21:05:04 #startmeeting containers
21:05:05 Meeting started Tue Aug 7 21:05:04 2018 UTC and is due to finish in 60 minutes. The chair is strigazi. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:05:06 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
21:05:08 The meeting name has been set to 'containers'
21:05:16 #topic Roll Call
21:05:27 o/
21:05:31 greetings
21:05:33 o/
21:05:55 o/
21:06:01 #topic Announcements
21:06:19 wb strigazi :)
21:06:56 been working on keystone auth/rbac on clusters
21:07:05 Since I was having a look, to avoid problems when logging in to Freenode and openstack channels, you can add a wait after the identify cmd
21:07:10 imdigitaljim: :)
21:07:12 started some cleanup
21:07:27 I have one more announcement:
21:07:52 python-magnumclient 2.10.0 is out and the rocky branch is cut
21:08:40 we still have freedom to add things to rocky, it is on the project, but we had to cut the branch to sync constraints and requirements with all OS projects
21:08:57 Questions about that?
21:09:03 nope
21:09:04 sounds godo
21:09:11 good*
21:09:22 no
21:09:25 cool
21:09:29 #topic Blueprints/Bugs/Ideas
21:09:35 o/
21:09:42 imdigitaljim: since you started, please continue
21:09:51 cbrumm: o/
21:10:27 sorry, I was just saying I'm late but here
21:10:33 sure, our org is getting permissions to contribute to k8s org and we'll be making a few upstream changes for magnum to take advantage of for kubernetes created resources and some keystone/rbac cluster usage
21:10:37 imdigitaljim: yeah i know. but i'm not sure why
21:10:39 bad timing to raise my hand
21:10:44 cbrumm: no worries :)
21:11:14 markguz: are you making an api call/cli/ui?
21:11:37 I'm looking forward to the keystone rbac usage
21:11:45 imdigitaljim: running "openstack coe cluster config "
21:12:41 The only part I have to work a bit was kubeconfig, the rest is working
21:13:12 markguz_: could we tell kubectl to execute openstack token issue in kubeconfig?
21:14:43 I was using kubectl like so: kubectl --token=$(openstack token issue --format json | jq .id -r) --kubeconfig=config get po -n kube-system
21:15:13 ive got it where a user can access the cluster using os credentials on another machine with mainly just the ca of the cluster
21:15:18 The plan is add a param to cluster config to generate the appropriate output right?
21:16:11 like this: http://paste.openstack.org/show/727576/ ?
21:16:29 imdigitaljim: ^^
21:17:18 using this approach https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-client-keystone-auth.md
21:17:48 imdigitaljim: you used the extra binary?
21:17:54 i have so far
21:18:16 this binary client-keystone-auth
21:18:26 yes
21:18:59 with the kubeconfig I pasted and the cmd above you don't need another binary
21:19:28 ill try it out
21:19:37 for CERN and maybe other orgs using osc means kerberos auth
21:20:37 markguz_: imdigitaljim for keystone/authNZ what do you plan to add?
21:21:39 flwang: proposed some stuff so far
21:21:39 strigazi: i've stumbled on here in the middle of your meeting. I'm not involved in the meeting sorry
21:22:00 going to see what i finish with and compare notes
21:22:11 markguz_: np
21:22:32 imdigitaljim: ok cool
21:23:30 imdigitaljim: Do you want to add anything else? About the roles for master nodes etc
21:23:47 also
21:23:55 i tested that config
21:23:56 WARNING: in-tree openstack auth plugin is now deprecated. please use the "client-keystone-auth" kubectl/client-go credential plugin instead
21:24:16 longterm we'll be moved out of tree
21:24:34 the one I shared?
21:24:37 yes
21:24:49 for v1.11.0
21:24:59 it worked but it appears to be deprecated?
21:25:04 I tried with 1.10 I think
21:25:41 but because of the oot we might have to use the binary
21:25:46 since you are investigating, can you check if and how we could use OSC instead of client-keystone-auth
21:25:58 yeah ill keep investigated
21:26:02 investigating*
21:26:31 the binary doesnt even do that much
21:26:46 anyways thats all for me
21:27:13 Thanks
21:28:09 For me, I'm trying to finish with flwang the changes to use 1.11.x, a minor bug for multimaster
21:28:45 the proper tls certs for the serviceaccount, I required quite some digging to find the root cause.
