15:00:54 <mattmceuen> #startmeeting airship 15:00:55 <openstack> Meeting started Tue Mar 3 15:00:54 2020 UTC and is due to finish in 60 minutes. The chair is mattmceuen. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:56 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:00:58 <openstack> The meeting name has been set to 'airship' 15:01:02 <mattmceuen> #topic Rollcall 15:01:04 <Connoreika> o/ 15:01:08 <aaronsheffield> o/ 15:01:09 <howell> o/ 15:01:09 <mattmceuen> o/ everyone and good morning/evening! 15:01:11 <seaneagan> o/ 15:01:14 <nishantkr> o/ 15:01:17 <michael-beaver> o/ 15:01:18 <mattmceuen> Here's our agenda: https://etherpad.openstack.org/p/airship-meeting-2020-03-03 15:01:26 <dwalt> o/ 15:01:39 <alexanderhughes> o/ 15:01:54 <jamesgu> o/ 15:02:15 <airshipbot> <alex.bailey.1> o/ 15:02:29 <mattmceuen> Ok, let's get started: 15:02:33 <mattmceuen> #topic KubeCon update 15:02:46 <mattmceuen> First, a follow-up to kubecon discussion last week 15:03:11 <mattmceuen> Unfortunately, AT&T yesterday announced a hold on all international travel, so it joins Ericsson in that boat 15:03:13 <jemangs> o/ 15:03:23 <mattmceuen> And others will probably follow suit 15:03:32 <Connoreika> %( 15:03:36 <roman_g> o/ 15:03:48 <mattmceuen> So we will be forgoing the in-person meeting at KubeCon, sadly 15:03:53 <Connoreika> We dont follow. 15:04:19 <mattmceuen> We were planning on having an Airship Meetup in KubeCon during the summit 15:04:29 <mattmceuen> to hash through some design topics etc face to face 15:04:31 <Connoreika> i saw that 15:04:42 <mattmceuen> ok cool :) 15:05:03 <mattmceuen> We do still plan to have a strong PTG session at the open infra / PTG conference in Vancouver 15:05:40 <mattmceuen> In addition, we'd like to set up a "virtual meetup" for Airship around the same time as KubeCon, so we can have the same discussion we would have had, over telepresense 15:05:56 <mattmceuen> so please stay tuned for more info on that! 15:05:59 <Connoreika> Thats cool! 15:06:09 <mattmceuen> Yeah agree :) 15:06:09 <Connoreika> Zoom? 15:06:45 <mattmceuen> good question; zoom or webex or something similar 15:06:46 <roman_g> Zoom, WebEx, whatever. 15:06:58 <Connoreika> Cool 15:07:20 <mattmceuen> Anything else on this one before moving on? 15:07:28 <pramchan63> link #https://etherpad.openstack.org/p/airship-kubecon-amsterdam 15:07:38 <mattmceuen> let's deprecate that link please 15:07:40 <Connoreika> So we are not going on kubecon? 15:07:49 <pramchan63> OK 15:07:50 <mattmceuen> since airship will not be at kubecon in amsterdam 15:08:28 <mattmceuen> Connoreika: AT&T and E/// will not be, but I can't speak for all corporations -- last I heard the conference is still going to happen 15:08:43 <Connoreika> Vancouver is much more expensive than Amsterdam %) 15:09:30 <mattmceuen> I was looking forward to seeing amsterdam too, never been there. Oh well, can't complain given the global situation 15:09:38 <Connoreika> Ok, sorry that interrupted, lets move on. 15:09:43 <mattmceuen> Ok, next topic: 15:09:46 <mattmceuen> no worries :) 15:09:51 <mattmceuen> #topic Slack<-> IRC sync'ing 15:09:59 <mattmceuen> Another follow up from last week 15:10:13 <Connoreika> Why do we need it to be synced? 15:10:57 <mattmceuen> There are some folks who are interested in joining through slack instead of the IRC client, and slack is the norm in the CNCF world 15:11:04 <mattmceuen> on the other hand, IRC has a lot of benefits too 15:11:18 <mattmceuen> so I was going to look into ways to use both and mirror the conversation 15:11:45 <mattmceuen> I put together a rough helm chart for one of them and am currently running it off my laptop 15:11:48 <mattmceuen> o/ airshipbot 15:12:03 <roman_g> We have had Slack previously, it didn't work out. Conversation sync could help, though. 