opendevreview | Takashi Kajinami proposed openstack/python-barbicanclient master: Update default envlist https://review.opendev.org/c/openstack/python-barbicanclient/+/939023 | 05:05 |
---|---|---|
opendevreview | Takashi Kajinami proposed openstack/barbican master: Update default envlist https://review.opendev.org/c/openstack/barbican/+/939039 | 05:20 |
Rajiv | Hi, is there a meeting today ? | 14:17 |
xek | #startmeeting barbican | 15:01 |
opendevmeet | Meeting started Mon Jan 13 15:01:00 2025 UTC and is due to finish in 60 minutes. The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:01 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:01 |
opendevmeet | The meeting name has been set to 'barbican' | 15:01 |
xek | #topic Roll Call | 15:01 |
xek | Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar | 15:01 |
xek | o/ | 15:01 |
xek | As usual our agenda can be found here: | 15:01 |
xek | #link https://etherpad.openstack.org/p/barbican-weekly-meeting | 15:01 |
rajiv | Hey | 15:03 |
dmendiza[m] | 🙋 | 15:03 |
xek | #topic Review Past Meeting Action Items | 15:04 |
xek | #link https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-12-16-15.01.html | 15:04 |
xek | There were no action items | 15:04 |
xek | #topic Liaison Updates | 15:05 |
xek | QA update - I added the patch to make the octavia job non-voting | 15:06 |
xek | #link https://review.opendev.org/c/openstack/barbican/+/938221 | 15:06 |
mharley[m] | o/ | 15:07 |
xek | although https://review.opendev.org/c/openstack/octavia-tempest-plugin/+/937366 is merged | 15:08 |
xek | so octavia should be passing | 15:08 |
xek | #topic Open Discussion | 15:09 |
rajiv | Hi, in my pursuit to support multi-vendor/device HSM devices, i was testing a POST API and was blocked by https://opendev.org/openstack/barbican/src/branch/master/barbican/model/models.py#L1576-L1581, if i remove this constraint, backend is not initialised | 15:10 |
rajiv | any suggestions on how to go forward ? | 15:10 |
xek | did you also add some entries breaking the initial constraint? | 15:13 |
xek | I wouldn't expect it to fail if only these lines were removed | 15:14 |
rajiv | testing with __table_args__ = () also failed | 15:14 |
xek | but maybe it's checking if the definitions are consistent with the database | 15:14 |
xek | you probably have to prepare a database migration to test this change | 15:14 |
rajiv | oh ok, an alembic procedure ? is there any docu on how to do it ? | 15:15 |
rajiv | as HSM devices communicate over pkcs11, i felt it's better to enhance the existing functionality instead of writing a custom plugin, is this the best approach ? | 15:16 |
xek | there might be in other projects | 15:16 |
xek | the procedure should be the same or very similar | 15:16 |
rajiv | okay | 15:17 |
xek | it probably mostly depends on whether you will want to propose it to be merged into barbican, or maintain it yourself | 15:18 |
rajiv | would this functionality help others ? or worth creating a blueprint ? | 15:18 |
rajiv | lastly, to support this, creating multiple secret stores is the ideal option right ? or is there any other approach ? | 15:19 |
xek | I think it's better to propose it, you can also expect more feedback than when keeping it in house, ending up with a better implementation in the end | 15:20 |
rajiv | cool :) | 15:20 |
xek | dmendiza maybe you have some pointers on that? | 15:21 |
rajiv | this is my first proposal, it worked locally but further reviews are welcome : https://review.opendev.org/c/openstack/barbican/+/938186 | 15:23 |
xek | I see you've already got some feedback :) | 15:26 |
xek | don't be discouraged by the -1, it's just an annotation that changes are needed | 15:27 |
rajiv | sure :) | 15:27 |
rajiv | dmendiza[m]: i also mailed the multi-device support query, it will be of great help if you could reply :) | 15:28 |
* dmendiza[m] catches up on scrollback | 15:28 | |
dmendiza[m] | Barbican already has a way of instantiating multiple backends. However, the StoreCryptoAdapter class is/was limited to a single instance. I don't remember the details of the limitation. | 15:29 |
dmendiza[m] | Removing that constraint may or may not work, you'll just have to test it. | 15:29 |
rajiv | removing the constraint failed to initialise the backend | 15:30 |
dmendiza[m] | Right, so you'll have to dig into why that happens. 🤷 | 15:30 |
dmendiza[m] | I think the main issue will be with oslo config | 15:31 |
rajiv | oh ok | 15:31 |
dmendiza[m] | because there is a 1-to-1 config for StoreCryptoAdapter to PKCS#11 device | 15:31 |
dmendiza[m] | I think you can do two StoreCryptoAdapters with one using SimpleCrypto and the other one using PKCS#11 | 15:32 |
dmendiza[m] | but yeah, two with two PKCS#11 adapters will need to have different configuration stanzas and that's not currently possible | 15:32 |
rajiv | i see, seems to be more complicated than i expected. | 15:33 |
rajiv | lastly, is it better to create multiple secretstores to support this functionality or is there any other option ? | 15:34 |
dmendiza[m] | the easier option is to have two deployments | 15:35 |
dmendiza[m] | then the user can choose a deployment based on what HSM they want to use | 15:35 |
rajiv | two deployments of barbican in 1 openstack cloud ? this means more endpoints, more issues in k8s ingresses, right ? | 15:36 |
rajiv | is it possible to implement multiple barbican instances in 1 openstack deployment ? is there any documentation ? | 15:36 |
xek | it might be possible, but I guess you would have to duplicate other services which depend on barbican, since they will each point to one instance | 15:38 |
rajiv | oh yes, keystone, nfs, etc seems to be more work than the above :( | 15:39 |
dmendiza[m] | https://docs.openstack.org/barbican/latest/configuration/plugin_backends.html#enabling-multiple-barbican-backends | 15:41 |
dmendiza[m] | Oh, I misread your question | 15:42 |
dmendiza[m] | The link is probably not helpful. 😅 | 15:42 |
rajiv | np :) | 15:42 |
xek | let's continue to the last topic | 15:47 |
xek | #topic Bug Review | 15:48 |
xek | There were no new bugs reported since our last meeting | 15:48 |
xek | This concludes our first meeting in 2025 :) | 15:49 |
xek | That's it for today, see y'all next week! | 15:49 |
xek | #endmeeting | 15:49 |
opendevmeet | Meeting ended Mon Jan 13 15:49:51 2025 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:49 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/barbican/2025/barbican.2025-01-13-15.01.html | 15:49 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/barbican/2025/barbican.2025-01-13-15.01.txt | 15:49 |
opendevmeet | Log: https://meetings.opendev.org/meetings/barbican/2025/barbican.2025-01-13-15.01.log.html | 15:49 |