15:00:21 <gagehugo> #startmeeting openstack-helm
15:00:23 <openstack> Meeting started Tue May 19 15:00:21 2020 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:24 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:26 <openstack> The meeting name has been set to 'openstack_helm'
15:00:33 <gagehugo> #link https://etherpad.opendev.org/p/openstack-helm-weekly-meeting agenda
15:02:03 <gagehugo> o/
15:02:16 <lamt> \o
15:02:39 <portdirect> o/
15:05:07 <stevthedev> Hello
15:05:07 <gagehugo> Let's get started
15:05:16 <gagehugo> #topic next week meeting
15:05:50 <gagehugo> I plan on canceling next week's meeting since I will be out, if anyone wants to host then lemme know
15:06:10 <gagehugo> #topic virtual ptg - june
15:06:22 <gagehugo> Reminder that the OpenDev PTG is coming up in < 2 weeks
15:06:25 <gagehugo> #link https://etherpad.opendev.org/p/openstack-helm-ptg-victoria
15:06:40 <gagehugo> ^ add topics to discuss there, otherwise it might be a quiet conference call
15:06:41 <gagehugo> :)
15:06:55 <gagehugo> #topic TLS
15:07:02 <gagehugo> portdirect: I assume this is you
15:07:08 <portdirect> :)
15:07:35 <portdirect> so - I think the planets are aligning for internal tls
15:07:43 <portdirect> we have had a few rough starts on this before
15:08:10 <portdirect> but evaluating Jetstack's cert manager, it looks to be the missing link in what was attempted before
15:08:30 <portdirect> I'd therefore like to propose that we use that to get this effort moving again
15:08:49 <portdirect> which we could break down into a couple of steps:
15:09:18 <portdirect> 1) Jetstack Cert Manager
15:09:18 <portdirect> a) Chart
15:09:18 <portdirect> b) Deploy in gate with snakeoil ca
15:09:18 <portdirect> 2) Chart updates
15:09:18 <portdirect> a) Add in option to create TLS cr, with required hostnames - ideally via htk macro similar to the ingress rule generator
15:09:19 <portdirect> b) Get tls certs generated for all internal services
15:09:19 <portdirect> c) Mount secrets into api pods
15:09:20 <portdirect> d) Enable tls and also set the ingress rule to support secure backends
15:10:09 <gagehugo> jetstack looks interesting
15:10:49 <portdirect> it's used by the cluster api and several other projects
15:11:53 <gagehugo> hmm
15:12:15 <portdirect> any thoughts on this approach?
15:12:36 <gagehugo> It's the best one we have so far
15:12:40 <lamt> I need to read up on it
15:12:43 <gagehugo> same
15:12:59 <portdirect> ok - please do
15:13:07 <gagehugo> I assume this means we don't need that sidecar stuff from years ago?
15:13:08 <lamt> I read about kube-lego before
15:13:12 <lamt> but it has been a while
15:13:21 <portdirect> gagehugo: I think that's the next phase following this
15:13:25 <portdirect> let's make it simple
15:13:34 <lamt> I guess they already have a chart
15:13:36 <portdirect> and then optimise
15:13:46 <lamt> I will play around with it
15:14:09 <portdirect> this is a pretty similar approach to what I did on another openstack-on-k8s project
15:14:16 <portdirect> and it worked very well there
15:14:25 <gagehugo> nice
15:14:29 <portdirect> though I was using dogtag/freeipa then ;)
15:15:07 <lamt> if we can load the certs with the correct CN as secret, the rest should follow
15:16:13 <lamt> but lemme play around with jetstack and read up on the docs
15:16:22 <gagehugo> I will read up on it as well
15:16:34 <gagehugo> and look at that chart
15:16:55 <stevthedev> Me too. Would be cool to get mTLS working
15:18:13 <lamt> we just need tls not mtls right?
15:20:01 <gagehugo> I assume just TLS
15:21:38 <stevthedev> Sorry, did I misunderstand? Is this for TLS within the cluster?
15:22:01 <stevthedev> Maybe I am mixing my acronyms :)
15:23:00 <stevthedev> Gotta read up in any case
15:24:18 <gagehugo> portdirect: anything else for TLS? I think the path forward is to read up on jetstack for now
15:29:18 <gagehugo> thanks everyone, have a good rest of the week
15:29:22 <gagehugo> #endmeeting