#openstack-containers log

09:00:26 <jakeyip> #startmeeting magnum
09:00:26 <opendevmeet> Meeting started Wed Aug 14 09:00:26 2024 UTC and is due to finish in 60 minutes.  The chair is jakeyip. Information about MeetBot at http://wiki.debian.org/MeetBot.
09:00:26 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
09:00:26 <opendevmeet> The meeting name has been set to 'magnum'
09:00:33 <jakeyip> #link https://etherpad.opendev.org/p/magnum-weekly-meeting
09:00:48 <jakeyip> #topic Roll Call
09:00:51 <jakeyip> o/
09:02:04 <dalees> o/
09:03:06 <jakeyip> let's start
09:03:21 <jakeyip> #topic Reviews
09:04:05 <jakeyip> 1 from me to fix bug I mentioned last week https://review.opendev.org/c/openstack/magnum/+/926143
09:05:46 <jakeyip> can do this when you have time
09:05:55 <jakeyip> dalees: anything reviews you want to push?
09:07:11 <dalees> nah, nothing in magnum for now.
09:07:30 <jakeyip> ok there's another thing I need more eyes on
09:08:31 <dalees> 926143 sounds like an important bug fix, though I don't understand how it resolves the issue yet. Perhaps I just need to sit down and try it out.
09:08:31 <jakeyip> there's a possible security regression with the secure-rbac work ricolin did. there are more info in the agenda
09:10:17 <jakeyip> dalees: I can explain it more, and it actually is linked to the possible security regression
09:11:10 <jakeyip> it's a bit complicated to follow because there are so many different pieces
09:12:04 <jakeyip> I had a fun time tracing it :D
09:17:43 <dalees> yeah i see. I wonder how this type of thing affects CAPI and app creds. The default in the driver is to create an app cred for the same project with the same roles.
09:19:28 <jakeyip> dalees: yeah I haven't looked into that part yet.
09:29:07 <jakeyip> dalees: something else I want to ask you, do you fork the helm charts?
09:29:21 <dalees> jakeyip: yep, we do.
09:29:57 <jakeyip> how do you do versioning?
09:30:24 <dalees> didnt' we discuss this a while back?
09:30:31 <jakeyip> sorry I forgot
09:30:41 <dalees> no worries :D
09:30:44 <jakeyip> do you do off Chart.yaml or git commit ?
09:31:05 <dalees> we tag like this `0.8.0+catalystcloud5` and push to our oci registry
09:31:16 <jakeyip> do you modify Chart.yaml ?
09:34:09 <dalees> seems not for our current pipelines
09:35:00 <jakeyip> I'm still in two minds, but I'm thinking modifying Chart.yaml is a better way for a repo with many charts
09:35:23 <jakeyip> examples are https://github.com/openstack/openstack-helm/blob/master/ceilometer/Chart.yaml and https://github.com/bitnami/charts/blob/main/bitnami/apache/Chart.yaml
09:36:22 <jakeyip> working off git commit like how stackhpc does it makes all charts have the same version. also the versioning logic is in the CI pipeline which is a big awkward for forking
09:36:25 <dalees> we only publish one chart, the  `openstack-cluster` one. The cluster-addons chart is a dependency of it, so it's built into the package.
09:37:25 <jakeyip> in your clusters, what's the version of cluster-addons ?
09:38:09 <dalees> I don't think it matters much, since it's loaded as "repository: file://../cluster-addons"
09:39:40 <jakeyip> yeah ok
09:39:45 <dalees> looks like it's `addons-0.1.0`
09:39:56 <jakeyip> yeah it'll never increment for you
09:40:38 <dalees> the changes appear though, they come in from 'helm dependency build`
09:40:51 <jakeyip> it's not a big deal
09:41:29 <jakeyip> I'm thinking what will be less confusing for users if they decide to fork `openstack/magnum-capi-helm-charts`
09:42:25 <jakeyip> I think maybe your CI checks out a fresh copy each time it builds openstack-cluster ?
09:42:35 <jakeyip> fresh copy of the git repo
09:43:09 <dalees> yup, it'll all match the git commit of the tag
09:44:22 <dalees> i can see how modifying Chart.yaml would be easier for forks
09:50:23 <jakeyip> yeah it's an incompatible change with how stackhpc does it, so I'm asking for opinions
09:50:39 <jakeyip> etc-defrag is the other one that will be changed
09:51:44 <jakeyip> a bit annoying if we do the Charts.yaml method and azimuth-cloud doesn't follow, then we are maintaining two different versions
09:51:58 <jakeyip> I don't want to split more
09:54:42 <jakeyip> anyway just stupid things. nothing from me
09:54:52 <jakeyip> we are almost at time, let me know if you need anything
10:07:42 <jakeyip> #endmeeting