21:03:29 #startmeeting containers 21:03:30 Meeting started Tue Nov 20 21:03:29 2018 UTC and is due to finish in 60 minutes. The chair is strigazi. Information about MeetBot at http://wiki.debian.org/MeetBot. 21:03:31 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 21:03:33 The meeting name has been set to 'containers' 21:03:44 #topi Roll Call 21:03:46 o/ 21:03:51 #topic Roll Call 21:04:02 o/ 21:04:02 o/ 21:04:30 o/ 21:04:32 o/ 21:05:18 #topic Stories/Tasks 21:05:45 tasks I added in the agenda: 21:05:48 #link https://wiki.openstack.org/wiki/Meetings/Containers#Agenda_for_2018-11-20_2100_UTC 21:06:06 1. Helm in k8s clusters 21:06:34 After some discussion in gerrit, we decided not to have the binary in the heat-agent 21:07:09 since the agent has specific purpose related to heat and versioning is complicated. 21:07:41 I implemented an alternative where a k8s job is deployed by the agent 21:08:15 The job runs in a minimal container which includes the helm bin 21:08:32 and this container is versioned with the helm verion 21:08:44 Does this make sense? 21:10:29 you mean running Helm as a pod on top of k8s cluster 21:10:30 ? 21:10:30 I'd like to see more, but yes it makes sense 21:10:59 one moment to dig the code. 21:13:15 Can't http://paste.openstack.org/raw/735868/ 21:13:18 Jim Bach proposed openstack/magnum master: Make providing a keypair optional https://review.openstack.org/590443 21:14:54 Since we create the role, we can leverage it deploy tiller. 21:15:15 In the same way we can deploy charts. 21:15:54 looks good, pretty straight forward . 21:16:01 What I need your input on though is the following. 21:16:28 The best practice of helm, is secure tiller with tls and one tiller per ns 21:17:39 I think it would make sense to have tiller configured in kube-system for us to deploy additional components, eg prometheus, sssd, node problem detector, k8s-keystone-auth and so on 21:19:16 And for users can deploy tiller in other namespaces, they shouldn't use the global tiller anyway and tiller in kube-system should have powers only there. 21:19:23 makes some sense? 21:19:41 yup 21:19:47 the default tiller sounds like a no-go to me 21:19:48 yes, split tillers are better I feel 21:20:01 no tls and admin access is pretty bad 21:21:04 on the other hand, if we use the job model I posted, we can deploy components with helm template && k apply -f 21:22:51 Enough with helm, we can continue on gerrit. let's mode on to upgrades. 21:23:56 2. We discusses briefly with flwang in Berlin about it, the work I've done I'll break it in four patches and move things: 21:24:30 a. patch for the API: https://review.openstack.org/#/c/514959/ 21:25:04 b. add the heat agent in all nodes: https://review.openstack.org/#/c/561858/ 21:25:57 c. part from https://review.openstack.org/#/c/561858/ to move most software configs in software deployments 21:26:24 d. final software deployment to upgrade the nodes: https://review.openstack.org/#/c/514960/ 21:26:41 looks good for me 21:26:54 This way it will be more review friendly and modular. 21:27:05 well "modular" 21:27:14 will check these out 21:27:56 and one last item from me 21:28:08 For k8s-keystone-auth 21:28:54 I discussed with Ricardo chaning the magnum client to produce a k8s-keystone-auth friendly kubeconfig, would that make sense? 21:29:08 strigazi: that would be great 21:29:11 I think so 21:29:14 openstack coe cluster config --keystone-auth 21:29:19 or similar 21:29:21 i will pick up that patch asap 21:29:28 --k8s-keystone-auth 21:29:38 strigazi: i love it 21:29:43 The question is, what would that be 21:29:51 the simplest way is: 21:30:25 http://paste.openstack.org/raw/735869/ 21:30:48 with the token encoded in kubeconfig. 21:31:02 it is very similar the the certs options 21:31:21 in that case you have everything in one file in the filesystem 21:31:37 would the user be adding their token to it or would the cli be filling that part in? 21:31:46 the clo 21:31:51 the cli 21:32:28 IMO the user should always do a single cmd. 21:32:48 so they have to get a new config when their token expires or edit it every time? 21:33:09 there is the option with the client in the cpo repo but at cern is a no-go due to the lack of kerberos. 