Wednesday, 2018-12-12

*** xek__ has joined #openstack-barbican [00:37]
*** xek_ has quit IRC [00:39]
*** AB2019 has quit IRC [00:56]
*** dave-mccowan has joined #openstack-barbican [01:14]
*** dave-mccowan has quit IRC [03:52]
*** dayou has quit IRC [06:22]
*** dayou has joined #openstack-barbican [06:23]
*** Luzi has joined #openstack-barbican [07:01]
*** moguimar has joined #openstack-barbican [07:07]
*** redrobot has quit IRC [07:11]
*** openstackgerrit has quit IRC [07:29]
*** velizarx has joined #openstack-barbican [07:49]
*** moguimar has quit IRC [07:52]
*** dayou has quit IRC [08:10]
*** dayou has joined #openstack-barbican [08:28]
<rm_work> oh no, i'm off the courtesy-ping list! [08:38]
<rm_work> also, your meeting is too early T_T so early T_T [08:38]
<Luzi> rm_work, i think redrobot wanted to create an etherpad for the agenda, maybe he can add the courtesy-ping list there, so people can add themselves again? [08:42]
*** dayou has quit IRC [08:43]
*** dayou has joined #openstack-barbican [08:44]
*** moguimar has joined #openstack-barbican [08:47]
*** salmankhan has joined #openstack-barbican [09:00]
*** salmankhan has quit IRC [09:24]
*** salmankhan has joined #openstack-barbican [09:38]
*** moguimar has quit IRC [09:59]
*** salmankhan has quit IRC [10:14]
*** salmankhan has joined #openstack-barbican [10:16]
*** salmankhan has quit IRC [10:21]
*** salmankhan has joined #openstack-barbican [10:21]
*** pbourke has quit IRC [10:26]
*** pbourke has joined #openstack-barbican [10:28]
*** velizarx has quit IRC [11:48]
*** salmankhan1 has joined #openstack-barbican [12:02]
*** velizarx has joined #openstack-barbican [12:03]
*** salmankhan has quit IRC [12:03]
*** salmankhan1 is now known as salmankhan [12:03]
*** salmankhan has quit IRC [12:11]
*** raildo has joined #openstack-barbican [12:20]
*** dave-mccowan has joined #openstack-barbican [12:41]
*** velizarx has quit IRC [13:00]
*** moguimar has joined #openstack-barbican [13:04]
*** redrobot has joined #openstack-barbican [13:08]
*** velizarx has joined #openstack-barbican [13:10]
*** salmankhan has joined #openstack-barbican [13:14]
*** salmankhan has quit IRC [13:35]
*** salmankhan has joined #openstack-barbican [13:35]
*** salmankhan has quit IRC [13:36]
*** salmankhan has joined #openstack-barbican [13:37]
*** irclogbot_0 has quit IRC [14:36]
*** mmethot has quit IRC [14:43]
*** mmethot has joined #openstack-barbican [14:46]
*** irclogbot_0 has joined #openstack-barbican [14:51]
*** salmankhan has quit IRC [15:42]
*** Luzi has quit IRC [15:57]
*** velizarx has quit IRC [16:35]
*** velizarx has joined #openstack-barbican [16:47]
*** moguimar has quit IRC [16:53]
*** moguimar has joined #openstack-barbican [17:03]
*** moguimar has quit IRC [17:03]
*** velizarx has quit IRC [17:08]
*** raildo has quit IRC [17:58]
*** raildo has joined #openstack-barbican [17:58]
<rm_work> it's fine, I just want to mess with redrobot :P [18:09]
<redrobot> ohai rm_work ! [18:09]
<rm_work> redrobot: your meetings are too early [18:11]
<redrobot> rm_work, you West Coast again? [18:19]
<rm_work> presently sunnyvale [18:19]
<redrobot> rm_work, nice!  ... yeah, maybe we can change the meeting time.  As it is only Luzi and I show up regularly [18:20]
<rm_work> I mean that said, I probably don't have a whole lot to add ATM [18:20]
<rm_work> octavia cleaned up its barbican story a lot [18:20]
<rm_work> we just store a single pkcs12 file as one secret now <_< [18:20]
<rm_work> and auto-create ACLs [18:22]
