Wednesday, 2018-07-25

05:36 *** nchakrab has joined #softwarefactory
06:29 *** sfbender has joined #softwarefactory
06:29 <sfbender> Tristan de Cacqueray created software-factory/sf-config master: openshift: update base jobs  https://softwarefactory-project.io/r/13175
08:20 *** nchakrab has quit IRC
08:44 *** nchakrab has joined #softwarefactory
08:53 <jangutter> tristanC: I'm looking at get_or_generate_CA in sfconfig/components.py and I think I found two bugs that cancel each other out, but I'd like to run it by someone understanding the localCA first.
08:54 <tristanC> jangutter: yes sure
08:55 <jangutter> tristanC: it's to do with the chain cert. In https://softwarefactory-project.io/cgit/software-factory/sf-config/tree/sfconfig/components.py#n119 a pem is generated with the public and private key. That is really confusing to me.
08:55 <jangutter> tristanC: but in https://softwarefactory-project.io/cgit/software-factory/sf-config/tree/sfconfig/components.py#n123 luckily that pem is not used as the chain.
08:56 <jangutter> tristanC: would "open(cert_crt).read(), open(args.ca_file).read()))" and "args.glue["%s_chain" % name] = open(cert_pem).read()" make more sense for the respective lines?
08:58 <jangutter> tristanC: the examples I've seen use a localCA, an intermediary (where the chain comes in) and an end-user cert. I guess a chain is not necessary if you directly sign the end-user certs (as in this case).
08:58 <tristanC> jangutter: hum, it seems like the cert_pem is actually not used, maybe it's a legacy variable that could just be removed?
08:58 <jangutter> tristanC: I don't think it should be removed, actually, since otherwise you can't supply your own 3rd party SSL certs.
08:59 <jangutter> tristanC: for example, we added gateway.crt, gateway.pem and gateway.key, deploy using sfconfig, and the certs are populated, not generated.
08:59 <tristanC> i mean the variable and the file don't seem to be used
09:00 <jangutter> tristanC: gateway_chain expands into the apache config for the chain.
09:00 <sfbender> Tristan de Cacqueray created software-factory/sf-config master: gateway: remove unused confusing cert_pem variable  https://softwarefactory-project.io/r/13177
09:02 <tristanC> jangutter: yes, but gateway_chain is actually gateway_crt, not gateway_pem. It seems like 13177 is correct and we could just drop that variable and file
09:02 <jangutter> tristanC: if that happens, then we can't add our own SSL cert into /var/lib/software-factory/bootstrap-data/certs/
09:03 <jangutter> tristanC: gateway_chain could work as gateway_crt if you don't have an intermediary cert.
09:04 <jangutter> tristanC: but if you do, you have to pass the chain. I had a look at the letsencrypt config and compared it to ours.
09:04 <tristanC> jangutter: docs don't mention a pem file, only .crt, .key and .chain, see https://softwarefactory-project.io/docs/operator/configuration.html#ssl-certificates
09:05 <jangutter> tristanC: yep, but I think the docs are incorrect. I could not find where the .chain file is picked up?
09:05 <tristanC> jangutter: oh i see, then there is a bug indeed
09:06 <jangutter> tristanC: well, 3 at this point :-p
09:07 <jangutter> tristanC: that's why I'm a bit unsure at this point: my workaround was to 1) use .pem instead of .chain 2) change how the localCA generates .pem 3) use the .pem file for the chain.
09:09 <jangutter> tristanC: alternate fix would be 1) use .chain 2) don't generate .pem for localCA 3) use ".crt" for chain if localCA, use ".pem" for chain if provided.
09:10 <jangutter> tristanC: but the trouble is that identifying if a localCA is generated or cached is tricky for 3)
09:10 <tristanC> jangutter: either solution sounds good to me
09:11 <tristanC> jangutter: then supporting user provided certs is indeed not good atm, i think we need to add file path options in sfconfig.yaml so that user can add the files to /etc/software-factory
09:12 <tristanC> jangutter: e.g. https://softwarefactory-project.io/cgit/software-factory/sf-config/tree/ansible/roles/sf-gateway/meta/sfconfig.py#n35
09:13 <tristanC> jangutter: one moment, let me propose something quickly
09:13 <jangutter> tristanC: cool.
09:27 <tristanC> jangutter: i haven't tested it yet, but https://softwarefactory-project.io/r/#/c/13177/ should add proper support for user provided tls certs
09:29 *** apevec has joined #softwarefactory
09:29 <jangutter> tristanC: is the localCA used for anything internal?
09:29 *** apevec has quit IRC
09:29 *** apevec has joined #softwarefactory
09:30 <tristanC> jangutter: yes, it's used for zuul gearman certificate and the influxdb configuration
09:31 <sfbender> Tristan de Cacqueray created software-factory/sf-docs master: Update operator SSL documentation  https://softwarefactory-project.io/r/13178
09:31 <tristanC> jangutter: thanks for the report!
09:31 <jangutter> tristanC: So you can't skip generating it....
09:32 <tristanC> hum, is that an issue?
09:35 <jangutter> tristanC: not.... sure. Commenting on the review.
09:39 <jangutter> tristanC: as long as that else: doesn't skip creating the localCA somehow, then I think it's fine. Haven't checked where it's built in detail.