21:33:36 imdigitaljim: every 24h at least for us. how long is for you? 21:34:11 i think the same 21:34:21 other options include getting a token per call. but user will hate it 21:34:26 I would 21:34:49 with certs in our cloud k8s replies in 70ms 21:35:05 with the token in kubeconfig in ~120ms 21:35:47 with the small script in exec to do a single openstack token issue it takes 1s 21:36:04 pythonclient speed levels... 21:36:34 http://paste.openstack.org/show/735870/ 21:36:37 this is what we do 21:36:58 (ive shared this in irc before) 21:37:06 and i would propose this as well 21:37:16 it works until the token expires, then users lose their minds and don't know what to do 21:37:59 that works too, I couldn'g find it :) 21:38:00 ^ not referring to what was pasted 21:38:13 hi, sorry i'm late 21:39:00 imdigitaljim: btw, mind me picking up https://review.openstack.org/#/c/577477/ ? 21:39:21 oh for sure 21:39:22 go for it 21:39:29 we've switched to a centos driver 21:39:35 flwang: thought of you when we came across this the other day https://github.com/kubernetes/kubernetes/pull/70398 in case it affects your implementation of ipvs 21:39:43 (it does ours) 21:39:44 that id like to shoot for putting it up by stein 21:39:58 ill try to have blueprint documents for everyone to review in the meantime 21:40:32 imdigitaljim: mainly to use a custom image? 21:40:33 its isolated from existing except https://review.openstack.org/#/c/615592/ https://review.openstack.org/#/c/615591/ https://review.openstack.org/#/c/590443/ 21:40:55 it can use upstream centos image 21:41:02 but yes we additionally customize it 21:41:08 colin-: thanks 21:41:36 how do you install k8s? 21:41:45 ill have it in the blueprints :D 21:42:21 imdigitaljim: for your adding clients patches, are you aware of the patch lingxian proposed? 21:42:24 in stories 21:42:33 to add a hook for deleting resources 21:42:57 which one particularly 21:44:07 https://review.openstack.org/#/q/owner:anlin.kong%2540gmail.com+status:merged 21:44:18 * https://review.openstack.org/#/q/owner:anlin.kong%2540gmail.com 21:45:01 imdigitaljim: https://review.openstack.org/497144 21:46:34 oh ok thats an okay PR but unnecessary 21:46:55 you can just make function calls in the delete section 21:46:58 ./shrug 21:47:14 imdigitaljim: we do know that 21:47:18 but yeah our driver is isolated from that 21:47:36 imdigitaljim: you better understand the whole picture 21:47:46 imdigitaljim: are you going to maintain the centos driver upstream? 21:47:51 there are some case we'd like to handle with a plugin approach 21:48:15 yeah id imagine so 21:48:30 especially if any of you were considering switching once weighing the pros/cons 21:48:37 imdigitaljim: is there any big difference between your driver and the upstream version? 21:48:41 much 21:48:57 its faster, easier to read, easier to maintain, less effort to operate 21:49:00 much is not a sound answer ;D 21:49:21 allows easy customization based on your needs 21:49:25 but anyway, just propose it as a v2 or something like that, so that we can review 21:49:37 yeah itll be just a standalone in the drivers folder 21:49:48 imdigitaljim: cool 21:49:52 ill throw up a blue print of design and explain things 21:50:09 imdigitaljim: that would be nice 21:50:26 or you can even do both in parallel 21:50:28 imdigitaljim: how fase? 21:50:31 imdigitaljim: how fast? 21:50:38 less than 3mins? 21:50:40 bootstraps in like 3 minutes 21:50:42 yeah 21:51:01 unless its spinning disk 21:51:02 i can't wait to see the code 21:51:07 which is like 6-8 21:51:27 we were talking about sharing it offline 21:51:29 sending a zip 21:51:35 to you both 21:51:45 if you're interested in an unofficial preview at some point 21:51:53 imdigitaljim: that works as well 21:52:27 the sooner the better we diverge. 21:52:34 the sooner the better we converge . :) 21:53:18 https://imgur.com/a/gTazcKl 21:53:30 kind of a layout 21:54:32 looks good, code please ;) 21:54:37 sounds good 21:55:40 also a side note as well, my wife is having a kid and ill be out about a month 21:55:55 but my colleagues will continue to meet 21:56:22 congrats first, then i would suggest sharing your code for review before your leaving 21:56:37 imdigitaljim: congratulations :) 21:58:46 We are reaching an hour, if there is anything else to discuss we can continue in the channel or tmr (tmr for me) 21:58:46 thanks@! 21:59:18 strigazi: i'm good 21:59:54 cool, thanks for joining the meeting guys 22:00:09 See you next week 22:00:24 see you all 22:00:43 imdigitaljim: congrats again 22:00:49 #endmeeting