<div dir="ltr"><div>Thanks rm_work.</div><div><br></div><div>I also noticed something that needs to be handled properly.</div><div><br></div><div>For barbican, the delete_cert() only deregisters the cert without actually deleting it. That's safe for us to call during delete_listener()/delete_loadbalancer().</div><div><br></div><div>But if the user uses another cert_manager by any chance, say the local_cert_manager, the same delete_cert() method will do a real delete of the cert.</div><div><br></div><div>Probably we need to implement register_consumer()/remove_consumer() methods for cert_manager and call them in neutron_lbaas as well.</div><div><br></div><div><br><div class="gmail_quote"><div>On Wed, Jan 25, 2017 at 10:48 Adam Harwell <<a href="mailto:flux.adam@gmail.com" target="_blank">flux.adam@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><p class="gmail-m_-2102407136204268176gmail_msg">I've got this on my list of things to look at -- I don't know if it was you I was talking with on IRC the other day about this issue, but I'm definitely aware of it. As soon as we are past the Ocata feature freeze crunch, I'll take a closer look.</p>
<p class="gmail-m_-2102407136204268176gmail_msg">My gut says that we should be calling the delete (which is not a real delete) when the LB is deleted, and not doing so is a bug, but I'll need to double check the logic as it has been a while since I touched this.</p>
<p class="gmail-m_-2102407136204268176gmail_msg">    --Adam (rm_work)</p>
<br class="gmail-m_-2102407136204268176gmail_msg"><div class="gmail_quote gmail-m_-2102407136204268176gmail_msg"></div><div class="gmail_quote gmail-m_-2102407136204268176gmail_msg"><div class="gmail-m_-2102407136204268176gmail_msg">On Mon, Jan 23, 2017, 18:38 Jiahao Liang (Frankie) <<a href="mailto:gzliangjiahao@gmail.com" class="gmail-m_-2102407136204268176gmail_msg" target="_blank">gzliangjiahao@gmail.com</a>> wrote:<br class="gmail-m_-2102407136204268176gmail_msg"></div></div><div class="gmail_quote gmail-m_-2102407136204268176gmail_msg"><blockquote class="gmail_quote gmail-m_-2102407136204268176gmail_msg" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail-m_-2102407136204268176gmail_msg">Hi community,<div class="gmail-m_-2102407136204268176gmail_msg"><br class="gmail-m_-2102407136204268176gmail_msg"></div><div class="gmail-m_-2102407136204268176gmail_msg">I created a loadbalancer with a listener with protocol as "TERMINATED_HTTPS" and specified --default-tls-container-ref with a ref of a secret container from Barbican.</div><div class="gmail-m_-2102407136204268176gmail_msg">However, after I deleted the listener, the lbaas wasn't removed from the barbican container consumer list.</div><div class="gmail-m_-2102407136204268176gmail_msg"><div class="gmail-m_-2102407136204268176gmail_msg"><br class="gmail-m_-2102407136204268176gmail_msg"></div><div class="gmail-m_-2102407136204268176gmail_msg">$openstack secret container get <a href="http://192.168.20.24:9311/v1/containers/453e8905-d42b-43bd-9947-50e3acf499f4" class="gmail-m_-2102407136204268176gmail_msg" target="_blank">http://192.168.20.24:9311/v1/<wbr>containers/453e8905-d42b-43bd-<wbr>9947-50e3acf499f4</a><br class="gmail-m_-2102407136204268176gmail_msg"></div><div class="gmail-m_-2102407136204268176gmail_msg">+----------------+------------<wbr>------------------------------<wbr>------------------------------<wbr>-----------------------------+</div><div 
class="gmail-m_-2102407136204268176gmail_msg">| Field          | Value                                                                                               |</div><div class="gmail-m_-2102407136204268176gmail_msg">+----------------+------------<wbr>------------------------------<wbr>------------------------------<wbr>-----------------------------+</div><div class="gmail-m_-2102407136204268176gmail_msg">| Container href | <a href="http://192.168.20.24:9311/v1/containers/453e8905-d42b-43bd-9947-50e3acf499f4" class="gmail-m_-2102407136204268176gmail_msg" target="_blank">http://192.168.20.24:9311/v1/<wbr>containers/453e8905-d42b-43bd-<wbr>9947-50e3acf499f4</a>                        |</div><div class="gmail-m_-2102407136204268176gmail_msg">| Name           | tls_container2                                                                                      |</div><div class="gmail-m_-2102407136204268176gmail_msg">| Created        | 2017-01-19 12:44:07+00:00                                                                           |</div><div class="gmail-m_-2102407136204268176gmail_msg">| Status         | ACTIVE                                                                                              |</div><div class="gmail-m_-2102407136204268176gmail_msg">| Type           | certificate                                                                                         |</div><div class="gmail-m_-2102407136204268176gmail_msg">| Certificate    | <a href="http://192.168.20.24:9311/v1/secrets/bfc2bf01-0f23-4105-bf09-c75839b6b4cb" class="gmail-m_-2102407136204268176gmail_msg" target="_blank">http://192.168.20.24:9311/v1/<wbr>secrets/bfc2bf01-0f23-4105-<wbr>bf09-c75839b6b4cb</a>                           |</div><div class="gmail-m_-2102407136204268176gmail_msg">| Intermediates  | None                                                                                                |</div><div class="gmail-m_-2102407136204268176gmail_msg">| Private Key    | <a 
href="http://192.168.20.24:9311/v1/secrets/c85d150e-ec84-42e0-a65f-9c9ec19767e1" class="gmail-m_-2102407136204268176gmail_msg" target="_blank">http://192.168.20.24:9311/v1/<wbr>secrets/c85d150e-ec84-42e0-<wbr>a65f-9c9ec19767e1</a>                           |</div><div class="gmail-m_-2102407136204268176gmail_msg">| PK Passphrase  | None                                                                                                |</div><div class="gmail-m_-2102407136204268176gmail_msg">| <b class="gmail-m_-2102407136204268176gmail_msg">Consumers      | {u'URL': u'lbaas://RegionOne/<wbr>loadbalancer/5e7768b9-7aa9-<wbr>4146-8a71-6291353b447e', u'name': u'lbaas'}</b></div></div><div class="gmail-m_-2102407136204268176gmail_msg"><br class="gmail-m_-2102407136204268176gmail_msg"></div><div class="gmail-m_-2102407136204268176gmail_msg"><br class="gmail-m_-2102407136204268176gmail_msg"></div><div class="gmail-m_-2102407136204268176gmail_msg">I went through the neutron-lbaas code base. We did register the consumer during the creation of the "TERMINATED_HTTPS" listener in [1]. But we somehow don't deregister it during the deletion in [1]: <a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/services/loadbalancer/plugin.py#L642" class="gmail-m_-2102407136204268176gmail_msg" target="_blank">https://github.com/<wbr>openstack/neutron-lbaas/blob/<wbr>stable/mitaka/neutron_lbaas/<wbr>services/loadbalancer/plugin.<wbr>py#L642</a></div><div class="gmail-m_-2102407136204268176gmail_msg">get_cert() registers lbaas as a consumer for the barbican cert_manager.  
(<a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L177" class="gmail-m_-2102407136204268176gmail_msg" target="_blank">https://github.com/<wbr>openstack/neutron-lbaas/blob/<wbr>stable/mitaka/neutron_lbaas/<wbr>common/cert_manager/barbican_<wbr>cert_manager.py#L177</a>)</div><div class="gmail-m_-2102407136204268176gmail_msg">[2]: <a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/services/loadbalancer/plugin.py#L805" class="gmail-m_-2102407136204268176gmail_msg" target="_blank">https://github.com/<wbr>openstack/neutron-lbaas/blob/<wbr>stable/mitaka/neutron_lbaas/<wbr>services/loadbalancer/plugin.<wbr>py#L805</a></div><div class="gmail-m_-2102407136204268176gmail_msg">we probably need to call delete_cert from barbican cert_manager to remove the consumer. (<a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L187" class="gmail-m_-2102407136204268176gmail_msg" target="_blank">https://github.com/openstack/<wbr>neutron-lbaas/blob/stable/<wbr>mitaka/neutron_lbaas/common/<wbr>cert_manager/barbican_cert_<wbr>manager.py#L187</a>)</div><div class="gmail-m_-2102407136204268176gmail_msg"><br class="gmail-m_-2102407136204268176gmail_msg"></div><div class="gmail-m_-2102407136204268176gmail_msg"><br class="gmail-m_-2102407136204268176gmail_msg"></div><div class="gmail-m_-2102407136204268176gmail_msg">My questions are:</div><div class="gmail-m_-2102407136204268176gmail_msg">1. is that a bug?</div><div class="gmail-m_-2102407136204268176gmail_msg">2. 
or is it an <span style="font-family:roboto,arial,sans-serif" class="gmail-m_-2102407136204268176gmail_msg">intentional </span>design letting the vendor driver handle it?</div><div class="gmail-m_-2102407136204268176gmail_msg"><br class="gmail-m_-2102407136204268176gmail_msg"></div><div class="gmail-m_-2102407136204268176gmail_msg">It looks more like a bug to me.</div><div class="gmail-m_-2102407136204268176gmail_msg"><br class="gmail-m_-2102407136204268176gmail_msg"></div><div class="gmail-m_-2102407136204268176gmail_msg">Any thoughts?</div><div class="gmail-m_-2102407136204268176gmail_msg"><br class="gmail-m_-2102407136204268176gmail_msg"></div><div class="gmail-m_-2102407136204268176gmail_msg"><br class="gmail-m_-2102407136204268176gmail_msg"></div><div class="gmail-m_-2102407136204268176gmail_msg">Best,</div><div class="gmail-m_-2102407136204268176gmail_msg">Jiahao</div><div class="gmail-m_-2102407136204268176gmail_msg">-- <br class="gmail-m_-2102407136204268176gmail_msg"><div class="gmail-m_-2102407136204268176m_-1974580634870267779m_5450193218513205940gmail_signature gmail-m_-2102407136204268176gmail_msg"><div class="gmail-m_-2102407136204268176gmail_msg"><div class="gmail-m_-2102407136204268176gmail_msg"><div class="gmail-m_-2102407136204268176gmail_msg"><div style="color:rgb(34,34,34);font-family:verdana,arial,helvetica,sans-serif;margin:0px 0px 8px" class="gmail-m_-2102407136204268176gmail_msg"><table border="0" class="gmail-m_-2102407136204268176gmail_msg"><tbody class="gmail-m_-2102407136204268176gmail_msg"><tr valign="top" class="gmail-m_-2102407136204268176gmail_msg"><td style="font-family:arial,sans-serif;margin:0px" class="gmail-m_-2102407136204268176gmail_msg"></td><td style="font-family:arial,sans-serif;margin:0px" class="gmail-m_-2102407136204268176gmail_msg"><font size="2" class="gmail-m_-2102407136204268176gmail_msg"><strong style="font-family:georgia,palatino;color:rgb(0,0,128);background-color:rgb(192,192,192)" 
class="gmail-m_-2102407136204268176gmail_msg"><span style="background-color:rgb(255,255,255)" class="gmail-m_-2102407136204268176gmail_msg">梁嘉豪/Jiahao LIANG</span><span style="background-color:rgb(255,255,255)" class="gmail-m_-2102407136204268176gmail_msg"> (Frankie</span><span style="background-color:rgb(255,255,255)" class="gmail-m_-2102407136204268176gmail_msg">)     <br class="gmail-m_-2102407136204268176gmail_msg"></span></strong></font><span style="font-size:small" class="gmail-m_-2102407136204268176gmail_msg"><br class="gmail-m_-2102407136204268176gmail_msg">Email: </span><a href="mailto:gzliangjiahao@gmail.com" style="font-size:small" class="gmail-m_-2102407136204268176gmail_msg" target="_blank">gzliangjiahao@gmail.com</a></td></tr></tbody></table></div><br class="gmail-m_-2102407136204268176gmail_msg"></div></div></div></div>
</div></div></blockquote></div><div class="gmail_quote gmail-m_-2102407136204268176gmail_msg"><blockquote class="gmail_quote gmail-m_-2102407136204268176gmail_msg" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
______________________________<wbr>______________________________<wbr>______________<br class="gmail-m_-2102407136204268176gmail_msg">
OpenStack Development Mailing List (not for usage questions)<br class="gmail-m_-2102407136204268176gmail_msg">
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" class="gmail-m_-2102407136204268176gmail_msg" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br class="gmail-m_-2102407136204268176gmail_msg">
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" class="gmail-m_-2102407136204268176gmail_msg" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br class="gmail-m_-2102407136204268176gmail_msg">
</blockquote></div>
</blockquote></div></div></div>
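The difference between the two delete_cert() behaviours discussed in this thread, and the effect of a separate remove_consumer() call, shown as an added sketch that is not neutron-lbaas code. The class names, the in-memory storage and the `lb-a`/`lb-b` identifiers are hypothetical; only the method names delete_cert(), get_cert(), register_consumer() and remove_consumer() come from the thread.

```python
# Added sketch: simplified stand-ins for the cert_manager behaviours
# described in the thread. Not the neutron-lbaas implementation.

class CertManager:
    """Hypothetical base with the proposed consumer-tracking methods."""

    def __init__(self):
        self.certs = {}      # cert_ref -> certificate data
        self.consumers = {}  # cert_ref -> set of consumer URLs

    def register_consumer(self, cert_ref, consumer):
        self.consumers.setdefault(cert_ref, set()).add(consumer)

    def remove_consumer(self, cert_ref, consumer):
        # Drops one reference; never touches the certificate itself.
        self.consumers.get(cert_ref, set()).discard(consumer)

    def get_cert(self, cert_ref, consumer):
        self.register_consumer(cert_ref, consumer)
        return self.certs[cert_ref]


class BarbicanLikeManager(CertManager):
    def delete_cert(self, cert_ref, consumer):
        # Behaviour described for barbican: deregister only.
        self.remove_consumer(cert_ref, consumer)


class LocalLikeManager(CertManager):
    def delete_cert(self, cert_ref, consumer):
        # Behaviour described for local_cert_manager: a real delete.
        self.certs.pop(cert_ref, None)
        self.consumers.pop(cert_ref, None)


def delete_listener(manager, cert_ref, lb_url, use_remove_consumer):
    """Release lb_url's claim on cert_ref; return True if the cert survives."""
    if use_remove_consumer:
        manager.remove_consumer(cert_ref, lb_url)
    else:
        manager.delete_cert(cert_ref, lb_url)
    return cert_ref in manager.certs


def run_case(manager_cls, use_remove_consumer):
    """Two load balancers share one cert; the first one's listener is deleted."""
    lb_a = "lbaas://RegionOne/loadbalancer/lb-a"  # constructed identifiers
    lb_b = "lbaas://RegionOne/loadbalancer/lb-b"
    m = manager_cls()
    m.certs["ref-1"] = "constructed certificate placeholder"
    m.get_cert("ref-1", lb_a)
    m.get_cert("ref-1", lb_b)
    survived = delete_listener(m, "ref-1", lb_a, use_remove_consumer)
    return survived, sorted(m.consumers.get("ref-1", ()))
```

With the local-style manager, calling delete_cert() from the listener delete path removes a certificate that the second load balancer still uses, while remove_consumer() leaves it in place on either backend.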