*** dosaboy has joined #openstack-lbaas | 00:23 | |
*** yamamoto has quit IRC | 00:33 | |
*** tobberydberg has quit IRC | 00:35 | |
*** tobberydberg has joined #openstack-lbaas | 00:37 | |
*** rcernin has joined #openstack-lbaas | 00:48 | |
lxkong | johnsom, rm_work yeah, we are in the testing phase in a new private cloud, met with issue for lb creation failure. From my experience, the agent service may raise some exception which leads to communication between controller and amphora timeout | 00:55 |
johnsom | lxkong: if the agent raises an exception the controller will log it. | 00:56 |
lxkong | johnsom, rm_work with `disable_revert`, can the lb deletion still work? | 00:56 |
rm_work | Yes | 00:57 |
rm_work | I believe it should be ok | 00:57 |
rm_work | ... might want to check for extra resources after though | 00:57 |
lxkong | cool, will try. thanks | 00:58 |
*** yamamoto has joined #openstack-lbaas | 02:49 | |
*** psachin has joined #openstack-lbaas | 03:33 | |
*** yamamoto has quit IRC | 03:42 | |
*** yamamoto has joined #openstack-lbaas | 03:55 | |
*** psachin has quit IRC | 04:48 | |
*** zainub_wahid has joined #openstack-lbaas | 05:12 | |
openstackgerrit | Hidekazu Nakamura proposed openstack/octavia master: Add install guide for Ubuntu https://review.opendev.org/672842 | 05:28 |
*** gcheresh has joined #openstack-lbaas | 05:36 | |
*** gcheresh has quit IRC | 05:54 | |
*** pcaruana has joined #openstack-lbaas | 06:02 | |
*** ataraday has joined #openstack-lbaas | 06:09 | |
*** ramishra has joined #openstack-lbaas | 06:45 | |
*** lemko has joined #openstack-lbaas | 06:59 | |
*** logan- has quit IRC | 07:09 | |
*** logan_ has joined #openstack-lbaas | 07:10 | |
*** logan_ is now known as logan- | 07:10 | |
*** rcernin has quit IRC | 07:41 | |
*** tesseract has joined #openstack-lbaas | 07:43 | |
openstackgerrit | Merged openstack/octavia stable/stein: Accept oslopolicy-policy-generator path arguments https://review.opendev.org/698432 | 08:38 |
*** spatel has joined #openstack-lbaas | 08:50 | |
*** spatel has quit IRC | 08:54 | |
*** maciejjozefczyk has joined #openstack-lbaas | 09:03 | |
openstackgerrit | Merged openstack/octavia stable/train: Accept oslopolicy-policy-generator path arguments https://review.opendev.org/698431 | 09:11 |
openstackgerrit | Merged openstack/octavia stable/rocky: Accept oslopolicy-policy-generator path arguments https://review.opendev.org/698433 | 09:11 |
*** rcernin has joined #openstack-lbaas | 09:14 | |
*** tkajinam has quit IRC | 09:19 | |
*** yamamoto has quit IRC | 09:49 | |
*** rcernin has quit IRC | 09:53 | |
*** salmankhan has joined #openstack-lbaas | 10:06 | |
*** salmankhan1 has joined #openstack-lbaas | 10:22 | |
*** salmankhan has quit IRC | 10:25 | |
*** salmankhan1 is now known as salmankhan | 10:25 | |
hkominos | morning all. A quick question about Octavia. Is it possible to use it without having barbican installed (i.e. provide only a set of SSL certificates)? | 10:40 |
zainub_wahid | hkominos: yes! | 10:47 |
cgoncalves | hkominos, morning. Aside from Barbican as certificate manager, Octavia also has support for Castellan (https://wiki.openstack.org/wiki/Castellan) and local. The local cert manager is *not* recommended for any sort of deployment, just for internal testing. | 10:49 |
hkominos | cgoncalves. Thx. Is there any diagram or something which explains the use of SSL within barbican? The documentation is a bit confusing | 11:12 |
hkominos | sorry | 11:12 |
hkominos | within Octavia I mean | 11:12 |
cgoncalves | hkominos, just to be clear, you're talking about the use-case of TLS-terminated listeners right? | 11:14 |
cgoncalves | aka TLS-terminated load balancers :) | 11:14 |
