<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Arial;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:palatino;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
p.m3954780794741139961m6721743541969961784gmail-m-2102407136204268176gmailmsg, li.m3954780794741139961m6721743541969961784gmail-m-2102407136204268176gmailmsg, div.m3954780794741139961m6721743541969961784gmail-m-2102407136204268176gmailmsg
{mso-style-name:m_3954780794741139961m_6721743541969961784gmail-m_-2102407136204268176gmail_msg;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
span.m3954780794741139961m6721743541969961784gmail-m-2102407136204268176gmailmsg1
{mso-style-name:m_3954780794741139961m_6721743541969961784gmail-m_-2102407136204268176gmail_msg1;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:Calibri;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">The idea was that we would like to let the user know in Barbican when the certificate is being used with LBaaS. Therefore, we added the register and de-register logic. I don’t know of any
use case where a certificate needs to be deleted in Barbican when LBaaS doesn’t need it any longer.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">So I agree with Andrey – it’s the same semantic as images.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">German <o:p>
</o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-family:Calibri;color:black">From: </span>
</b><span style="font-family:Calibri;color:black">Andrey Grebennikov &lt;agrebennikov@mirantis.com&gt;<br>
<b>Reply-To: </b>"OpenStack Development Mailing List (not for usage questions)" &lt;openstack-dev@lists.openstack.org&gt;<br>
<b>Date: </b>Friday, January 27, 2017 at 12:07 PM<br>
<b>To: </b>"OpenStack Development Mailing List (not for usage questions)" &lt;openstack-dev@lists.openstack.org&gt;<br>
<b>Cc: </b>Subrahmanyam Ongole &lt;songole@oneconvergence.com&gt;<br>
<b>Subject: </b>Re: [openstack-dev] [neutron-lbaas][barbican][octavia]certs don't get deregistered in barbican after lbaas listener delete<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Frankie, <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">What is the reason why the cert has to be deleted on the balancer deletion?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The entire workflow, if I'm not mistaken, is to first work with the Barbican API in order to create the cert bundle. And technically it is not yet connected to anything else.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">After that you create the balancer, specifying the link to where the cert bundle is.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">From this perspective, why should one expect the cert bundle to be deleted?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For me personally it is the same as deletion of the image automatically once the instance got deleted :/<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Sorry if I'm missing the context.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Fri, Jan 27, 2017 at 2:19 AM, Adam Harwell &lt;<a href="mailto:flux.adam@gmail.com" target="_blank">flux.adam@gmail.com</a>&gt; wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p>Yeah, I believe it was because we intended to leave it up to the specific certificate manager to determine what needs to be done -- we are treating it as a delete, and if the cert manager wants to do a true delete, they can. I'll agree the verb is not perfectly
clear, but the driver author should make sure the correct action is taken regardless of the function name.<o:p></o:p></p>
<p>It's possible we should just rename the function to something like "unget_cert", which sounds a bit nonsensical but is possibly still clearer. I remember at the time I wrote this being frustrated with trying to name the function and wanting to just move
on. T_T<o:p></o:p></p>
<p> --Adam (rm_work)<o:p></o:p></p>
<p>PS: Did we remove the local cert manager yet? Now I need to check... I hope so, because it's not actually usable, nor can it be without API modifications (which we discussed but never actually implemented or even fully agreed on).<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Wed, Jan 25, 2017, 17:50 Jiahao Liang (Frankie) &lt;<a href="mailto:gzliangjiahao@gmail.com" target="_blank">gzliangjiahao@gmail.com</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">Thanks rm_work.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I also notice something that needs to be handled properly. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For barbican, the delete_cert() only deregisters the cert without actually deleting it. That's safe for us to call during delete_listener()/delete_loadbalancer().<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">But if the user uses another cert_manager by any chance, say the local_cert_manager, the same delete_cert() method will do a real delete of the cert.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Probably we need to implement register_consumer()/remove_consumer() methods for cert_manager and call them in neutron_lbaas as well.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Wed, Jan 25, 2017 at 10:48 Adam Harwell &lt;<a href="mailto:flux.adam@gmail.com" target="_blank">flux.adam@gmail.com</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="m3954780794741139961m6721743541969961784gmail-m-2102407136204268176gmailmsg">
I've got this on my list of things to look at -- I don't know if it was you I was talking with on IRC the other day about this issue, but I'm definitely aware of it. As soon as we are past the Ocata feature freeze crunch, I'll take a closer look.<o:p></o:p></p>
<p class="m3954780794741139961m6721743541969961784gmail-m-2102407136204268176gmailmsg">
My gut says that we should be calling the delete (which is not a real delete) when the LB is deleted, and not doing so is a bug, but I'll need to double check the logic as it has been a while since I touched this.<o:p></o:p></p>
<p class="m3954780794741139961m6721743541969961784gmail-m-2102407136204268176gmailmsg">
--Adam (rm_work)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Mon, Jan 23, 2017, 18:38 Jiahao Liang (Frankie) &lt;<a href="mailto:gzliangjiahao@gmail.com" target="_blank">gzliangjiahao@gmail.com</a>&gt; wrote:<o:p></o:p></p>
</div>
</div>
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">Hi community, <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I created a loadbalancer with a listener with protocol as "TERMINATED_HTTPS" and specified --default-tls-container-ref with a ref of secret container from Barbican.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">However, after I deleted the listener, the lbaas wasn't removed from the barbican container consumer list.<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<pre>
$ openstack secret container get http://192.168.20.24:9311/v1/containers/453e8905-d42b-43bd-9947-50e3acf499f4
+----------------+-----------------------------------------------------------------------------------------------------+
| Field          | Value                                                                                               |
+----------------+-----------------------------------------------------------------------------------------------------+
| Container href | http://192.168.20.24:9311/v1/containers/453e8905-d42b-43bd-9947-50e3acf499f4                        |
| Name           | tls_container2                                                                                      |
| Created        | 2017-01-19 12:44:07+00:00                                                                           |
| Status         | ACTIVE                                                                                              |
| Type           | certificate                                                                                         |
| Certificate    | http://192.168.20.24:9311/v1/secrets/bfc2bf01-0f23-4105-bf09-c75839b6b4cb                           |
| Intermediates  | None                                                                                                |
| Private Key    | http://192.168.20.24:9311/v1/secrets/c85d150e-ec84-42e0-a65f-9c9ec19767e1                           |
| PK Passphrase  | None                                                                                                |
| <b>Consumers      | {u'URL': u'lbaas://RegionOne/loadbalancer/5e7768b9-7aa9-4146-8a71-6291353b447e', u'name': u'lbaas'}</b> |
</pre>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I went through the neutron-lbaas code base. We did register consumer during the creation of "TERMINATED_HTTPS" listener in [1]. But we somehow don't deregister it during the deletion in [1]: <a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/services/loadbalancer/plugin.py#L642" target="_blank">https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/services/loadbalancer/plugin.py#L642</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">get_cert() registers lbaas as a consumer for barbican cert_manager. (<a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L177" target="_blank">https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L177</a>)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">[2]: <a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/services/loadbalancer/plugin.py#L805" target="_blank">https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/services/loadbalancer/plugin.py#L805</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">We probably need to call delete_cert from barbican cert_manager to remove the consumer. (<a href="https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L187" target="_blank">https://github.com/openstack/neutron-lbaas/blob/stable/mitaka/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L187</a>)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">My questions are:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">1. is that a bug?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2. or is it an <span class="m3954780794741139961m6721743541969961784gmail-m-2102407136204268176gmailmsg1"><span style="font-family:Arial">intentional </span></span>design letting the vendor driver handle it?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">It looks more like a bug to me.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Any thoughts?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Best,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Jiahao<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<div>
<div>
<div>
<div style="margin-bottom:6.0pt">
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" style="padding:.75pt .75pt .75pt .75pt"></td>
<td valign="top" style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><span class="m3954780794741139961m6721743541969961784gmail-m-2102407136204268176gmailmsg1"><b><span style="font-size:10.0pt;font-family:"MS Mincho";color:navy;background:white">梁嘉豪</span></b></span><span class="m3954780794741139961m6721743541969961784gmail-m-2102407136204268176gmailmsg1"><b><span style="font-size:10.0pt;font-family:"palatino","serif";color:navy;background:white">/Jiahao
LIANG (Frankie) </span></b></span><b><span style="font-size:10.0pt;font-family:"palatino","serif";color:navy;background:white"><br>
</span></b><span style="font-family:Arial"><br>
<span class="m3954780794741139961m6721743541969961784gmail-m-2102407136204268176gmailmsg1">Email: </span><a href="mailto:gzliangjiahao@gmail.com" target="_blank">gzliangjiahao@gmail.com</a><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal">__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">
OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><o:p></o:p></p>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Andrey Grebennikov <o:p></o:p></p>
<div>
<p class="MsoNormal">Principal Deployment Engineer<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Mirantis Inc, Austin TX<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
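<p class="MsoNormal">The split proposed in the thread (register_consumer()/remove_consumer() for reference tracking, delete_cert() only for destruction), sketched as an added example that is not part of any message above and is not neutron-lbaas or Barbican code. The class names, the in-memory store and the rule that delete_cert() refuses while consumers remain are assumptions of the sketch; the consumer URL format follows the output quoted in the thread.<o:p></o:p></p>

```python
import abc


class CertManager(abc.ABC):
    """Hypothetical interface: reference tracking is separate from destruction."""

    @abc.abstractmethod
    def register_consumer(self, cert_ref, consumer_url): ...
    @abc.abstractmethod
    def remove_consumer(self, cert_ref, consumer_url): ...
    @abc.abstractmethod
    def delete_cert(self, cert_ref): ...


class InMemoryCertManager(CertManager):
    """Constructed stand-in for a store where delete_cert() is a true delete."""
    def __init__(self):
        self.certs = {}      # cert_ref -> PEM text
        self.consumers = {}  # cert_ref -> set of consumer URLs

    def store_cert(self, cert_ref, pem):
        self.certs[cert_ref] = pem
        self.consumers[cert_ref] = set()

    def register_consumer(self, cert_ref, consumer_url):
        self.consumers[cert_ref].add(consumer_url)  # KeyError if cert is unknown

    def remove_consumer(self, cert_ref, consumer_url):
        # Idempotent, so a repeated deregistration cannot fail the delete path.
        self.consumers.get(cert_ref, set()).discard(consumer_url)

    def delete_cert(self, cert_ref):
        # Assumption of this sketch: never destroy a cert that is still referenced.
        if self.consumers.get(cert_ref):
            raise RuntimeError("cert %s still has consumers" % cert_ref)
        self.certs.pop(cert_ref, None)
        self.consumers.pop(cert_ref, None)


def lbaas_consumer_url(lb_id, region="RegionOne"):
    return "lbaas://%s/loadbalancer/%s" % (region, lb_id)


def demo():
    m = InMemoryCertManager()
    m.store_cert("container-1", "constructed placeholder, not a real PEM")
    for lb in ("lb-a", "lb-b"):
        m.register_consumer("container-1", lbaas_consumer_url(lb))
    # Listener on lb-a is deleted: only its reference goes away.
    m.remove_consumer("container-1", lbaas_consumer_url("lb-a"))
    try:
        m.delete_cert("container-1")
        blocked = False
    except RuntimeError:
        blocked = True
    return "container-1" in m.certs, sorted(m.consumers["container-1"]), blocked
```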
</body>
</html>