tempest because of untrusted SSL
15:38:29 oh yes and the whole business with tempestconf too
15:38:34 yeah
15:39:03 so I think internal vip over ssl is a good marker and test for the pki role at least
15:39:12 there's also another step later, to make the services in the venvs be https too
15:39:50 well, yes... but let's at least make services be happy with haproxy ssl :)
15:41:09 it would be a bit more tricky I guess as well
15:41:38 eventually I think we mostly need to adjust the uwsgi role?
15:42:56 hm, might not be so tough... except maybe the haproxy balancing part?
15:44:45 as we'd need something like l3 balancing, so we won't be able to figure out if a service is alive or returning 500 for $reason (or etc) - as long as uwsgi listens on the port it will be considered as okayish
15:47:14 i think we can have haproxy act as MITM
15:47:38 decrypt/re-encrypt and stay as an L7 LB
15:49:02 I wonder if it makes sense to cover services with ssl....
15:49:33 https://www.gilesorr.com/blog/reencrypting-haproxy.html
15:49:57 i guess it depends what paperwork you need to comply with
15:50:13 well, yes
15:51:09 I think that encrypting live migrations might be a more interesting goal though, but dunno...
15:51:51 anyway, agree that covering services with SSL should be implemented
15:52:21 as well as adding some support for tooling for managing the CA
15:53:34 but yeah, let's handle at least what we already have :)
16:00:19 #endmeeting