<p dir="ltr">Yeah, I believe it was because we intended to leave it up to the specific certificate manager to determine what needs to be done -- we are treating it as a delete, and if the cert manager wants to do a true delete, they can. I'll agree the verb is not perfectly clear, but the driver author should make sure the correct action is taken regardless of the function name.</p>
<p dir="ltr">It's possible we should just rename the function to something like "unget_cert", which sounds a bit nonsensical but is possibly still clearer. I remember at the time I wrote this being frustrated with trying to name the function and wanting to just move on. T_T</p>
<p dir="ltr">   --Adam (rm_work)</p>
<p dir="ltr">PS: Did we remove the local cert manager yet? Now I need to check... I hope so, because it's not actually usable, nor can it be without API modifications (which we discussed but never actually implemented or even fully agreed on).</p>
<br><div class="gmail_quote"><div dir="ltr">On Wed, Jan 25, 2017, 17:50 Jiahao Liang (Frankie) &lt;<a href="mailto:gzliangjiahao@gmail.com">gzliangjiahao@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="gmail_msg"><div class="gmail_msg">Thanks rm_work.</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">I also notice something that needs to be handled properly. </div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">For barbican, the delete_cert() only deregisters the cert without actually deleting it. That's safe for us to call during delete_listener()/delete_loadbalancer().</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">But if the user uses another cert_manager by any chance, say the local_cert_manager, the same delete_cert() method will do a real delete of the cert.</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">Probably we need to implement register_consumer()/remove_consumer() methods for cert_manager and call them in neutron_lbaas as well.</div></div><div dir="ltr" class="gmail_msg"><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg"><br class="gmail_msg"><div class="gmail_quote gmail_msg"><div class="gmail_msg">On Wed, Jan 25, 2017 at 10:48 Adam Harwell &lt;<a href="mailto:flux.adam@gmail.com" class="gmail_msg" target="_blank">flux.adam@gmail.com</a>&gt; wrote:<br class="gmail_msg"></div><blockquote class="gmail_quote gmail_msg" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><p class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">I've got this on my list of things to look at -- I don't know if it was you I was talking with on IRC the other day about this issue, but I'm definitely aware of it. As soon as we are past the Ocata feature freeze crunch, I'll take a closer look.</p>
<p class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">My gut says that we should be calling the delete (which is not a real delete) when the LB is deleted, and not doing so is a bug, but I'll need to double check the logic as it has been a while since I touched this.</p>
<p class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">    --Adam (rm_work)</p>
<br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><div class="gmail_quote m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></div><div class="gmail_quote m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">On Mon, Jan 23, 2017, 18:38 Jiahao Liang (Frankie) &lt;<a href="mailto:gzliangjiahao@gmail.com" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg" target="_blank">gzliangjiahao@gmail.com</a>&gt; wrote:<br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></div></div><div class="gmail_quote m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><blockquote class="gmail_quote m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">Hi community,<div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">I created a loadbalancer with a listener with protocol as "TERMINATED_HTTPS" and specified --default-tls-container-ref with a ref of a secret container from Barbican.</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">However, after I deleted the listener, the lbaas wasn't removed from the barbican container consumer list.</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg 
gmail_msg">$openstack secret container get <a href="http://192.168.20.24:9311/v1/containers/453e8905-d42b-43bd-9947-50e3acf499f4" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg" target="_blank">http://192.168.20.24:9311/v1/containers/453e8905-d42b-43bd-9947-50e3acf499f4</a><br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">+----------------+-----------------------------------------------------------------------------------------------------+</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">| Field          | Value                                                                                               |</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">+----------------+-----------------------------------------------------------------------------------------------------+</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">| Container href | <a href="http://192.168.20.24:9311/v1/containers/453e8905-d42b-43bd-9947-50e3acf499f4" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg" target="_blank">http://192.168.20.24:9311/v1/containers/453e8905-d42b-43bd-9947-50e3acf499f4</a>                        |</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">| Name           | tls_container2                                                                                      |</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">| Created        | 2017-01-19 12:44:07+00:00                                                                           |</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">| Status         | ACTIVE                                                                       
                       |</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">| Type           | certificate                                                                                         |</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">| Certificate    | <a href="http://192.168.20.24:9311/v1/secrets/bfc2bf01-0f23-4105-bf09-c75839b6b4cb" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg" target="_blank">http://192.168.20.24:9311/v1/secrets/bfc2bf01-0f23-4105-bf09-c75839b6b4cb</a>                           |</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">| Intermediates  | None                                                                                                |</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">| Private Key    | <a href="http://192.168.20.24:9311/v1/secrets/c85d150e-ec84-42e0-a65f-9c9ec19767e1" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg" target="_blank">http://192.168.20.24:9311/v1/secrets/c85d150e-ec84-42e0-a65f-9c9ec19767e1</a>                           |</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">| PK Passphrase  | None                                                                                                |</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">| <b class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">Consumers      | {u'URL': u'lbaas://RegionOne/loadbalancer/5e7768b9-7aa9-4146-8a71-6291353b447e', u'name': u'lbaas'}</b></div></div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><br 
class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">I went through the neutron-lbaas code base. We did register the consumer during the creation of the "TERMINATED_HTTPS" listener in [1]. But we somehow don't deregister it during the deletion in [1]: <a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/services/loadbalancer/plugin.py#L642" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg" target="_blank">https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/services/loadbalancer/plugin.py#L642</a></div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">get_cert() registers lbaas as a consumer for barbican cert_manager.  (<a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L177" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg" target="_blank">https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L177</a>)</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">[2]: <a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/services/loadbalancer/plugin.py#L805" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg" target="_blank">https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/services/loadbalancer/plugin.py#L805</a></div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">we probably need to call delete_cert from barbican cert_manager to remove the consumer. 
(<a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L187" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg" target="_blank">https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L187</a>)</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">My questions are:</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">1. is that a bug?</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">2. or is it an <span style="font-family:roboto,arial,sans-serif" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">intentional </span>design letting the vendor driver handle it?</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">It looks more like a bug to me.</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">Any thoughts?</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></div><div 
class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">Best,</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">Jiahao</div><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">-- <br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><div class="m_6721743541969961784gmail-m_-2102407136204268176m_-1974580634870267779m_5450193218513205940gmail_signature m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><div class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><div style="color:rgb(34,34,34);font-family:verdana,arial,helvetica,sans-serif;margin:0px 0px 8px" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><table border="0" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><tbody class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><tr valign="top" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><td style="font-family:arial,sans-serif;margin:0px" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></td><td style="font-family:arial,sans-serif;margin:0px" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><font size="2" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><strong style="font-family:georgia,palatino;color:rgb(0,0,128);background-color:rgb(192,192,192)" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><span style="background-color:rgb(255,255,255)" 
class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">梁嘉豪/Jiahao LIANG</span><span style="background-color:rgb(255,255,255)" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"> (Frankie</span><span style="background-color:rgb(255,255,255)" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">)     <br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></span></strong></font><span style="font-size:small" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">Email: </span><a href="mailto:gzliangjiahao@gmail.com" style="font-size:small" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg" target="_blank">gzliangjiahao@gmail.com</a></td></tr></tbody></table></div><br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"></div></div></div></div>
</div></div></blockquote></div><div class="gmail_quote m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg"><blockquote class="gmail_quote m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
__________________________________________________________________________<br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">
OpenStack Development Mailing List (not for usage questions)<br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br class="m_6721743541969961784gmail-m_-2102407136204268176gmail_msg gmail_msg">
</blockquote></div>
</blockquote></div></div></div>
</blockquote></div>
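<p dir="ltr">Added example, not part of the original thread and not neutron-lbaas or Barbican code: a small in-memory model of the two delete_cert() behaviours described above, showing why a plugin that calls delete_cert() on listener deletion is safe with a deregister-only driver but destroys a shared certificate with a true-delete driver, and how the proposed register_consumer()/remove_consumer() pair behaves identically on both. The class names, the scenario helpers and all sample values are hypothetical.</p>

```python
"""Added illustration (not neutron-lbaas or Barbican code): why one delete_cert()
verb is unsafe across backends, and how register/remove_consumer avoids that.
Both managers are hypothetical in-memory models of behaviour the thread describes."""


class BaseCertManager:
    def __init__(self):
        self.certs = {}       # cert_ref -> PEM text
        self.consumers = {}   # cert_ref -> set of consumer URLs

    def store_cert(self, cert_ref, pem):
        self.certs[cert_ref] = pem
        self.consumers[cert_ref] = set()

    def register_consumer(self, cert_ref, consumer_url):
        self.consumers[cert_ref].add(consumer_url)  # idempotent: a set, not a list
        return self.certs[cert_ref]

    def remove_consumer(self, cert_ref, consumer_url):
        # Drops the reference only; the certificate itself is never touched.
        self.consumers.get(cert_ref, set()).discard(consumer_url)


class DeregisterOnlyManager(BaseCertManager):
    """Models the Barbican driver as described: delete_cert() only deregisters."""

    def delete_cert(self, cert_ref, consumer_url):
        self.remove_consumer(cert_ref, consumer_url)


class TrueDeleteManager(BaseCertManager):
    """Models the local driver as described: delete_cert() really deletes."""

    def delete_cert(self, cert_ref, consumer_url):
        self.certs.pop(cert_ref, None)
        self.consumers.pop(cert_ref, None)


def delete_listener(manager, cert_ref, lb_url, use_remove_consumer):
    """Simulate listener deletion; return (cert still stored, remaining consumers)."""
    if use_remove_consumer:
        manager.remove_consumer(cert_ref, lb_url)
    else:
        manager.delete_cert(cert_ref, lb_url)
    return cert_ref in manager.certs, sorted(manager.consumers.get(cert_ref, ()))


LB_A = "lbaas://RegionOne/loadbalancer/lb-a"   # constructed sample value
LB_B = "lbaas://RegionOne/loadbalancer/lb-b"   # constructed sample value


def run_scenario(manager_cls, use_remove_consumer):
    """Two load balancers share one cert; the listener on LB_A is then deleted."""
    mgr = manager_cls()
    ref = "containers/constructed-ref"          # constructed sample value
    mgr.store_cert(ref, "-----BEGIN CERTIFICATE-----(constructed)")
    mgr.register_consumer(ref, LB_A)
    mgr.register_consumer(ref, LB_B)
    return delete_listener(mgr, ref, LB_A, use_remove_consumer)
```

<p dir="ltr">With delete_cert(), only the true-delete model loses the certificate that LB_B still depends on; with remove_consumer(), both models keep the certificate and leave LB_B as the sole consumer.</p>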