*** raildo_ has joined #openstack-barbican [18:35]
*** raildo has quit IRC [18:35]
*** AB2019_ has joined #openstack-barbican [19:09]
*** AB2019 has joined #openstack-barbican [19:14]
*** salmankhan has joined #openstack-barbican [19:20]
*** salmankhan has quit IRC [20:18]
*** AB2019_ has quit IRC [20:22]
*** salmankhan has joined #openstack-barbican [20:31]
*** jmlowe has quit IRC [21:10]
*** jmlowe has joined #openstack-barbican [21:11]
<FrankZhang> rm_work: recently I'm doing some experiments on enabling TLS lb on Octavia with Barbican in an openstack ansible setup. While barbican has a strict policy that won't allow Octavia to have access to the PKCS12 secret. Does this happen on your side? [21:13]
*** jmlowe has quit IRC [21:13]
*** jmlowe has joined #openstack-barbican [21:14]
<rm_work> which release? [21:16]
<rm_work> hopefully rocky? [21:16]
<rm_work> FrankZhang: wait are you at RAX [21:17]
<rm_work> if so, queens may have some issue? johnsom is looking at it <_< [21:17]
<FrankZhang> yeah I'm, I was testing queens, rocky should be quite similar [21:17]
<rm_work> i'm aware of your problem :P [21:18]
<FrankZhang> rm_work: I'm working with johnsom [21:18]
<rm_work> rocky has different patches [21:18]
<rm_work> with regard to barbican ACL work, I *think* [21:18]
*** xek__ has quit IRC [21:18]
<rm_work> but yeah, i'd just wait for michael's research [21:18]
<FrankZhang> rm_work: osa barbican has one flaw which public endpoint won't allow admin GET secret normally but have to give '--insecure' flag [21:19]
<FrankZhang> I'm guessing the weird cert requirement causing other service has trouble communicating to barbican [21:20]
<rm_work> yeah, so I fixed the barbican-client issue with using alternative endpoints a few months ago [21:21]
<rm_work> it should be released now [21:21]
<rm_work> so you should be able to use the internal/admin endpoint [21:21]
<FrankZhang> rm_work: yeah, thanks for the patching, it got merged to queens weeks ago. The href of secret is still marked as public endpoint, though I don't think it matters. [21:23]
<rm_work> right, the client will now respect the setting of the current config [21:23]
<rm_work> replacing the endpoint in the stored secret [21:23]
<rm_work> so you shouldn't have to deal with --insecure or the cert issue at all [21:23]
<FrankZhang> Openstack Ansible stable queens didn't have your barbican client patch, so I was working on finding the way to get OSA barbican client up-to-date [21:24]
<rm_work> you can ping xgerman for OSA issues, right? :P [21:25]
<FrankZhang> cool, I believed he knew the issue already. Since folks in RAX all didn't have successful instance to implement TLS octavia lb with barbican, johnsom mentioned you have some experience. Like to hear any tip of config you did. [21:29]
<johnsom> The --insecure issue is an OSA deployment issue. Somehow that barbican public endpoint is using the wrong cert. But that is an openstack-ansible channel question/bug IMO. [21:32]
<johnsom> The other endpoints don't need the --insecure even though they are also HTTPS, so I think something just isn't getting setup right. [21:33]
<johnsom> The RBAC issue with the 403's, that one is going to take some time to figure out. I threw every role at the account I could think of, but I still got 403, so just need to set it up local and dig. [21:34]
<FrankZhang> johnsom: I can setup one queens vm without octavia and barbican. And you can do some experiment on it. [21:36]
*** salmankhan has quit IRC [22:03]
*** AB2019_ has joined #openstack-barbican [22:22]
*** AB2019 has quit IRC [22:29]
*** AB2019_ is now known as AB2019 [22:29]
*** raildo_ has quit IRC [23:06]
*** ade_lee has quit IRC [23:12]
*** ade_lee has joined #openstack-barbican [23:13]
*** dave-mccowan has quit IRC [23:19]
*** ade_lee has quit IRC [23:20]
*** ade_lee_ has joined #openstack-barbican [23:21]
*** ade_lee_ has quit IRC [23:21]
*** ade_lee has joined #openstack-barbican [23:21]
*** ade_lee has quit IRC [23:45]
*** ade_lee has joined #openstack-barbican [23:46]
