15:02:13 #startmeeting openstack_ansible_meeting 15:02:13 Meeting started Tue Oct 7 15:02:13 2025 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:02:13 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:02:13 The meeting name has been set to 'openstack_ansible_meeting' 15:02:17 #topic rollcall 15:02:20 o/ 15:02:29 o/ 15:02:40 o/ 15:03:04 hi! 15:03:08 courtesy ping: jrosser 15:03:16 o/ hello 15:03:32 #topic office hours 15:04:02 so releases 15:04:38 for 2025.1 I think only rocky left 15:04:42 #link https://review.opendev.org/q/parentproject:openstack/openstack-ansible+branch:%5Estable/2025.1+status:open+ 15:04:47 *rocky 10 backport 15:05:19 2024.2 is waiting for another vote on bump 15:05:31 and 2024.1 had issues yesterday with Rocky 9 mirrors 15:06:34 I'm considering to backport https://review.opendev.org/c/openstack/openstack-ansible/+/935362 as well if it's not gonna pass today 15:06:51 yeah i think that would make sense 15:06:57 yes it looked like a big mess yesterday 15:07:44 for 2025.2 beta I've pushed freeze https://review.opendev.org/c/openstack/openstack-ansible/+/963189 - will push unfreeze today right after the meeting 15:07:53 ideally I should have done that yesterday 15:09:04 I;ve also spotted a copy-paste issue during refactoring of releasing script while doing freeze, so pushed small path for it 15:09:58 Also run some tests/played with facts gathering yesterday evening. As today we basically are collecting all facts, as ANSIBLE_GATHER_SUBSET not respected anymore 15:10:13 that patch looked basically ok 15:10:14 got quite a massive patch out for playbooks: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/963204 15:10:34 I was thinking if I should simplify it 15:10:44 and drop `ANSIBLE_GATHER_SUBSET` altogether 15:11:22 as it could be `gather_subset: "{{ osa_gather_subset | default('!all,min') }}"` instead 15:12:01 really no reason except some compatability concerns not to do that 15:12:12 but we're now on non-slurp, so eh 15:12:14 the env var is no longer a thing in actual ansible so yes makes sense to simplify 15:12:16 that all feels rather fine 15:13:09 I guess my thinking was that I didn't intend to add ansible var in place at the begining, but then realized it might be good to do it with anisble var 15:13:28 but left env var in place 15:13:54 I will check on that and I guess simplify it indeed 15:14:35 * noonedeadpunk having several envs which would need to convert from env var to ansible var 15:14:38 * noonedeadpunk is lazy 15:15:03 ok, we got some progress on pki route I believe 15:15:33 There were some comments in IRC about the last patch bringing in the new driver from jrosser yesterday 15:15:45 damiandabrowski: have you seen them and was able to process? 15:15:55 do we want to discuss them now? 15:15:55 yeah there still is vault_ vars in places 15:16:17 i already left comments on the patch a long time ago 15:16:52 yeah, i think it's related to: https://review.opendev.org/c/openstack/ansible-role-pki/+/948881/comment/ee0404e1_b5ac6aae/ 15:17:07 I tried to explain there why I've implemented it like this 15:19:38 yeah, I hardly dealt with vault so it's hard to judge for me without deeper dive into specifics 15:20:18 at glance explanation kinda make sense 15:20:53 btw it's in merge conflict now 15:21:51 yeah, I'll handle it during the evening 15:23:27 Will put some effort into reviewing this. As I was postponing this last bit for too long 15:24:02 But I think my main problem is that I'm really not sure what is the most widespread or reasonable pattern of vault usage is 15:24:36 yeah, me neither. Didn't really have any experience with Vault before I started working on this integration 15:25:30 okok, I'm currently adoping sevice roles to recent pki changes we made(type, dynamic permission/owner etc.) 15:26:03 it's going slower than I expected but today I aim to finish patching and start testing it locally 15:26:13 ok, sounds good then 15:26:29 Debian 13 - I don't have any updates so far. Was not looking there :( 15:26:32 btw. how can I upload a new patchset to the propsoed change but avoid triggerring CI jobs? Would workflow -1 do the job? 15:26:48 nope, I don't think you can do this 15:27:12 as jobs are triggered based of file changes and the trigger is new patchset 15:27:26 ahh okok :/ thanks 15:27:27 labels do not really matter afaik 15:27:48 you can make a typo in zuul.d so that they instantly fail :D 15:28:05 or comment out jobs in project.yaml 15:28:07 but yeah 15:30:04 I wanna check on Debian 13 this week, but really no time to be frank, as need to prepare plenty of stuff for the summit 15:35:11 anything else for today? 15:40:21 sorry fire alarm here - back now 15:40:34 my only objection to the vault_* vars is that they look mandatory 15:40:56 if they defaulted to some sensible value and did not need always to be in the input data to the pki role it would be much cleaner 15:41:40 i also don't see why we can't use signed_by for either backend 15:44:08 hmm, I can define some default values for vault_path and vault_root_ca_path, so they won't have to be explicitly defined 15:45:06 I was thinking about getting rid of vault_root_ca_path and using signed_by for both backends, but I was afraid it would be too confusing for users 15:45:34 vault_root_ca_path specifies a vault path where the root certificate is stored. It doesn't point to the issuing certificate directly 15:46:09 so that's quite a difference, comparing to how signed_by is used in standalone backend 16:02:02 #endmeeting