hkominos | I am 99% sure that is what I am looking for. | 11:15 |
hkominos | The start of this issue is me trying to understand the following terminology (maybe tripleO) | 11:16 |
hkominos | OctaviaCaCert, OctaviaCaKey, OctaviaClientCert, OctaviaCaKeyPassphrase: | 11:17 |
cgoncalves | oh, that. there's no Barbican involved whatsoever there | 11:17 |
hkominos | I assumed that these are keys so my LB can communicate with the Octavia controllers | 11:18 |
cgoncalves | TripleO does not have documentation about that, sorry. OSP (Red Hat's commercial OpenStack offering) documents those parameters | 11:18 |
cgoncalves | for reference, this is the upstream Octavia certificate guide: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html | 11:19 |
hkominos | !. I can start there | 11:19 |
openstack | hkominos: Error: "." is not a valid command. | 11:19 |
cgoncalves | https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/networking_guide/sec-octavia#configuring_octavia_certificates_and_keys | 11:19 |
cgoncalves | please note that this documentation section in OSP is not very clear. there's work underway to improve it | 11:20 |
hkominos | Yes I saw that. My question is more like: What do these values represent exactly. | 11:20 |
hkominos | CA certificate for whom to talk to whom ? | 11:20 |
cgoncalves | hkominos, may I ask why you want to bring your own certificates? | 11:20 |
cgoncalves | TripleO can handle that for you out of the box | 11:20 |
cgoncalves | the certificate configuration guide provides good info on that | 11:21 |
cgoncalves | https://docs.openstack.org/octavia/latest/admin/guides/certificates.html#two-way-tls-authentication-in-octavia | 11:21 |
*** yamamoto has joined #openstack-lbaas | 11:23 | |
hkominos | I think tripleo provides a self signed certificate. | 11:24 |
hkominos | I needed a certificate from a CA | 11:24 |
hkominos | for business reasons. minimum of which is horizon working without having to accept a "risky" self-signed certificate | 11:25 |
cgoncalves | the self-signed certificate provided by TripleO is exclusively used between the octavia controller services and amphorae | 11:25 |
*** yamamoto has quit IRC | 11:26 | |
hkominos | Ok. So I assume this must be done by OctaviaGenerateCerts: | 11:29 |
hkominos | Or is this some other value ? | 11:29 |
cgoncalves | setting it to false disables the automatic certificate and key generation | 11:30 |
cgoncalves | so if you really have to due to e.g. business reasons, set it to false, yes | 11:30 |
hkominos | But true requires barbican to be installed right ? | 11:31 |
cgoncalves | no | 11:31 |
cgoncalves | Barbican is only required if you want to have TLS-terminated load balancers. | 11:32 |
*** yamamoto has joined #openstack-lbaas | 11:32 | |
*** yamamoto has quit IRC | 11:32 | |
cgoncalves | Barbican is used to store user secrets that are then consumed by Octavia to set up TLS-terminated load balancers | 11:33 |
cgoncalves | https://docs.openstack.org/octavia/ocata/specs/version0.5/tls-data-security.html | 11:34 |
cgoncalves | this is an old spec and it has already been implemented. I believe this is not what you're looking for at this moment, though, but wanted to share for future reference | 11:35 |
hkominos | ok. But i will read it. Just to understand | 11:35 |
hkominos | what might be happening behind the scenes | 11:35 |
hkominos | thx for all the URLs | 11:43 |
openstackgerrit | Gregory Thiemonge proposed openstack/octavia master: DNM improving amphora boot time on Centos https://review.opendev.org/698885 | 11:49 |
