nick | message | time |
---|---|---|
opendevreview | Carlos Gonçalves proposed openstack/octavia stable/victoria: Fix race conditions between API and worker DB calls https://review.opendev.org/c/openstack/octavia/+/798256 | 08:45 |
opendevreview | Merged openstack/octavia-dashboard stable/victoria: Change the Octavia Barbican namespace https://review.opendev.org/c/openstack/octavia-dashboard/+/800640 | 08:57 |
opendevreview | Merged openstack/octavia-dashboard stable/ussuri: Change the Octavia Barbican namespace https://review.opendev.org/c/openstack/octavia-dashboard/+/800641 | 08:57 |
opendevreview | Merged openstack/octavia-dashboard stable/wallaby: Change the Octavia Barbican namespace https://review.opendev.org/c/openstack/octavia-dashboard/+/800639 | 08:57 |
opendevreview | Merged openstack/octavia-dashboard stable/train: Change the Octavia Barbican namespace https://review.opendev.org/c/openstack/octavia-dashboard/+/800642 | 08:57 |
opendevreview | Merged openstack/octavia-dashboard master: Fix deleting multiple resources https://review.opendev.org/c/openstack/octavia-dashboard/+/784880 | 08:57 |
opendevreview | Merged openstack/octavia-dashboard stable/victoria: Imported Translations from Zanata https://review.opendev.org/c/openstack/octavia-dashboard/+/799412 | 08:57 |
opendevreview | Merged openstack/octavia-dashboard master: Remove unicode to adapt to python3 https://review.opendev.org/c/openstack/octavia-dashboard/+/769057 | 08:57 |
*** | njohnston_ is now known as njohnston | 17:58 |
rm_work | johnsom do you remember, do HTTPS health checks just use insecure mode or do they check certificates somehow? If you've got a listener doing HTTPS passthrough and try to do a health monitor on HTTPS ... | 20:17 |
rm_work | I seem to recall maybe the health check template ignoring certs? | 20:18 |
johnsom | rm_work So, there are TLS-HELLO checks that ignore the cert. But if you have configured a CA for backend re-encrypt the health check will use it. | 20:19 |
rm_work | Ah yeah ok | 20:20 |
rm_work | But if there's no decrypt | 20:20 |
rm_work | The Listener won't have any certs | 20:20 |
rm_work | So does that mean https checks just aren't valid? | 20:20 |
johnsom | If you do an HTTPS check but don't load a CA, it will not validate the cert (if I remember right; would need to look in the template to make sure) | 20:21 |
johnsom | The CA would be on the pool for the backend health check. | 20:21 |
rm_work | Hmm, no, the template looks like I remember it | 20:22 |
johnsom | Yeah, so HTTPS with no CA on the pool will TLS connect but not verify the cert. HTTPS with a CA on the pool will verify the cert. | 20:23 |
johnsom | https://github.com/openstack/octavia/blob/master/octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2#L253 | 20:23 |
rm_work | I don't see that | 20:23 |
rm_work | Sec | 20:23 |
rm_work | Trying to link but internet being wonky | 20:23 |
johnsom | Those darn networking people | 20:23 |
rm_work | https://github.com/openstack/octavia/blob/master/octavia/common/jinja/haproxy/split_listeners/templates/macros.j2#L175-L176 | 20:25 |
johnsom | https://www.irccloud.com/pastebin/NcvHcBDw/ | 20:25 |
johnsom | split listeners is deprecated | 20:25 |
rm_work | bah lol | 20:26 |
rm_work | i always forget which one is the main one | 20:26 |
rm_work | is it different tho? | 20:26 |
rm_work | https://github.com/openstack/octavia/blob/master/octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2#L201-L202 | 20:26 |
johnsom | I have to stop and think about it too | 20:26 |
rm_work | it is not different | 20:26 |
johnsom | I sent the jinja in the pastebin and the first link | 20:27 |
rm_work | ok but none of that is on the monitor opts? | 20:28 |
johnsom | Right, they follow the pool config | 20:29 |
rm_work | hmm | 20:30 |
rm_work | not sure I follow that lol | 20:30 |
rm_work | monitor ssl opts are just overrides? | 20:31 |
rm_work | but wouldn't the code I linked ALWAYS be on there? and thus always ignore certs for monitors? | 20:31 |
johnsom | The HTTP health checks, by default, will follow the pool (backend) configuration settings for TLS | 20:31 |
rm_work | so how do they avoid that `monitor_ssl_opt` being added? | 20:31 |
rm_work | it looks like it will be added regardless | 20:32 |
rm_work | and no matter how the pool is configured, once `check-ssl verify none` is on there... it's not verifying | 20:32 |
johnsom | Hmm, you have a point | 20:32 |
johnsom | Yeah, that is a bug IMO | 20:34 |