09:00:43 <strigazi> #startmeeting magnum
09:00:43 <opendevmeet> Meeting started Wed Feb 16 09:00:43 2022 UTC and is due to finish in 60 minutes.  The chair is strigazi. Information about MeetBot at http://wiki.debian.org/MeetBot.
09:00:43 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
09:00:43 <opendevmeet> The meeting name has been set to 'magnum'
09:00:49 <strigazi> #topic Roll Call
09:00:52 <strigazi> o/
09:01:25 <oneswig> hi
09:02:24 <jakeyip> o/
09:02:25 <strigazi> mnasiadka: jakeyip: hello :)
09:02:33 <mnasiadka> o/
09:03:03 <bbezak> o/
09:03:04 <parallax> \o
09:03:22 <tobias-urdin> o/
09:03:36 <gbialas> o/
09:04:28 <strigazi> #topic Add Cluster API Kubernetes COE driver https://review.opendev.org/c/openstack/magnum-specs/+/824488
09:06:29 <oneswig> Only a couple of internal discussions on that at this end, unfortunately.  Not much progress
09:07:52 <strigazi> oneswig: Is there a first step we can start from? Are you stuck in something particular?
09:10:57 <strigazi> oneswig: I (or someone in our team) could help with the driver part, up to the point of talking to the kubernetes cluster running the CAPI controller
09:12:18 <oneswig> Another colleague has been working on an implementation (as part of other work), I'd hoped he would join last week, but I wasn't ehre
09:13:44 <oneswig> Appreciate the offer and I'll try to make connections
09:13:56 <strigazi> oneswig: ok, thanks
09:14:39 <strigazi> #topic Past Action Items
09:14:46 <strigazi> change the default hyperkube to the rancher build
09:15:12 <strigazi> I didn't manage to push the patch last week, I will do it today
09:16:04 <strigazi> #topic Pending Reviews
09:18:19 <strigazi> I'd need a second pair of eyes for "Mesos driver drop https://review.opendev.org/c/openstack/magnum/+/821213"
09:19:00 <jakeyip> LGTM, but I have questions - when we deprecate these should we start from client / API first?
09:19:14 <oneswig> I saw that the FC35 update has security implications (ie, people should do move off FC33).  Has that been publicised?
09:19:42 <jakeyip> oneswig: do you have a link for that?
09:20:19 <strigazi> jakeyip: For the mesos driver, I don't think we do any validations in the client
09:20:55 <strigazi> jakeyip: It's been some time that it didn't receive any patches and we sent an email in the ML
09:21:25 <oneswig> https://jfrog.com/blog/the-impact-of-cve-2022-0185-linux-kernel-vulnerability-on-popular-kubernetes-engines/
09:21:33 <jakeyip> thanks!
09:22:28 <jakeyip> strigazi: yeah for mesos I don't see anything in client, I am thinking generally, e.g. the related bay/baymodel drop
09:23:44 <strigazi> jakeyip: usually we log a warning on both api/client then drop
09:25:47 <jakeyip> then drop meaning one version later?
09:26:43 <strigazi> yes, but do we want to wait for another release?
09:28:26 <jakeyip> for mesos I was thinking dropping it at the API at https://github.com/openstack/magnum/blob/master/magnum/api/validation.py#L259-L260 first... which has the effect of not allowing new clusters, then the driver code will be effectively dead code and can be removed easily
09:29:18 <strigazi> jakeyip: so, in this release we change the validation and on the next one the rest of the code?
09:31:05 <jakeyip> seems safer to me, I don't have strong opinions.
09:31:16 <strigazi> ok
09:31:21 <strigazi> let's do that
09:31:48 <jakeyip> we can revisit if the code (e.g. tests) are preventing us from moving forward
09:31:59 <strigazi> For bay/baymodel, something similar?
