moguimar | ping dhellmann bnemec redrobot raildo | 15:00 |
---|---|---|
bnemec | o/ | 15:00 |
raildo | #startmeeting oslo-config-plaintext-secrets | 15:00 |
openstack | Meeting started Tue Sep 25 15:00:12 2018 UTC and is due to finish in 60 minutes. The chair is raildo. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
*** openstack changes topic to " (Meeting topic: oslo-config-plaintext-secrets)" | 15:00 | |
openstack | The meeting name has been set to 'oslo_config_plaintext_secrets' | 15:00 |
raildo | #link https://etherpad.openstack.org/p/oslo-config-plaintext-secrets | 15:00 |
moguimar | waaa | 15:00 |
moguimar | raildo was faster than me this time with the link xD | 15:00 |
raildo | :) | 15:01 |
redrobot | o/ | 15:01 |
raildo | I think we can get it started | 15:02 |
raildo | #topic PTG feedback | 15:03 |
*** openstack changes topic to "PTG feedback (Meeting topic: oslo-config-plaintext-secrets)" | 15:03 | |
raildo | bnemec, dhellmann how was the PTG for you guys? | 15:03 |
bnemec | Good. I think we had some useful discussions. | 15:03 |
raildo | any discussion/updates about this topic in Denver? | 15:03 |
bnemec | Yes, although I think it mostly consisted of "this is happening, next step is implementation of the castellan driver". | 15:04 |
bnemec | Oh, we did decide to continue deferring the issue of mutability too. | 15:05 |
bnemec | Basically we're going to ignore it until someone complains. :-) | 15:05 |
raildo | bnemec, yeah, that makes sense for now :) let's keep that in mind to add a note for that in the castellan driver docs later | 15:05 |
moguimar | sounds like a plan | 15:05 |
raildo | on the tripleO side, I was remotely in the meeting, tripleo folks liked the idea of having that as a driver for castellan, but they think that we're still a bit raw with the implementation details | 15:06 |
raildo | and I kinda agree with that :) | 15:07 |
raildo | for example, we should avoid duplicating the secrets in other places (like heat or ansible) where it could end up unencrypted, even using the castellan driver | 15:07 |
raildo | to fix that one of the ideas was to bring up a temporary instance of Vault where we would store all the sensitive data, and eventually copy the encrypted database to the overcloud | 15:08 |
raildo | but it's something that we'll need to spend more time on during this release, and start writing some PoC for TripleO, so we can understand more how it will work | 15:09 |
raildo | anything else on this topic? | 15:10 |
moguimar | sounds good to me | 15:10 |
raildo | #topic (moguimar) Castellan driver | 15:11 |
*** openstack changes topic to "(moguimar) Castellan driver (Meeting topic: oslo-config-plaintext-secrets)" | 15:11 | |
moguimar | the driver works | 15:11 |
moguimar | I'm trying to write some unit tests for it | 15:11 |
moguimar | to make sure it keeps working and to have a notion of code coverage | 15:12 |
bnemec | +1000 | 15:12 |
moguimar | I'm confident with the vault part of castellan | 15:12 |
moguimar | still reading the barbican bits | 15:13 |
raildo | so... one of the ideas that we had was to write a gate job with some functional tests for it. how feasible will it be to write some functional tests for it? | 15:13 |
moguimar | idk, haven't written any functional tests at all so far | 15:14 |
moguimar | so I can't estimate | 15:14 |
raildo | are we able to create a simple vault server using tempest stuff or having barbican running on tempest? | 15:14 |
moguimar | castellan has a vault functional test | 15:14 |
moguimar | and it uses pifpaf to run the vault server | 15:15 |
raildo | I would love to have an idea on how we can test this driver over tempest before merging it, since we can set some next steps for a gate job for castellan during this release | 15:16 |
redrobot | so Castellan doesn't have any functional gates at the moment | 15:16 |
redrobot | the Barbican team agreed to set one up during the PTG | 15:16 |
raildo | redrobot, is there any specific reason? | 15:16 |
raildo | ah, great | 15:16 |
redrobot | so I'll be helping make that happen | 15:16 |
redrobot | I think for sure we'll want a Vault gate | 15:16 |
redrobot | and probably a Barbican gate as well | 15:17 |
redrobot | for Castellan->Barbican | 15:17 |