09:39 <tristanC> jangutter: the localCA is generated for the install-server role, e.g. https://softwarefactory-project.io/cgit/software-factory/sf-config/tree/ansible/roles/sf-install-server/meta/sfconfig.py#n56
09:40 <jangutter> tristanC: aah, cool, then my paranoia is satisfied.
09:41 <tristanC> jangutter: thanks again, those tls settings are hard :)
09:42 <jangutter> tristanC: tell me about it! Thanks also for checking this out!
09:48 <tristanC> jangutter: hum, the patch doesn't work, i'll propose another PS shortly
09:54 <sfbender> Fabien Boucher created software-factory/managesf master: resources/projects: do not set a default tenant name to 'local'  https://softwarefactory-project.io/r/13179
10:05 <tristanC> jangutter: new PS should work as expected, it even checks that the key file more are secured :)
10:07 <tristanC> s/more/mode/
10:29 *** sshnaidm|ruck is now known as sshnaidm|afk
11:00 *** sshnaidm|afk is now known as sshnaidm|ruck
12:05 <sfbender> Merged software-factory/managesf master: managesf/configurations: repoxplorer get connections from conf  https://softwarefactory-project.io/r/13050
12:36 <sfbender> Merged software-factory/managesf master: managesf/configuration: zuul tenant_resources cache do proper get to avoid keyerror  https://softwarefactory-project.io/r/13134
12:58 <sfbender> Merged software-factory/sf-docs master: Update operator SSL documentation  https://softwarefactory-project.io/r/13178
13:05 *** ssbarnea has quit IRC
13:07 <jangutter> tristanC: In another weird stroke of fate, I accidentally deployed sf-3.0 with epel, and pulled in an intermediate version of testinfra.
13:08 <jangutter> tristanC: everything works OK, but it turns out that the newer version in epel is not quite new enough to test udp socket listening. So just a heads up if you rev testinfra one day, remember to switch to the latest version.
13:10 <jangutter> tristanC: ensure https://github.com/philpep/testinfra/commit/e5b007072954182d1662fe8d8b03c11838683c8d is in any future version if you upgrade.
13:24 <tristanC> jangutter: ho, that's good to know, i bumped the version here: https://softwarefactory-project.io/r/13180
13:24 <tristanC> jangutter: also, sf-3.1 will warn about epel presence and eventually ask to remove the repository
13:25 <tristanC> zuul is getting close to release 3.1.1, and we'll be able to publish sf-3.1 in one or two weeks
13:25 <jangutter> tristanC: yep, but aside from some minor niggles things are working surprisingly "ok"
13:26 <sfbender> Tristan de Cacqueray created software-factory/sf-config master: nodepool: add missing cache directory creation  https://softwarefactory-project.io/r/13181
13:27 <jangutter> tristanC: so, is there still some time to fix some minor "papercuts" for us? I need to go a bit through some of my local changes to see which ones are still valid.
13:29 <tristanC> jangutter: sure, now or even after the release, we can backport
13:31 <jangutter> tristanC: there's some stuff I haven't tested in clouds.yaml for nodepool that aids in private nodepools - I'll have to check a bit more if it'll work. That will cut out a local nodepool hack.
13:32 <tristanC> jangutter: there is now a nodepool.clouds_file option in sfconfig you can use to provide your own clouds.yaml
13:33 <jangutter> tristanC: hah. Story of my life. Spend an hour looking at code, find out it's a simple config option.
13:33 <tristanC> here is a preview of the sf-3.1 release notes: https://softwarefactory-project.io/logs/99/12899/2/check/build-pages/3fb7cd6/pages/releases/3.1/
13:34 <tristanC> it's not well stated, but sf-3.1 comes with a gerrit upgrade to version 2.14.7
13:38 <jangutter> tristanC: is there an RPM repo I can try a test install on? Not sure where to find a URL that points to "latest CI version".
13:40 <jangutter> tristanC: or should I just kick off a build following https://softwarefactory-project.io/docs/contributor/prepare_dev_environment.html ?
13:42 <tristanC> jangutter: "latest CI version" to be released as sf-3.1 would be this repository: https://softwarefactory-project.io/kojifiles/repos/sf-master-el7/
13:44 <sfbender> Tristan de Cacqueray created software-factory/sf-config master: (DNM) tenant: correctly import connections from master instance  https://softwarefactory-project.io/r/13182
13:44 <jangutter> tristanC: ah, excellent! Thanks!
14:13 *** nchakrab has quit IRC
14:14 *** nchakrab has joined #softwarefactory
14:18 *** ssbarnea has joined #softwarefactory
15:46 *** sshnaidm|ruck is now known as sshnaidm
15:49 <sfbender> Merged software-factory/sf-config master: runC: integrate automatic packages installation  https://softwarefactory-project.io/r/13120
15:56 *** sshnaidm is now known as sshnaidm|bbl
16:24 *** chkumar|rover is now known as chandankumar
16:52 <sfbender> Merged software-factory/sf-config master: nodepool: add missing cache directory creation  https://softwarefactory-project.io/r/13181
17:16 *** sshnaidm|bbl is now known as sshnaidm
17:24 *** apevec has quit IRC
18:19 *** nchakrab has quit IRC
22:38 *** sshnaidm is now known as sshnaidm|afk
23:48 *** jangutter has quit IRC

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!