15:12:08 <mattmceuen> My scrum master has joined from slack world as well 15:12:29 <airshipbot> <aw442m> I exist in both worlds 15:12:41 <mattmceuen> Yeah, I think the reason it didn't work out was that it was run kind of ad-hoc; that's why I wanted to have dependable k8s orchestration of it 15:12:43 <pramchan63> which workspace in slack with which github - the sync? 15:12:44 <airshipbot> <aw442m> this is dwalt btw 15:12:49 <howell> which slack channel is that? 15:13:13 <mattmceuen> pramchan63: it's the "airshipproject" workspace in slack 15:13:30 <mattmceuen> I haven't made a push to invite everyone because I'm waiting to get it running somewhere besides my laptop :) 15:13:40 <mattmceuen> as it is not open 24 hours a day 15:14:38 <mattmceuen> Once we have a lab up and running (there are a couple in progress) then we can home the bot there permanently, otherwise I'll plan get it running on my home machine as a stopgap 15:15:17 <mattmceuen> Here's the chart, which links to the tool itself: https://github.com/mattmceuen/slack-irc-chart 15:15:28 <mattmceuen> That's all I had on this one. Any questions? 15:15:55 <roman_g> Nope. Thanks, Matt. 15:15:58 <Connoreika> Dont like slack. I like discord and telegram %) 15:16:03 <mattmceuen> That's fair 15:16:03 <dwalt> Thanks for working on this Matt 15:16:09 <Connoreika> :) 15:16:29 <mattmceuen> If you'd like to integrate with those tools as well, that would be great Connoreika :) the more bots the merrier 15:17:04 <mattmceuen> #topic airshipctl non-descriptive variables 15:17:13 <Connoreika> Im too stupid to write asuch a bot :) 15:17:14 <mattmceuen> (ie: https://opendev.org/airship/airshipctl/src/branch/master/pkg/config/cmds.go#L26) use of single letter, or two letter variables 15:17:30 <mattmceuen> it may already exist, who knows! 15:17:47 <mattmceuen> alexanderhughes: I think this one is yours! 15:18:55 <alexanderhughes> just a gentle suggestion, we have more and more developers joining the project daily. as they try to get up to speed making code easy to read I think is valuable. when we are initializing variables as things like "o" or "fo" it makes code more difficult to read, resulting in more frequent tracebacks to where the variable was initialized and what it is supposed to mean 15:19:25 <howell> so this is something that's pretty typical in go code 15:19:39 <howell> the rule in general is that the longer a variable is in use, the longer its name should be 15:19:41 <howell> but, 15:19:45 <mattmceuen> I mean the language is called "go" ;-) 15:19:53 <howell> I agree that it could get confusing 15:19:58 <mattmceuen> that's only one g better than o 15:20:31 <mattmceuen> that's - an interesting convention - I'd never heard it before, and kinda like the philosophy 15:20:38 <howell> I have no issue with disregarding the above rule. It's a bit weird anyway 15:21:08 <mattmceuen> yeah, "options" wouldn't be that many more keystrokes 15:21:10 <howell> mattmceuen: it makes sense at first 15:21:12 <alexanderhughes> there's no line limit length in go, so extra characters to make things clear would be helpful - especially for things we're passing in like func RunGetAuthInfo(o *AuthInfoOptions, out io.Writer, airconfig *Config) error { 15:21:12 <alexanderhughes> o here, to me should be something like authOptions 15:21:50 <alexanderhughes> throw away variables like when looping for i:=0, but things that are important to the function would be nice to be more legible 15:22:13 <mattmceuen> I think that's a very fair public service announcement, and a good thing to keep in mind as developers 15:22:20 <howell> ^This makes a lot of sense to me 15:22:27 <howell> specifically for function parameters 15:22:34 <howell> that will appear in documentation 15:22:36 <mattmceuen> ++ 15:22:52 <Connoreika> + with Alexander 15:23:16 <alexanderhughes> in any case that's my rant, I want to make things as easy as they can get for code reviewers, and for onboarding new developers. you may see a patchset from me here soon acting on that rant if the community is okay with more verbose variables 15:23:27 <mattmceuen> lol 15:23:46 <mattmceuen> no objections here, as long as we don't go to the other extreme 15:23:56 <howell> I think we can be a bit lax with variables declared within a functoin, but certainly any variable that is exposed should be more descriptive 15:24:01 * mattmceuen shudders and remembers iphone programming APIs 15:24:09 <alexanderhughes> yeah I'm not implementing authInfoOptionsForFunctionXonLineNumberTwentySevenUsedOnlyOneTime 15:24:28 <howell> lol or java. Get yourself a JavaBeanFactoryFactory 15:24:31 <alexanderhughes> but I think just a few more chars on most of these vars would be helpful 15:24:44 <roman_g> alexanderhughes: would you submit a patch to coding conventions in docs repo? Then we can add devs who do Go development work to +2/+1 it and collect feedback. 