09:32:25 <jakeyip> yeap
09:32:36 <strigazi> cool
09:32:40 <jakeyip> e.g. could do client this version https://review.opendev.org/c/openstack/python-magnumclient/+/803629
09:33:32 <strigazi> ok Let's log these as actions
09:34:02 <strigazi> #action change magnum/api/validation.py#L259-L260 to not allow mesos as a coe option
09:34:41 <strigazi> #action leave a comment to merge https://review.opendev.org/c/openstack/magnum/+/821213 in Z
09:35:00 <strigazi> #undo
09:35:00 <opendevmeet> Removing item from minutes: #action leave a comment to merge https://review.opendev.org/c/openstack/magnum/+/821213 in Z
09:35:05 <strigazi> #action leave a comment to merge https://review.opendev.org/c/openstack/magnum/+/821213 in Z+1
09:35:33 <strigazi> #action merge 803629: Drop bay and baymodel | https://review.opendev.org/c/openstack/python-magnumclient/+/803629 in Z
09:36:09 <strigazi> #action leave a comment to mere 803780: Drop bay and baymodel from controllers | https://review.opendev.org/c/openstack/magnum/+/803780 in Z+1
09:36:15 <strigazi> #undo
09:36:15 <opendevmeet> Removing item from minutes: #action leave a comment to mere 803780: Drop bay and baymodel from controllers | https://review.opendev.org/c/openstack/magnum/+/803780 in Z+1
09:36:20 <strigazi> #action leave a comment to merge 803780: Drop bay and baymodel from controllers | https://review.opendev.org/c/openstack/magnum/+/803780 in Z+1
09:37:00 <strigazi> #action change the default hyperkube to the rancher build
09:37:25 <strigazi> let's move to the rest of the list of reviews
09:40:26 <strigazi> For https://review.opendev.org/c/openstack/magnum/+/773923 and https://review.opendev.org/c/openstack/magnum/+/775793 I don't think there something to bring up
09:41:30 <strigazi> For         827089: security hardening - kube-hunter(KHV002) | https://review.opendev.org/c/openstack/magnum/+/827089 is safe to merge jakeyip ? we rely on the healthz of the apiserver to install all addons
09:42:34 <strigazi> if others can have a look it would be great
09:43:15 <strigazi> Finally, for 827668: fcos-k8s: Update to v1.22 | https://review.opendev.org/c/openstack/magnum/+/827668 we can merge
09:44:16 <strigazi> #topic Open Discussion
09:44:29 <strigazi> Anyone wants to bring something up?
09:44:49 <jakeyip> oh hm, need to hold that. I saw that the cluster state reports healthy, I did not realised the /heathz endpoint returns 401. I'll check
09:45:37 <strigazi> For the Z-PTL I'll send an email today. I hope we can change on the next release :)
09:46:04 <jakeyip> we have a couple of patches for quotas that we would like merge
09:46:04 <strigazi> jakeyip: where to you see the 401? in the conductor?
09:46:31 <strigazi> jakeyip: For the quotas patches, I'll have a look
09:47:27 <jakeyip> strigazi: 401 when I curl it as a normal client
09:47:51 <strigazi> jakeyip: that's exepcted, it's the goal of the pacth
09:47:53 <jakeyip> strigazi: thanks!
09:48:58 <strigazi> jakeyip: calls like this should work https://github.com/openstack/magnum/blob/master/magnum/drivers/common/templates/kubernetes/fragments/calico-service.sh#L4471
09:49:03 <strigazi> [ "ok" = "$(kubectl get --raw='/healthz')" ]
09:51:10 <jakeyip> ok, I was confused. I thought /healthz output updates cluster status.
09:52:00 <jakeyip> reading code now... I'll leave comment on the patch later
09:52:06 <strigazi> jakeyip: thanks
09:53:09 <strigazi> AOB?
09:54:15 <jakeyip> thanks for merging magnumclient robo patches, there are a couple more I will send them up after meeting, don't want to pollute the conversation
09:55:48 <strigazi> See you next week everyone
09:55:53 <strigazi> #endmeeting