21:05:04 <strigazi> #startmeeting containers
21:05:05 <openstack> Meeting started Tue Aug  7 21:05:04 2018 UTC and is due to finish in 60 minutes.  The chair is strigazi. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:05:06 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
21:05:08 <openstack> The meeting name has been set to 'containers'
21:05:16 <strigazi> #topic Roll Call
21:05:27 <strigazi> o/
21:05:31 <colin-> greetings
21:05:33 <canori01> o/
21:05:55 <imdigitaljim> o/
21:06:01 <strigazi> #topic Announcements
21:06:19 <imdigitaljim> wb strigazi :)
21:06:56 <imdigitaljim> been working on keystone auth/rbac on clusters
21:07:05 <strigazi> Since I was having a look, to avoid problems when login in to Freenode and openstack channels, you can add a wait after the identify cmd
21:07:10 <strigazi> imdigitaljim: :)
21:07:12 <imdigitaljim> started some cleanup
21:07:27 <strigazi> I have one more announcement:
21:07:52 <strigazi> python-magnumclient 2.10.0 is out and the rocky branch is cut
21:08:40 <strigazi> we still have freedom to add things to rocky, it is on the project, but we had to cut the branch to sync constraints and requirements with all OS projects
21:08:57 <strigazi> Questions about that?
21:09:03 <imdigitaljim> nope
21:09:04 <imdigitaljim> sounds godo
21:09:11 <imdigitaljim> good*
21:09:22 <colin-> no
21:09:25 <strigazi> cool
21:09:29 <strigazi> #topic Blueprints/Bugs/Ideas
21:09:35 <cbrumm> o/
21:09:42 <strigazi> imdigitaljim: since you started, please continue
21:09:51 <strigazi> cbrumm: o/
21:10:27 <cbrumm> sorry, I was just saying I'm late but here
21:10:33 <imdigitaljim> sure, our org is getting permissions to contribute to k8s org and we'll be making a few upstream changes for magnum to take advantage of for kubernetes created resources and some keystone/rbac cluster usage
21:10:37 <markguz_> imdigitaljim: yeah i know. but i'm not sure why
21:10:39 <cbrumm> bad timing to raise my hand
21:10:44 <strigazi> cbrumm: no worries :)
21:11:14 <imdigitaljim> markguz: are you making an api call/cli/ui?
21:11:37 <canori01> I'm looking forward to the keystone rbac usage
21:11:45 <markguz_> imdigitaljim: running "openstack coe cluster config <clustername>"
21:12:41 <strigazi> They only part I have to work a bit was kubeconfig, the rest is working
21:13:12 <strigazi> markguz_: could we tell kubectl to execute openstack token issue in kubeconfig?
21:14:43 <strigazi> I was using kubectl like so: kubectl --token=$(openstack token issue --format json | jq .id -r) --kubeconfig=config get po -n kube-system
21:15:13 <imdigitaljim> ive got it where a user can access the cluster using os credentials on another machine with mainly just the ca of the cluster
21:15:18 <strigazi> The plan is add a param to cluster config to generate the appropriate output right?
21:16:11 <strigazi> like this: http://paste.openstack.org/show/727576/ ?
21:16:29 <strigazi> imdigitaljim: ^^
21:17:18 <imdigitaljim> using this approach https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-client-keystone-auth.md
21:17:48 <strigazi> imdigitaljim: you used the extra binary?
21:17:54 <imdigitaljim> i have so far
21:18:16 <strigazi> this binary client-keystone-auth
21:18:26 <imdigitaljim> yes
21:18:59 <strigazi> with the kubeconfig I pasted and the cmd above you don't need another binary
21:19:28 <imdigitaljim> ill try it out
21:19:37 <strigazi> for CERN and maybe other orgs using osc means kerberos auth
21:20:37 <strigazi> markguz_: imdigitaljim for keystone/authNZ what do you plan to add?
21:21:39 <imdigitaljim> flwang: proposed some stuff so far
21:21:39 <markguz_> strigazi: i've stumbled on here in the middle of your meeting. I'm not involved in the meeting sorry
21:22:00 <imdigitaljim> going to see what i finish with and compare notes
21:22:11 <strigazi> markguz_: np
21:22:32 <strigazi> imdigitaljim: ok cool
21:23:30 <strigazi> imdigitaljim: Do you want to add anything else? About the roles for master nodes etc
21:23:47 <imdigitaljim> also
21:23:55 <imdigitaljim> i tested that config
21:23:56 <imdigitaljim> WARNING: in-tree openstack auth plugin is now deprecated. please use the "client-keystone-auth" kubectl/client-go credential plugin instead
21:24:16 <imdigitaljim> longterm we'll be moved out of tree
21:24:34 <strigazi> the one I shared?
21:24:37 <imdigitaljim> yes
21:24:49 <imdigitaljim> for v1.11.0
21:24:59 <imdigitaljim> it worked but its appears to be deprecated?
21:25:04 <strigazi> I tried with 1.10 I think
21:25:41 <imdigitaljim> but because of the oot we might have to use the binary
21:25:46 <strigazi> since you are investigating, can you check if and how we could use OSC instead of client-keystone-auth
21:25:58 <imdigitaljim> yeah ill keep investigated
21:26:02 <imdigitaljim> investigating*
21:26:31 <imdigitaljim> the binary doesnt even do that much
21:26:46 <imdigitaljim> anyways thats all for me
21:27:13 <strigazi> Thanks
21:28:09 <strigazi> For me, I'm trying to finish with flwang the changes to use 1.11.x, a minor bug for multimaster
21:28:45 <strigazi> the proper tls certs for the serviceaccount, I required quite some digging to find the root cause.
