15:00:24 #startmeeting openstack_ansible_meeting
15:00:24 Meeting started Tue Jul 20 15:00:24 2021 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:24 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:24 The meeting name has been set to 'openstack_ansible_meeting'
15:00:30 #topic rollcall
15:00:32 o/
15:01:56 o/ hello
15:03:27 #topic office hours
15:03:46 So, I think I have the only question for today - next PTG time...
15:04:35 Should I call for doodle vote or we can just go with same time/days that we previously did?
15:04:47 I think 2x2h slots were working really fine
15:07:50 there's ethercalc with other slots https://ethercalc.openstack.org/8tum5yl1bx43
15:08:48 So suggested from me slots are 15:00 - 17:00 UTC on Tuesday October 19 and 15:00 - 17:00 UTC on Wednesday October 20
15:09:06 * noonedeadpunk has a feeling that it's a bit too early now
15:11:00 * jrosser on vacation that week
15:11:06 oh
15:11:27 huh....
15:11:49 no sorry looking at wrong month /o\
15:11:56 haha)
15:12:36 well, October is perfect time for vacation overall )
15:13:57 Then for now I'm booking these timeframes and write ML to get other opinions if any
15:14:06 ok cool
15:14:32 is there stuff to go over which we need to fix for next W point release?
15:14:45 seems i made a bunch of typos in the rabbitmq SSL stuff :/
15:15:11 well. Octavia is still broken though when multiple containers are used
15:15:14 looking into it
15:15:25 and after that we can do point release
15:16:03 btw, I still haven't moved bump bot to github actions (as it got broken with travis policy change)
15:16:14 So will do these manually for now I guess
15:17:48 Created etherpad as well for ptg
15:19:05 Regarding octavia - https://bugs.launchpad.net/openstack-ansible/+bug/1936646
15:19:25 I'm trying to use delegate_facts and gain them from specific host
15:20:27 I think we should actually replace all of that with pki...
15:21:11 well i was going to say
15:21:19 all of that could just be deleted and go away
15:22:04 though just pushing out a new cert there in an existing deployment results in $bad-times
15:23:05 I'm not 100% sure I understand what these certs are for. For securing amphoras->api?
15:24:06 yes, there is mutual TLS between the service and the amphoras
15:24:23 then rotating this might be a disaster....
15:24:28 if you somehow lose or accidentally rotate it then things go super weird
15:24:47 also this is where the deployment actually puts those certs in ~ of the deploy user
15:24:48 I can recall this now :)
15:25:09 we rebuilt a deploy host and lost ours
15:25:17 Yeah, I have overwritten this path everywhere
15:29:02 there is documentation here https://docs.openstack.org/octavia/latest/admin/guides/operator-maintenance.html
15:33:11 at some point we must deal with this as part of using the PKI role - but not sure how the best way to approach this is for a deployment
15:37:22 yeah, not sure either. It seems we have here a bit different concept (in terms that we have server and client parts)
15:37:34 So might be worth doing just bugfix now?
15:39:34 can we just revert the patch that caused this trouble?
15:39:55 I already have fix:)
15:41:25 Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_octavia master: Fix self-signed certs distribution https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/801505
15:41:27 ^
15:41:33 ahha
15:41:50 FYI, there is also a detailed certificate guide for Octavia here: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
15:43:51 johnsom: awesome thanks, we have a new ansible role here https://github.com/openstack/ansible-role-pki which we plan to replace all our ad-hoc cert generation with (including in our octavia role)
15:44:29 I tend to use PKI role for master only to not mess up ppl envs while backporting
15:44:32 Ok. I wrote that guide, so feel free to ping me if you have questions.
15:44:40 sure, thanks!
15:44:48 We never hesitate pinging ;)
15:44:58 grin
15:45:28 noonedeadpunk: yes agreed, this is likely to need a rotation of the CA I think, unless we can import existing certs under the PKI role as part of an upgrade
15:45:46 I think we can provide path to existing one?
15:46:13 we can certainly retrieve them from one of the containers and copy to /etc/openstack_deploy/pki/.....
15:46:32 yeah, it's for upgrade path for sure...
15:46:40 it would be like a user supplied one from that point on
15:46:40 and I guess we would need to set some vars as well
15:47:00 (to use that CA only for octavia?)
15:47:05 yes, and the vars being set would cause it to be installed from the copy with the regular PKI role
15:47:37 i think we have a choice, it can be its own CA, or an intermediate off the one we have already, lots of ways to do it
15:48:49 sounds like we need to be really mindful of the upgrade path when adjusting the octavia role here
15:49:06 much more so than other places where it's not going to break stuff
15:50:50 yes, agreed
15:51:08 btw, regarding typos - mind merging https://review.opendev.org/c/openstack/openstack-ansible-os_ceilometer/+/801072 ?:)
15:51:35 I guess for upgrade it would be required anyway
15:51:46 (on master gnocchi is failing for some reason)
15:52:05 https://bugs.launchpad.net/openstack-ansible/+bug/1936576
15:52:56 done
15:53:02 `SQLAlchemy===1.4.20` in u-c
15:53:36 oh there were a whole flurry of patches about updated sqlalchemy recently i think
15:54:06 and there's a fix:) https://github.com/gnocchixyz/gnocchi/commit/62ee223b456fa8e185720c18439d929d0f8cb0d4
15:54:25 So I guess I will do master bump now
15:54:48 oh! btw, I've posted vault role I had
15:55:04 some weird things going on in CI though
15:55:17 https://review.opendev.org/c/openstack/ansible-role-vault/+/800792
15:55:42 for some reason db_setup is not delegated or smth like that...
15:59:09 maybe it needs to be after utility_install
15:59:23 otherwise there is no galera_client yet to do the db setup?
15:59:55 oh, that's good point
16:00:15 #endmeeting