21:28:51 the proper tls certs for the serviceaccount, It required quite some digging to find the root cause.
21:29:43 Also this week, I'm adding kube-proxy to the master nodes plus missing parameter for kube-proxy.
21:30:04 kube-proxy needs --cluster-cidr to be set to the pod-cidr
21:30:55 for pods with host-network it is required so that they can resolve other pod IPs eg the coredns pod
21:30:56 since you're doing those pieces please checkout https://review.openstack.org/#/c/589214/
21:31:40 otherwise i can push the master kube-proxy shortly as well
21:32:12 imdigitaljim: I was also thinking about this: https://review.openstack.org/#/c/589214/3/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh@131
21:32:51 what about it?
21:33:11 I like, to clean the parameters.
21:33:15 I like it, to clean the parameters.
21:33:18 yeah definitely
21:33:37 i plan to "cleanup" each file with a heavy pass
21:33:41 then a final pass with small changes
21:33:54 but mostly for readability and not really any functional changes
21:34:09 we also need to use as much as possible the params in kubeconfig, in 1.11 many params are deprecated
21:34:19 yeah did you see the bottom
21:34:33 https://review.openstack.org/#/c/589214/3/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh@288
21:34:45 staging that here for later
21:35:02 so we can collectively validate it works
21:35:55 ok, I think we can add kube-proxy first and then add the heavy patches
21:36:16 if you want, i can provide them as part of the updates
21:36:34 in the same commit you mean?
21:36:47 no we'll do this one, then my next one is make-cert.sh as a cleanup
21:36:54 then the kube-proxy patch
21:37:07 ok
21:37:13 I
21:37:21 i have them ready to go just need them pushed incrementally
21:37:22 I'll test tomorrow then
21:37:28 yeah that'd be great
21:37:50 I left for a week and found my devstack env dead...
21:37:56 oh no!
21:38:17 not a big deal, super annoying
21:38:27 yeah that might take a bit to recover
21:38:38 probably run better in docker containers as k8s deployments ;)
21:38:47 imdigitaljim: never recover devstack, only replace
21:39:09 sure, i just mean get back to operational :p
21:39:11 colin-: :)
21:40:02 For me, regarding the work I've been doing to fix the CoreOS driver, I found this story: https://storyboard.openstack.org/#!/story/1490334. So I pinged yatin and he said I could take the story. Would you be able to reassign it strigazi?
21:40:05 also, I'll push the changes for in-place upgrades to have them in rocky, to see how we can move forward.
21:40:51 canori01: you are Rick Cano?
21:40:58 yeah
21:41:10 assigned
21:41:29 Ricardo actually, but I go by rick :D
21:41:29 fyi, you appear two times in storyboard
21:42:12 I'm not sure why that is
21:42:41 speaking of coreos and atomic, I'm in flocktofedora.org seeking answers for our future with fedora atomic
21:42:52 Other than that, I would just need reviews on that change https://review.openstack.org/#/c/579026/6
21:43:30 canori01: I'll do my best to test it
21:43:32 strigazi: great, please keep us posted
21:43:51 strigazi: is that regarding the RedHat acquisition of coreos?
21:44:39 canori01: we don't actually care about the acquisition, but coreos and fedora atomic will become Fedora Core
21:45:01 ah, yes. that will be interesting
21:45:36 the only certain thing is that instead of gentoo builds they will do builds with rpms
21:45:51 let's see
21:46:44 imdigitaljim: feel free to push a patchset to https://review.openstack.org/#/c/582955/ to take it in
21:48:02 We have consensus on the solution, I'm not pushing to minimize the patches that I approve and contribute too
21:48:33 wonderful
21:48:34 i will
21:49:31 Before we start to wrap, Just a question
21:50:18 imdigitaljim: do you use fedora atomic? (if you can answer)
21:50:45 canori01: You have evaluated both coreos and fedora atomic?
21:50:57 yes, as we sit right now its fedora atomic
21:51:01 strigazi: yes, I have
21:52:18 canori01: You have selected coreos?
21:53:17 Well, my organization has. If it were up to me personally, I would use either
21:53:41 canori01: yeap, I get it
21:54:10 @all Anything else?
21:54:22 nope
21:54:27 nope
21:56:13 Thanks for joining the meeting everyone, see you identified with your nick in #openstack-containers :)
21:56:36 ttyl
21:56:48 #endmeeting