15:24:57 <alexanderhughes> roman_g: 15:25:00 <alexanderhughes> yeah I can take this action 15:25:11 <mattmceuen> only thing I'd caution is, I'd suggest we call it a guideline instead of a rule 15:25:19 <roman_g> alexanderhughes: that would be very good. Thank you. 15:25:22 <mattmceuen> as I'm sure there are exceptions 15:25:40 <mattmceuen> yeah, thanks for bringing up alexanderhughes, good discussion 15:25:57 <mattmceuen> next topic: 15:26:04 <mattmceuen> #topic gate enhancement idea (alexanderhughes) 15:26:13 <mattmceuen> "make update-golden" to ensure tests are updated with test modifying changeset before code merges 15:26:13 <mattmceuen> https://review.opendev.org/#/c/710085/ for example does not modify config cmd "set-context" but when running make update-golden for new test addition unused test was removed 15:26:27 <roman_g> mattmceuen: Yes, coding guidelines, of course. Native exceptions are i,j,k,n,x,y,z in cycles, for an example. 15:26:45 <mattmceuen> roman_g: yep exactly 15:27:57 <alexanderhughes> so this was me as well. in our python projects such as Pegleg we implemented YAPF as a gate. basically ensuring that the code being submitted matched the formatting we expected with YAPF. I think a gate that did something similar ensuring that the test cases present in patch match what make update-golden would do (which updates the golden test data for each test) 15:28:31 <alexanderhughes> so that we don't have missing, or inaccurate tests for a future patchset. our tests are only valuable if they are up to date and accurate 15:28:37 <howell> I'm not sure I understand 15:28:39 <mattmceuen> alexanderhughes: we should be wary of things that use codebase to generate the expected output of the current codebase -- do we avoid a "the code does what the code does" scenario? 15:28:48 <howell> golden files are just the "expected" output from unit tests 15:29:18 <dwalt> Shouldn't the unit tests fail if the golden files are not updated? 15:29:28 <dwalt> In this case, it just appeared that we had an extra one 15:29:30 <alexanderhughes> so from the example patch here, https://review.opendev.org/#/c/710085/ there was no change to config command "set-context" but I did update a new unit test. when I ran make update-golden it modified set-context 15:29:43 <mattmceuen> Agree, I think golden output changes need to be intentional, to guard against output changes that are accidental (bugs) 15:29:44 <alexanderhughes> this should have happened in a previous patchset 15:29:45 <howell> the above PS is unique in that it is the first time that we have /removed/ a golden file 15:29:49 <pramchan63> Does removal of kubectl impact CI in Zuul? for testing 15:30:06 <howell> we should implement something to make sure there are no unused files 15:30:30 <alexanderhughes> I don't want to automatically update our codebase using zuul, I want to ensure that the tools we have to update are being run locally by devs and match expected results before merging 15:31:06 <dwalt> I think that's what howell is suggesting. Adding that check to the unit tests command 15:31:38 <alexanderhughes> that's fair, as the unit tests command is present in the gates 15:33:31 <alexanderhughes> any other opinions on this? 15:33:38 <Connoreika> nope 15:33:45 <howell> any idea on how to implement? 