15:00:13 <raildo> #startmeeting oslo-config-plaintext-secrets
15:00:13 <openstack> Meeting started Tue Aug 21 15:00:13 2018 UTC and is due to finish in 60 minutes. The chair is raildo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:14 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:16 <raildo> o/
15:00:17 <openstack> The meeting name has been set to 'oslo_config_plaintext_secrets'
15:00:23 <moguimar> o/
15:01:08 <spilla> o/
15:01:38 <electrichead> o/
15:01:45 * electrichead is aka redrobot
15:01:51 <electrichead> having bouncer issues ... :-\
15:01:58 <raildo> #link https://etherpad.openstack.org/p/oslo-config-plaintext-secrets
15:02:11 <moguimar> dhellmann bnemec
15:02:24 <dhellmann> o/
15:02:38 <raildo> hey folks :)
15:02:52 <raildo> #topic status update
15:03:34 <raildo> I updated the spec for stein: https://review.openstack.org/#/c/474304/ updating the phase 0 status and moving that spec for the stein repo
15:04:05 <raildo> we still need to wait for the Denver PTG to get some agreements about the mutable values, so we can focus on approving this spec
15:04:37 <raildo> moguimar, do you want to talk about the PoC for testing oslo.config driver?
15:04:47 <bnemec> o/
15:04:54 <moguimar> sure
15:05:16 <moguimar> I've set up a remote_file server using docker, nginx and flask
15:05:34 <moguimar> https://github.com/moisesguimaraes/oslo.config-drivers-samples
15:05:39 <moguimar> #link https://github.com/moisesguimaraes/oslo.config-drivers-samples
15:06:04 <moguimar> the nginx does the tls checks
15:06:12 <moguimar> the flask app has a crud for configs
15:06:38 <moguimar> the config is a simple (id, domain_name, conf)
15:06:43 * gagehugo lurks
15:07:18 <moguimar> so the server returns configs based on the subject domain name of the client certificate
15:08:03 <dhellmann> are you planning to implement a CI job based on that?
15:08:04 <moguimar> that can be used to demo the remote_file driver
15:08:28 <moguimar> should I?
15:08:45 <dhellmann> oh, I don't know, I was just curious
15:09:15 <moguimar> I'll work on a demo on my own, just for curiosity
15:09:48 <raildo> dhellmann, that would be great, but I'm not sure if we'll be able to do that upstream, like setting up an nginx server and so on, maybe we can evaluate how to adjust it for a CI job
15:10:20 <bnemec> Python has a very simple HTTP server built in. Seems like we should be able to use that for a test job.
15:10:20 <dhellmann> yeah, upstream might just want to reuse whatever devstack does to configure a web front-end for the services
15:10:20 <moguimar> as I'd like to learn a little about datadog, I would like to see nodes status and they trying to fetch config every x seconds
15:10:32 <dhellmann> bnemec : that's a good idea, too, although I don't know about the SSL stuff for that
15:10:36 <bnemec> https://docs.python.org/2/library/simplehttpserver.html
15:10:58 <bnemec> Yeah, I was thinking just to have basic coverage of this functionality.
15:11:17 <raildo> #action raildo to investigate more about https://docs.python.org/2/library/simplehttpserver.html
15:13:20 <moguimar> simplehttpserver does that job well, the PoC I was working on is something more visual
15:13:21 <raildo> the next steps for now, will be investigating/playing with castellan-vault and other backends, so we can understand more about castellan and start the castellan driver implementation
15:13:41 <moguimar> I did that castellan deep dive today
15:14:09 <moguimar> can you set the topic for it raildo ?
15:14:17 <moguimar> after status update
15:14:23 <raildo> #topic castellan deep dive
15:14:27 <moguimar> good
15:14:42 <moguimar> I cloned the castellan repo and looked into the code
15:15:09 <moguimar> it stores/retrieves values from vault with a unique ID
15:15:36 <moguimar> the IDs are generated with uuid.uuid4().hex
15:16:14 <moguimar> so I think that the mapping file using the castellan driver should contain option_name=option_id
15:16:41 <moguimar> then we just forward the get to castellan
15:16:53 <moguimar> using the secret's id
15:17:13 <dhellmann> that makes sense
15:17:56 <moguimar> I hope this approach doesn't care which backend castellan is talking to
15:18:14 <moguimar> so the castellan driver would work for both vault and barbican
15:18:21 <moguimar> I
15:18:24 <dhellmann> do the id values change format based on the driver at all?
15:18:29 <raildo> moguimar, yeah, that's why we have to use the castellan reference_id
15:18:34 <dhellmann> like sometimes they are uuid and sometimes just numbers?
15:18:34 <moguimar> will check that
15:18:49 <moguimar> haven't poked the barbican_key_manager file yet
15:18:51 <dhellmann> ok
15:19:00 <dhellmann> I suspect they don't, but wouldn't want to assume so
15:19:20 <dhellmann> I guess if we just don't worry about what's in the string for the value it won't matter if the format changes
15:19:30 <dhellmann> as long as it can be expressed as a value in an ini file we should be safe reading it
15:19:40 <raildo> dhellmann, I think that all of that are using uuid, but would be nice to double check that as well
15:19:46 <raildo> dhellmann, ++
15:20:09 <moguimar> I still have a lot of tests being skipped in tox for castellan
15:20:40 <moguimar> so I'll poke the castellan folks to find out how to set up vault and barbican for the skipped castellan tests
15:21:05 <raildo> moguimar, notice that you have to explicitly enable the vault tests for castellan on tox
15:21:26 <raildo> there is an option on tox for castellan to run the vault tests
15:21:59 <raildo> #link https://github.com/openstack/castellan/blob/master/tox.ini#L75
15:22:10 <moguimar> yup
15:22:32 <moguimar> I'll try that one
15:22:37 <raildo> great
15:23:09 <raildo> #topic Open Discussion
15:23:12 <moguimar> I suppose the full tests also test vault, but it looks for some ENV vars
15:23:23 <moguimar> as I can see the skipped message
15:23:41 <moguimar> that's all I have
15:23:49 <raildo> it doesn't since it's necessary a vault server, and root key for vault
15:24:39 <raildo> so it'll run the functional tests, otherwise, it will just execute the unit tests for that code
15:25:15 <moguimar> yeah, I have a vault server running, it gets the addr and token from env vars
15:25:45 <raildo> so, let's try that option and we can see the result with that
15:25:52 <moguimar> yep
15:25:58 <raildo> awesome
15:26:46 <raildo> ok, so if we don't have anything else to talk about, see you guys in two weeks :)
15:26:56 <raildo> thanks everyone!
15:27:10 <moguimar> o/
15:27:23 <raildo> #endmeeting