moguimar | I'm also planning on adding a new param for a prefix in the secret id | 15:17 |
moguimar | will I need a spec for that? | 15:17 |
raildo | redrobot, yeah, that will bring more confidence to justify the driver work when we start working in the tripleo side of this feature | 15:17 |
moguimar | right now, the secret_id is generated by uuid | 15:17 |
redrobot | moguimar, seems like the kind of change that would be good to flesh out on a spec | 15:18 |
moguimar | I just need some more reading on the barbican bits of castellan | 15:18 |
moguimar | it is feasible on vault | 15:18 |
raildo | moguimar, yeah, that's like the pattern across generation of ids across the openstack services | 15:18 |
moguimar | if it is feasible as well in barbican I will write it | 15:18 |
raildo | what reason this prefix will be needed for? | 15:19 |
moguimar | so the key_manager.store() returns the secret_id | 15:19 |
moguimar | and the idea is to have key_manager.store(prefix="node_xyz_") | 15:20 |
moguimar | to get a secret_id like "node_xyz_891273123" | 15:20 |
raildo | so... shouldn't we create a resource node over secret and collect that data over there? usually I'm against having any kind of useful data over the ids | 15:21 |
raildo | that's why we use uuid, so it'll be a totally random number | 15:21 |
moguimar | the prefix could also be the node id | 15:22 |
raildo | but, let's write some spec about it, and we can keep the discussion over there :) sounds like something useful | 15:22 |
moguimar | it would reduce the policy files size having a single policy for all secrets from one node | 15:23 |
moguimar | instead of a policy for each secret of that node | 15:23 |
moguimar | that's all on my end | 15:24 |
moguimar | for this topic | 15:24 |
raildo | #action moguimar will write up a spec about adding a new param for a prefix in the secret id for castellan | 15:25 |
raildo | #topic Getting back to our weekly meeting or should we keep as a bi-weekly meeting? | 15:25 |
*** openstack changes topic to "Getting back to our weekly meeting or should we keep as a bi-weekly meeting? (Meeting topic: oslo-config-plaintext-secrets)" | 15:25 | |
moguimar | if feasible on the barbican side as well | 15:25 |
moguimar | +1 weekly | 15:25 |
raildo | the topic already says everything | 15:25 |
raildo | any other thoughts? | 15:27 |
raildo | I'd rather have the weekly meetings as well, just trying to have everyone's opinion on it :) | 15:28 |
moguimar | redrobot bnemec dhellmann | 15:28 |
moguimar | +1 weekly or +1 biweekly | 15:28 |
bnemec | I don't have a strong preference. If you think it would be helpful to meet every week that's fine with me. | 15:28 |
raildo | let's come back to the weekly meetings, if we notice that we don't have enough topics to be discussing in 30 min, we can push it for bi-weekly again | 15:30 |
redrobot | Weekly seems like a good cadence to stay on the same page. 🤷 | 15:30 |
moguimar | same feelings redrobot | 15:30 |
moguimar | or we can just skip one week | 15:30 |
moguimar | we've done that once | 15:30 |
raildo | also, I already updated our meeting's invite to be weekly, so you guys should receive the notification every week :) | 15:31 |
moguimar | then if we keep skipping, we talk about going biweekly again | 15:31 |
raildo | #topic Open Discussion | 15:31 |
*** openstack changes topic to "Open Discussion (Meeting topic: oslo-config-plaintext-secrets)" | 15:31 | |
moguimar | none on my end | 15:31 |
raildo | anything else? | 15:31 |
raildo | ok, so thank you all for your time, have an amazing week everyone! | 15:32 |
raildo | #endmeeting | 15:32 |
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings/" | 15:32 | |
openstack | Meeting ended Tue Sep 25 15:32:39 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:32 |
openstack | Minutes: http://eavesdrop.openstack.org/meetings/oslo_config_plaintext_secrets/2018/oslo_config_plaintext_secrets.2018-09-25-15.00.html | 15:32 |
moguimar | o/ | 15:32 |
openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/oslo_config_plaintext_secrets/2018/oslo_config_plaintext_secrets.2018-09-25-15.00.txt | 15:32 |
openstack | Log: http://eavesdrop.openstack.org/meetings/oslo_config_plaintext_secrets/2018/oslo_config_plaintext_secrets.2018-09-25-15.00.log.html | 15:32 |