Tuesday, 2019-02-12

redrobot#startmeeting barbican13:00
openstackMeeting started Tue Feb 12 13:00:36 2019 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.13:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.13:00
*** openstack changes topic to " (Meeting topic: barbican)"13:00
openstackThe meeting name has been set to 'barbican'13:00
redrobot#topic Roll Call13:01
*** openstack changes topic to "Roll Call (Meeting topic: barbican)"13:01
redrobotCourtesy ping for ade_lee hrybacki jamespage Luzi lxkong moguimar raildo rm_work xek13:02
redrobotGood morning y'all!13:02
redrobotAs usual our agenda can be found here:13:02
redrobot#link https://etherpad.openstack.org/p/barbican-weekly-meeting13:03
rm_workOMG o/13:03
redrobotrm_work, you made it!!!13:04
rm_workyes I'm still awake somehow 😑13:04
redrobot#topic Review Past Meeting Action Items13:04
*** openstack changes topic to "Review Past Meeting Action Items (Meeting topic: barbican)"13:04
redrobot#link http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-02-05-13.00.html13:05
redrobotrm_work, yikes!  Well, I'm glad to have you here. 😬13:05
redrobotok, let's see about these action items13:05
redrobotFirst one:13:06
redrobotredrobot to add a story to fix functional tests to be run in parallel13:06
redrobotI did do this13:07
redrobot#link https://storyboard.openstack.org/#!/story/200491513:07
redrobotI added it as a task to the gates story13:07
rm_workSuccess! Now to do the actual work :D13:08
redrobotI was talking to ade_lee_ about it, and he was suggesting that each tests needs to create its own project13:08
redrobotwhich makes sense13:08
redrobotrm_work, exactly!13:08
redrobotnext one:13:08
redrobotredrobot to check with ade_lee about adding Vault features to Barbican for Rocky13:08
rm_workYou can also just clean up better, or account for other objects existing13:08
rm_workWe have some examples of this in the Octavia tempest tests13:09
rm_workNot sure which is easier13:09
redrobotI did not do this.  My bad 😔13:09
redrobotrm_work, problem is quota tests that are counting # of secrets13:09
rm_workMaybe in functional tests, making new projects is trivial13:09
redrobotrm_work, obvs doesn't work when run in parallel13:09
rm_workYeah you do need multiple, we use two13:09
redrobotyeah, this is for functional tests13:09
rm_workWhen you say functionalll13:09
rm_workDoes that mean tempest? Against a real backend? Or is it still a fake in-memory thing13:10
redrobotrm_work, not tempest.  The functional tests in the barbican server that run on every gate13:11
redrobotincluding simple crypto, kmip, and hopefully soon softhsm13:11
rm_workYeah but do you spin up a real API or is it just a pecan-test-scaffold thing?13:12
redrobotit's a real api13:12
rm_workI forget how yours work but I seem to recall them being more heavyweight than oura13:12
redrobotso keystone is available for us to create projects on the fly13:12
rm_work*our Octavia functionals13:12
rm_workHmm k13:12
rm_workWell whatever, this is kinda a pointless discussion, whoever does it can do whichever option they want :D13:13
redrobotback to the second action item that I did not do13:13
redrobotI think that the safe call is to make new Vault stuff for Train13:13
redrobotbut I'll check with ade_lee_ for sure13:13
redrobot#action redrobot to check with ade_lee about adding Vault features to Barbican for Rocky (1)13:13
rm_workWait, so ditch the existing vault driver?13:14
redrobotthe (1) is for me to keep track of how many times I kick these things13:14
redrobotrm_work, no, I can't recall exactly what was needed, but it's an enhancement to the Vault driver13:14
redrobotnew features if you will13:14
rm_workAh k13:14
* redrobot has not had his coffee yet13:15
redrobotok, moving on13:15
redrobotnext action item13:15
redrobotredrobot to check with ade_lee about releasing Castellan13:15
redrobotI did do this13:15
redrobotbut I'm not sure if ade_lee_ got a chance to talk to the oslo folks about it13:16
redrobotso I'll ping him again about it13:16
redrobot#action redrobot to check with ade_lee about releasing Castellan (1)13:16
moguimarredrobot: I can do that13:16
redrobotawesome, thanks moguimar13:16
moguimarbnemec was talking about releases on our last Oslo meeting13:17
openstackRemoving item from minutes: #action redrobot to check with ade_lee about releasing Castellan (1)13:17
moguimaremail me what you need and I'll bring it up with them13:17
redrobot#action moguimar to check with oslo team about releasing Castellan13:17
redrobotmoguimar, sounds good13:18
redrobotok, moving on13:18
redrobotWe don't have any topics on the agenda13:18
redrobotso we'll have to play it by ear13:19
redrobotanything y'all want to talk about?13:19
graebI write a Barbican patch for https://storyboard.openstack.org/#!/story/200483313:19
graebIt is for review.13:19
redrobot#topic Reviews13:19
*** openstack changes topic to "Reviews (Meeting topic: barbican)"13:19
redrobotgraeb, awesome, do you want to post a link to the patch?13:20
graeb#link https://review.openstack.org/#/c/635736/13:20
rm_workI'm contemplating finishing the work I started four years ago and doing secret consumers XD13:20
redrobotrm_work, heh... go for it!13:20
rm_workBut probably it wouldn't be supported by castellan sooooo13:20
redrobotThat definitely sounds like a Train feature tho13:21
rm_workMaybe no point13:21
rm_workSince Octavia migrated to using the castellan interface to speak barbican13:21
redrobotHow does an octavia user upload a cert when the Castellan backend is not Barbican?13:22
rm_workNow we store a single secret that is a pkcs12 bundle, so13:22
rm_workIt's up to the operator13:22
*** whoami-rajat has joined #openstack-barbican13:22
rm_workAt GD they had a custom API/UI13:22
rm_workAnd it would spit out a path that worked to retrive, so13:23
redrobotso reimplemented barbican?13:23
rm_workLol yes13:23
rm_workBecause they're dumb13:23
rm_workI yelled at them13:23
rm_workAnd no longer work there13:23
rm_workSo ...13:23
* rm_work shrugs13:23
rm_workPoint being, it is actually kinda reasonable13:24
rm_workPlaces have their own vault storage for example13:24
rm_workAlready implemented outside of openstack13:24
redrobotgraeb, added to my review queue13:24
rm_workSo as long as permissions are right and paths are configured sanely... It works13:24
redrobotsure...  though I'm still a fan of deploying Barbican->Vault13:25
rm_workOr it should in theory, I haven't really seen a successful full implementation in the wild yet13:25
rm_workYes same13:25
graebredrobot, nice! :)13:25
redrobotfor obvious reasons 😜13:25
rm_workMultitenancy and openstack auth ftw13:25
redrobotAny other reviews that need to be mentioned?13:26
redrobotOr other topics?13:26
rm_workApparently not? Or I bet 😉13:28
rm_work*or I netsplit13:28
redrobotI'm gonna go with we're out of topics13:30
redrobotthanks for coming, everyone!13:31
redrobotespecially rm_work! 😘13:31
redrobotsee y'all next time!13:31
*** openstack changes topic to "OpenStack PTG Denver - https://etherpad.openstack.org/p/barbican-stein-ptg"13:31
openstackMeeting ended Tue Feb 12 13:31:56 2019 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)13:31
openstackMinutes:        http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-02-12-13.00.html13:31
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-02-12-13.00.txt13:32
openstackLog:            http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-02-12-13.00.log.html13:32