*** zainub_wahid has quit IRC | 11:51 | |
*** yamamoto has joined #openstack-lbaas | 11:54 | |
*** yamamoto has quit IRC | 11:54 | |
*** yamamoto has joined #openstack-lbaas | 11:55 | |
*** yamamoto has quit IRC | 12:01 | |
*** nicolasbock has joined #openstack-lbaas | 12:04 | |
*** spatel has joined #openstack-lbaas | 12:48 | |
*** spatel has quit IRC | 12:55 | |
*** goldyfruit has joined #openstack-lbaas | 13:07 | |
*** yamamoto has joined #openstack-lbaas | 13:14 | |
rm_work | hkominos: if you haven't figured it out yet, I can answer questions too | 13:29 |
rm_work | hkominos: but it sounds like you are conflating two things: | 13:29 |
rm_work | 1. The set of certificates that Octavia uses as a service to do internal communications (what TripleO will provide out of the box) | 13:30 |
rm_work | 2. User certificates, used to create LoadBalancers that can terminate the user's TLS traffic (provided by the user, stored in Barbican) | 13:30 |
rm_work | for #1, self-signed is totally fine, because it will never be user facing -- and in fact, it will be VERY hard to get a real certificate that will work, because that needs to be a *CA Signing* certificate, and almost no one is going to be willing to issue you one of those | 13:31 |
rm_work | for #2, you don't need to worry about that as a cloud provider -- that's a user-facing thing, they provide them and store them in Barbican | 13:32 |
rm_work | if you don't have Barbican, you can disable TLS-Termination as an option in the config: [api_settings] allow_tls_terminated_listeners = False | 13:32 |
rm_work | you will still be able to deploy Octavia though, and it will function correctly | 13:33 |
*** maciejjozefczyk has quit IRC | 13:43 | |
*** maciejjozefczyk has joined #openstack-lbaas | 13:45 | |
*** TrevorV has joined #openstack-lbaas | 14:29 | |
*** maciejjozefczyk_ has joined #openstack-lbaas | 14:36 | |
*** dmellado has quit IRC | 14:36 | |
*** ramishra has quit IRC | 14:37 | |
*** dmellado has joined #openstack-lbaas | 14:39 | |
*** maciejjozefczyk has quit IRC | 14:39 | |
openstackgerrit | Gregory Thiemonge proposed openstack/octavia master: DNM improving amphora boot time on Centos https://review.opendev.org/698885 | 14:44 |
openstackgerrit | Carlos Goncalves proposed openstack/octavia-tempest-plugin master: DNM: CentOS 8 controller and amphora job https://review.opendev.org/698450 | 14:45 |
*** spatel has joined #openstack-lbaas | 15:29 | |
*** spatel has quit IRC | 15:41 | |
*** baffle has quit IRC | 15:54 | |
*** yamamoto has quit IRC | 15:55 | |
*** yamamoto has joined #openstack-lbaas | 15:56 | |
*** yamamoto has quit IRC | 16:01 | |
*** tesseract has quit IRC | 16:53 | |
*** openstackgerrit has quit IRC | 17:29 | |
*** sapd1 has quit IRC | 17:34 | |
*** lemko has quit IRC | 18:48 | |
*** gcheresh has joined #openstack-lbaas | 19:13 | |
*** maciejjozefczyk_ has quit IRC | 19:41 | |
*** nicolasbock has quit IRC | 19:43 | |
*** gcheresh has quit IRC | 19:50 | |
*** salmankhan has quit IRC | 20:00 | |
*** gmann is now known as gmann_afk | 20:13 | |
*** salmankhan has joined #openstack-lbaas | 20:20 | |
*** salmankhan has quit IRC | 20:40 | |
*** yamamoto has joined #openstack-lbaas | 20:40 | |
*** yamamoto has quit IRC | 20:44 | |
*** gcheresh has joined #openstack-lbaas | 20:50 | |
*** TrevorV has quit IRC | 20:58 | |
*** gcheresh has quit IRC | 21:09 | |
*** logan- has quit IRC | 22:04 | |
*** logan- has joined #openstack-lbaas | 22:06 | |
*** KeithMnemonic1 has joined #openstack-lbaas | 22:15 | |
*** KeithMnemonic has quit IRC | 22:19 | |
*** pcaruana has quit IRC | 22:48 | |
*** openstackgerrit has joined #openstack-lbaas | 23:11 | |
openstackgerrit | Adam Harwell proposed openstack/octavia-lib master: Missed some flavor references in the AZ methods https://review.opendev.org/699047 | 23:11 |
*** KeithMnemonic1 has quit IRC | 23:19 | |
*** yamamoto has joined #openstack-lbaas | 23:55 |