15:34:30 <howell> that's a detail, we can take that offline 15:34:46 <pramchan63> May be bring it to design call? 15:34:53 <alexanderhughes> at a high level sounds like we run make unit-tests to ensure current code matches test cases, then make update-golden to see if anything gets deleted after the tests have passed. if there is a deletion fail the make command and advise user to run make update-golden 15:35:14 <jtwill98> Unit test can be used to expose abandoned files in a report, but the team should take action to remove them with a PR. 15:35:41 <howell> alexanderhughes: that sounds like it should work 15:35:59 <mattmceuen> alexanderhughes: agree with that 15:36:07 <dwalt> that's a good idea 15:36:14 <dwalt> but then we need to add gate logic, right? 15:36:28 <dwalt> Since someone could unknowingly push without the updated golden files 15:36:38 <mattmceuen> pramchan63: sure, feel free to add to the design call agenda 15:36:40 <alexanderhughes> yes, the gate would have to run the logic above 15:36:46 <howell> dwalt: we could probably cram it all into the `unit-tests` target 15:36:48 <mattmceuen> but I think we can hash through it here (hopefully) 15:37:09 <dwalt> gotcha. So if some golden files get deleted, it just fails the test command? 15:37:22 <howell> that's what I would think 15:37:34 <alexanderhughes> we could move this into a new make command: test-and-update or similar. runs make unit-tests, runs make update-golden, searches for deletions, if present alert. update gate to use the new make target 15:37:42 <dwalt> Ok. That may be confusing to someone running locally, but it's better than having extra files. 15:38:15 <dwalt> Oh I like the new target idea alexanderhughes 15:38:36 <dwalt> That one gets run in the gate; dev can run make tests locally 15:38:53 <alexanderhughes> yes, gives granularity locally but achieves same end goal at the gate 15:39:10 <dwalt> awesome. Good idea 15:39:57 <alexanderhughes> +/- votes on implementation? would like to get an issue created to summarize our thoughts and track the work 15:40:03 <dwalt> +1 15:40:05 <mattmceuen> +1 15:40:13 <Connoreika> + 15:40:38 <alexanderhughes> great thanks all, I'll get an issue created shortly 15:40:48 <pramchan63> +1 15:41:07 <mattmceuen> awesome - ty alex 15:41:07 <alexanderhughes> if there's more discussion needed on this we can followup @ flight plan call tomorrow 15:41:09 <pramchan63> so I don't need this to be brought to design call? 15:41:23 <pramchan63> Ok 15:41:28 <mattmceuen> I think we reached consensus here, probably no need to bring it up there 15:41:43 <mattmceuen> Ok, moving on: 15:41:50 <mattmceuen> #topic baremetal renaming changes merging tomorrow (04-March) (alexanderhughes) 15:42:02 <mattmceuen> per Jaakko Kuuskoski during 03-March Airship design call 15:42:02 <mattmceuen> https://github.com/metal3-io/cluster-api-provider-baremetal/pull/268 15:42:02 <mattmceuen> https://github.com/metal3-io/metal3-dev-env/pull/239 15:42:03 <mattmceuen> https://github.com/metal3-io/metal3-io.github.io/pull/153 15:42:26 <alexanderhughes> just a quick announcement, Jaakko mentioned these are merging tomorrow during design call. just want to make sure anyone who wasn't present on that call has an opportunity to see it here 15:42:45 <mattmceuen> good idea. 15:43:28 <mattmceuen> The gist is that all the references to a generic "bare metal provider" are being renamed more specifically to "metal3 provider"-related naming 15:43:58 <mattmceuen> that will allow for the existance multiple bare metal providers 15:44:21 <pramchan63> namesapce change in capi from CAPBM to CAPM3 - noted 15:44:27 <howell> I think it's more clear too. this is a good change 15:44:49 <Connoreika> + 15:45:14 <mattmceuen> Alright, moving on unless there's anything else on this topic? 15:45:30 <mattmceuen> #topic: how i can put trusted root ca in pods of airsloop installation? (Connoreika) 15:45:47 <Connoreika> Yep 15:45:49 <mattmceuen> Connoreika's asked this a couple times in the chat, let's get him on the right direction: 15:45:59 <mattmceuen> I have MITM when i trying to download something from internet, and git doesn't want to clone repos. 