15:00:24 <noonedeadpunk> #startmeeting openstack_ansible_meeting
15:00:24 <opendevmeet> Meeting started Tue Jul 20 15:00:24 2021 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:24 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:24 <opendevmeet> The meeting name has been set to 'openstack_ansible_meeting'
15:00:30 <noonedeadpunk> #topic rollcall
15:00:32 <noonedeadpunk> o/
15:01:56 <jrosser> o/ hello
15:03:27 <noonedeadpunk> #topic office hours
15:03:46 <noonedeadpunk> So, I think I have the only question for today - next PTG time...
15:04:35 <noonedeadpunk> Should I call for doodle vote or we can just go with same time/days that we previously did?
15:04:47 <noonedeadpunk> I think 2x2h slots were working really fine
15:07:50 <noonedeadpunk> there's ethercalc with other slots https://ethercalc.openstack.org/8tum5yl1bx43
15:08:48 <noonedeadpunk> So suggested from me slots are 15:00 - 17:00 UTC on Tuesday October 19 and 15:00 - 17:00 UTC on Wednesday October 20
15:09:06 * noonedeadpunk has a feeling that it's a bit too early now
15:11:00 * jrosser on vacation that week
15:11:06 <jrosser> oh
15:11:27 <noonedeadpunk> huh....
15:11:49 <jrosser> no sorry looking at wrong month /o\
15:11:56 <noonedeadpunk> haha)
15:12:36 <noonedeadpunk> well, October is perfect time for vacation overall )
15:13:57 <noonedeadpunk> Then for now I'm booking these timeframes and write ML to get other opinions if any
15:14:06 <jrosser> ok cool
15:14:32 <jrosser> is there stuff to go over which we need to fix for next W point release?
15:14:45 <jrosser> seems i made a bunch of typos in the rabbitmq SSL stuff :/
15:15:11 <noonedeadpunk> well. Octavia is still broken though when multiple containers are used
15:15:14 <noonedeadpunk> looking into it
15:15:25 <noonedeadpunk> and after that we can do point release
15:16:03 <noonedeadpunk> btw, I still haven't moved bump bot to github actions (as it got broken with travis policy change)
15:16:14 <noonedeadpunk> So will do these manually for now I guess
15:17:48 <noonedeadpunk> Created etherpad as well for ptg
15:19:05 <noonedeadpunk> Regarding octavia - https://bugs.launchpad.net/openstack-ansible/+bug/1936646
15:19:25 <noonedeadpunk> I'm trying to use delegate_facts and gain them from specific host
15:20:27 <noonedeadpunk> I think we should actually replace all of that with pki...
15:21:11 <jrosser> well i was going to say
15:21:19 <jrosser> all of that could just be deleted and go away
15:22:04 <jrosser> though just pushing out a new cert there in an existing deployment results in $bad-times
15:23:05 <noonedeadpunk> I'm not 100% sure I understand what these certs are for. For securing amphoras->api?
15:24:06 <jrosser> yes, there is mutual TLS between the service and the amphoras
15:24:23 <noonedeadpunk> then rotating this might be a disaster....
15:24:28 <jrosser> if you somehow lose or accidentally rotate it then things go super weird
15:24:47 <jrosser> also this is where the deployment actually puts those certs in ~ of the deploy user
15:24:48 <noonedeadpunk> I can recall this now :)
15:25:09 <jrosser> we rebuilt a deploy host and lost ours
15:25:17 <noonedeadpunk> Yeah, I have overwritten this path everywhere
15:29:02 <jrosser> there is documentation here https://docs.openstack.org/octavia/latest/admin/guides/operator-maintenance.html
15:33:11 <jrosser> at some point we must deal with this as part of using the PKI role - but not sure how the best way to approach this is for a deployment
15:37:22 <noonedeadpunk> yeah, not sure either. It seems we have here a bit different concept (in terms that we have server and client parts)
15:37:34 <noonedeadpunk> So might be worth doing just bugfix now?
15:39:34 <jrosser> can we just revert the patch that caused this trouble?
15:39:55 <noonedeadpunk> I already have fix:)
15:41:25 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_octavia master: Fix self-signed certs distribution  https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/801505
15:41:27 <noonedeadpunk> ^
15:41:33 <jrosser> ahha
15:41:50 <johnsom> FYI, there is also a detailed certificate guide for Octavia here: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
15:43:51 <jrosser> johnsom: awesome thanks, we have a new ansible role here https://github.com/openstack/ansible-role-pki which we plan to replace all our ad-hoc cert generation with (including in our octavia role)
15:44:29 <noonedeadpunk> I tend to use PKI role for master only to not mess up ppl envs while backporting
15:44:32 <johnsom> Ok. I wrote that guide, so feel free to ping me if you have questions.
15:44:40 <noonedeadpunk> sure, thanks!
15:44:48 <noonedeadpunk> We never hesitate pinging ;)
15:44:58 <johnsom> grin
15:45:28 <jrosser> noonedeadpunk: yes agreed, this is likely to need a rotation of the CA I think, unless we can import existing certs under the PKI role as part of an upgrade
15:45:46 <noonedeadpunk> I think we can provide path to existing one?
15:46:13 <jrosser> we can certainly retrieve them from one of the containers and copy to /etc/openstack_deploy/pki/.....
15:46:32 <noonedeadpunk> yeah, it's for upgrade path for sure...
15:46:40 <jrosser> it would be like a user supplied one from that point on
15:46:40 <noonedeadpunk> and I guess we would need to set some vars as well
15:47:00 <noonedeadpunk> (to use that CA only for octavia?)
15:47:05 <jrosser> yes, and the vars being set would cause it to be installed from the copy with the regular PKI role
15:47:37 <jrosser> i think we have a choice, it can be its own CA, or an intermediate off the one we have already, lots of ways to do it
15:48:49 <jrosser> sounds like we need to be really mindful of the upgrade path when adjusting the octavia role here
15:49:06 <jrosser> much more so than other places where it's not going to break stuff
15:50:50 <noonedeadpunk> yes, agreed
15:51:08 <noonedeadpunk> btw, regarding typos - mind merging https://review.opendev.org/c/openstack/openstack-ansible-os_ceilometer/+/801072 ?:)
15:51:35 <noonedeadpunk> I guess for upgrade it would be required anyway
15:51:46 <noonedeadpunk> (on master gnocchi is failing for some reason)
15:52:05 <noonedeadpunk> https://bugs.launchpad.net/openstack-ansible/+bug/1936576
15:52:56 <jrosser> done
15:53:02 <noonedeadpunk> `SQLAlchemy===1.4.20` in u-c
15:53:36 <jrosser> oh there were a whole flurry of patches about updated sqlalchemy recently i think
15:54:06 <noonedeadpunk> and there's a fix:) https://github.com/gnocchixyz/gnocchi/commit/62ee223b456fa8e185720c18439d929d0f8cb0d4
15:54:25 <noonedeadpunk> So I guess I will do master bump now
15:54:48 <noonedeadpunk> oh! btw, I've posted vault role I had
15:55:04 <noonedeadpunk> some weird things going in CI though
15:55:17 <noonedeadpunk> https://review.opendev.org/c/openstack/ansible-role-vault/+/800792
15:55:42 <noonedeadpunk> for some reason db_setup is not delegated or smth like that...
15:59:09 <jrosser> maybe it needs to be after utility_install
15:59:23 <jrosser> otherwise there is no galera_client yet to do the db setup?
15:59:55 <noonedeadpunk> oh, that's good point
16:00:15 <noonedeadpunk> #endmeeting