21:28:51 <strigazi> the proper tls certs for the serviceaccount, It required quite some digging to find the root cause.
21:29:43 <strigazi> Also this week, I'm adding kube-proxy to the master nodes plus missing parameter for kube-proxy.
21:30:04 <strigazi> kube-proxy needs --cluster-cidr to be set to the pod-cidr
21:30:55 <strigazi> for pods with host-network it required so that they can resolve other pod IPs eg the coredns pod
21:30:56 <imdigitaljim> since you're doing those pieces please checkout https://review.openstack.org/#/c/589214/
21:31:40 <imdigitaljim> otherwise i can push the master kube-proxy shortly as well
21:32:12 <strigazi> imdigitaljim: I was also thinking about this: https://review.openstack.org/#/c/589214/3/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh@131
21:32:51 <imdigitaljim> what about it?
21:33:11 <strigazi> I like, to clean the parameters.
21:33:15 <strigazi> I like it, to clean the parameters.
21:33:18 <imdigitaljim> yeah definitely
21:33:37 <imdigitaljim> i plan to "cleanup" each file with a heavy pass
21:33:41 <imdigitaljim> then a final pass with small changes
21:33:54 <imdigitaljim> but mostly for readability and not really any functional changes
21:34:09 <strigazi> we also need to use as much as possible the params in kubecofig, in 1.11 many params are deprecated
21:34:19 <imdigitaljim> yeah did you see the bottom
21:34:33 <imdigitaljim> https://review.openstack.org/#/c/589214/3/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh@288
21:34:45 <imdigitaljim> staging that here for later
21:35:02 <imdigitaljim> so we can collectively validate it works
21:35:55 <strigazi> ok, I think we can add kube-proxy first and then add the heavy patches
21:36:16 <imdigitaljim> if you want, i can provide them as part of the updates
21:36:34 <strigazi> in the same commit you mean?
21:36:47 <imdigitaljim> no we'll do this one, then my next one is make-cert.sh as a cleanup
21:36:54 <imdigitaljim> then the kube-proxy patch
21:37:07 <strigazi> ok
21:37:13 <strigazi> I
21:37:21 <imdigitaljim> i have them ready to go just need them pushed incrementally
21:37:22 <strigazi> I'll test tomorrow then
21:37:28 <imdigitaljim> yeah that'd be great
21:37:50 <strigazi> I left for a weak and found my devstack env dead...
21:37:56 <imdigitaljim> oh no!
21:38:17 <strigazi> not a big deal, super annoying
21:38:27 <imdigitaljim> yeah that might take a bit to recover
21:38:38 <colin-> probably run better in docker containers as k8s deployments ;)
21:38:47 <strigazi> imdigitaljim: never recover devsstack, only replace
21:39:09 <imdigitaljim> sure, i just mean get back to operational :p
21:39:11 <strigazi> colin-: :)
21:40:02 <canori01> For me, regarding the work I've been doing to fix the CoreOS driver, I found this story: https://storyboard.openstack.org/#!/story/1490334. So I pinged yatin and he said I could take the story. Would you be able to reassign it strigazi?
21:40:05 <strigazi> also, I'll push the changes for in-place upgrades to have them in rocky, to see how we can move forward.
21:40:51 <strigazi> canori01: you are Rick Cano?
21:40:58 <canori01> yeah
21:41:10 <strigazi> assinged
21:41:29 <canori01> Ricardo actually, but I go by rick :D
21:41:29 <strigazi> fyi, you appear two times in storyboard
21:42:12 <canori01> I'm not sure why that is
21:42:41 <strigazi> speaking of coreos and atomic, I'm in flocktofedora.org seeking answears for our future with fedora atomic
21:42:52 <canori01> Other than that, I would just need reviews on that change https://review.openstack.org/#/c/579026/6
21:43:30 <strigazi> canori01: I'll do my best to test it
21:43:32 <imdigitaljim> strigazi: great, please keep us posted
21:43:51 <canori01> strigazi: is that regarding the RedHat acquisition of coreos?
21:44:39 <strigazi> canori01: we don't actually care about the acquisition, but coreos and fedora atomic will become Fedora Core
21:45:01 <canori01> ah, yes. that will be interesting
21:45:36 <strigazi> the only certain thing is that instead of gentoo builds they will do builds with rpms
21:45:51 <strigazi> let's see
21:46:44 <strigazi> imdigitaljim: feel free to push a patchset to https://review.openstack.org/#/c/582955/ to take it in
21:48:02 <strigazi> We have concensus on the solution, I'm not pushing to minimize the patches that I approve and contribute too
21:48:33 <imdigitaljim> wonderful
21:48:34 <imdigitaljim> i will
21:49:31 <strigazi> Before we start to wrap, Just a question
21:50:18 <strigazi> imdigitaljim: do you use fedora atomic? (if you can answer)
21:50:45 <strigazi> canori01: You have evaluated both coreos and fedora atomic?>
21:50:57 <imdigitaljim> yes, as we sit right now its fedora atomic
21:51:01 <canori01> strigazi: yes, I have
21:52:18 <strigazi> canori01: You have selected coreos?
21:53:17 <canori01> Well, my organization has. If it were up to me personally, I would use either
21:53:41 <strigazi> canori01: yeap, I get it
21:54:10 <strigazi> @all Anything else?
21:54:22 <colin-> nope
21:54:27 <canori01> nope
21:56:13 <strigazi> Thanks for joining the meeting everyone, see you indentified with your nick in #openstack-contianers :)
21:56:36 <colin-> ttyl
21:56:48 <strigazi> #endmeeting