15:46:17 <pramchan63> on metal3.io side it's still on hold? 15:46:30 <mattmceuen> This one is an airship 1 topic 15:46:49 <mattmceuen> Does anyone have a good reference at their fingertips for adding custom CAs to a deployment? 15:46:57 <dwalt> can you elaborate on what the man-in-the-middle is? A proxy server? 15:47:15 <pramchan63> you mean airsloop of airship 1.x 15:47:24 <Connoreika> No, its security team, they listen all the traffic in company. 15:48:16 <uzumaki> dwalt, yeah, the proxy server, sort of 15:48:16 <dwalt> Do you still have a direct connection to the internet? 15:48:52 <Connoreika> Yes, direct connection. But they change certs on fly. 15:49:00 <dwalt> Uzumaki: if it's a proxy server, do you know its address? And does it require a certificate? 15:49:27 <uzumaki> well, the thing with MITM is, it's principally hidden from the client and server 15:49:42 <Connoreika> No, its not proxy. 15:49:53 <uzumaki> It's like Server <... SSLA...> MITM <...SSLB...> Client 15:50:05 <mattmceuen> Have you seen this example doc, Connoreika?: https://github.com/airshipit/treasuremap/blob/master/site/seaworthy/secrets/certificates/certificates.yaml 15:50:08 <Connoreika> Yes. exactly. 15:50:32 <mattmceuen> That one defines the certs, CAs for the seaworthy site 15:51:01 <mattmceuen> That might not apply for the "armada reaching out" case though 15:51:10 <Connoreika> But im not shure what to put in that example and where? 15:51:15 <pramchan63> what does MITM mean ? #link https://airship-treasuremap.readthedocs.io/en/latest/airsloop.html 15:51:18 <mattmceuen> yeah, I retract that one 15:51:37 <uzumaki> pramchan63, Man-In-The-Middle, a way to snoop on SSL traffic 15:51:51 <Connoreika> And first problem is with armada :( 15:52:34 <pramchan63> thanks so question of avoiding attacks through proxy is causing issues 15:52:55 <Connoreika> No. 15:53:10 <Connoreika> I have a root ca cert. 15:53:38 <Connoreika> Usually, i put it into the host system, and cert, that security team become signed. 15:53:55 <Connoreika> And trusted 15:54:15 <Connoreika> Althow it's selfsigned. 15:54:29 <uzumaki> yeah, just like server BMC https certs 15:55:06 <Connoreika> But, when we setup airship, it's startind armada in pod, and in that pod, it's doing git clone. 15:55:31 <Connoreika> That pod, doesnt know anything about my selfsignet cert. 15:55:47 <pramchan63> i see 15:55:55 <Connoreika> So git clone - failed. Coz of fake cert. 15:56:14 <mattmceuen> is there any chance you can use a non-self-signed CA, e.g. letsencrypt? 15:56:41 <mattmceuen> I'm not sure this has been solved for within Airship unfortunately 15:56:48 <Connoreika> It's not me. Im in bank, and it's bank security team. 15:56:53 <mattmceuen> yeah, makes sense 15:56:54 <mattmceuen> hmm 15:57:22 <Connoreika> They listen that way alll the trafic from and to our bank. 15:58:07 <mattmceuen> lol I guess SSL is working as designed.. now I understand the MITM reference 15:58:20 <uzumaki> haha 15:58:51 <uzumaki> is there a way to force local git client to accept self-signed certs? 15:59:06 <mattmceuen> can the MITM use a CA that's has a chain of trust back to the root CAs maybe? I know that's probably outside your control 15:59:24 <dwalt> #link https://stackoverflow.com/questions/11621768/how-can-i-make-git-accept-a-self-signed-certificate 15:59:27 <dwalt> it appears so 15:59:28 <mattmceuen> We're out of time for the meeting, but let's please keep the conversation going here... 15:59:43 <mattmceuen> Requests for review: 15:59:44 <mattmceuen> https://review.opendev.org/#/c/711019/ - drydock, security alert for 2 CVEs relating to old packages 15:59:44 <mattmceuen> https://review.opendev.org/#/c/710085/ - remove kubectl subcommand from airshipctl 15:59:44 <mattmceuen> https://review.opendev.org/#/c/710469/ - refactor of airshipctl types to be golint compliant 15:59:45 <uzumaki> it can actually, but the thing is, going back to root ca might cost you a license 15:59:48 <Connoreika> What i do usually 15:59:51 <mattmceuen> Review on those please :) ^^ 15:59:58 <uzumaki> and on the flip side, that will make the MITM even more sneaky 16:00:02 <mattmceuen> #endmeeting