08:00:13 <dalees> #startmeeting magnum
08:00:13 <opendevmeet> Meeting started Tue Aug 19 08:00:13 2025 UTC and is due to finish in 60 minutes.  The chair is dalees. Information about MeetBot at http://wiki.debian.org/MeetBot.
08:00:13 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
08:00:13 <opendevmeet> The meeting name has been set to 'magnum'
08:00:19 <dalees> #topic roll call
08:00:23 <dalees> hi jakeyip !
08:00:36 <dalees> do we have folk present for a meeting?
08:00:41 <jakeyip> o/
08:00:53 <jakeyip> I'm just here for a bit, apologies, waiting to board
08:01:27 <hemanth> o/
08:01:54 <dalees> jakeyip: oh, have a nice flight! you're off imminently?
08:01:59 <dalees> imminently
08:02:49 <jakeyip> yeah boarding soon lift off in 30 mins
08:03:35 <jakeyip> maybe we can just run thru "Propose credential refresh spec"?
08:04:03 <dalees> yeah, sure. keen to hear thoughts on that as we're progressing with implementation
08:04:12 <dalees> #topic credential refresh spec
08:04:17 <mnasiadka> o/
08:04:21 <mnasiadka> sorry for being late
08:04:30 <dalees> hi mnasiadka , welcome
08:04:45 <dalees> #link https://review.opendev.org/c/openstack/magnum-specs/+/955448
08:05:12 <jakeyip> one concern I have is that we'll need to wipe all traces of original app cred / trust in the cluster; else this will allow someone using this to get the old app cred and trust and essentially masquerade as the original user
08:05:47 <dalees> jakeyip: the implementation sends a delete to keystone for the old app cred, so it should be invalidated.
08:05:56 <mnasiadka> well, if the app cred is removed keystone API wise, so it should be fine
08:06:16 <mnasiadka> trusts - those are going to disappear together with Heat driver
08:06:34 <mnasiadka> (which reminds me to add removing trusts to the list of things we need to tell the users to do)
08:06:38 <dalees> yes, i've been meaning to make trusts a config option so they aren't created for most.
08:07:23 <jakeyip> does that require the implementation of reloader first, to make sure anything using the old app cred is kicked, before the app cred is deleted?
08:07:46 <mnasiadka> yes, we need to first reconfigure the app cred on the cluster, and then remove the old one
08:07:52 <mnasiadka> that's in the spec IIRC
08:08:23 <mnasiadka> dalees: I think the spec is fine, I commented some nits yesterday, but I'm fine merging without addressing my comments
08:08:41 <dalees> jakeyip: reloader patchset is up, but imho if you're rotating creds it's likely already invalid so you wouldn't break an app cred more, and the short time there's an invalid one in use isn't a big deal for reconciliation loops.
08:09:17 <dalees> mnasiadka: thank you, appreciate your review and thoughts. Matt and I will review your comments and possibly address.
08:09:43 <mnasiadka> My worry is - do you want to merge both spec and technical implementation this cycle?
08:10:06 <mnasiadka> Feature freeze is Aug 29
08:11:37 <dalees> mnasiadka: yes, but if that's too rushed for reviews then so be it, perhaps it can still be reviewed and only merge next cycle.
08:11:58 <mnasiadka> I'm fine with reviewing the code next week if we can merge the spec until end of this
08:12:15 <mnasiadka> So if you guys will be fast with responses, I think that's fine
08:12:42 <dalees> I've been reviewing Matt's draft implementation this week (with potential changes from spec in mind), and it's working well.
08:12:48 <mnasiadka> I still prefer to patch bugs next cycle and backport them, than to delay improvements ;)
08:13:41 <dalees> mnasiadka: yes, we will be fast on this topic to address reviews as we're actively looking to use it ourselves :)
08:14:07 <jakeyip> I've been out of the loop for this, so I won't raise any objections, as long as 2 cores think it's good to go, then go for it
08:14:51 <mnasiadka> Ok then, the other spec looks fine
08:15:07 <dalees> I do have one question though - there's an 'owner' field on Cluster - should this change when creds are refreshed?
08:15:48 <jakeyip> yeah I thought about that too, will be fair to assume it changes
08:15:53 <dalees> it feels like it should, but it has implications for keystone trusts i think - which we're not currently planning on rotating (as they aren't used in capi-helm driver)
08:16:27 <mnasiadka> I think if we can make owner change work in the process that's nice - I wouldn't worry about trusts - we're dropping Heat driver anyway
08:16:33 <jakeyip> I think I had the thought on whether we could just use a set of that field to trigger this and not have another api endpoint
08:16:49 <mnasiadka> And I'd like to drop it this cycle actually, or at latest beginning of next
08:17:33 <mnasiadka> well, with SLURP it needs to go next release
08:17:36 <dalees> jakeyip: the 'set' of fields is so awkward (i've been working to make some mutable - which won't make Flamingo). At this point I'd rather the PATCH endpoint
08:17:44 <jakeyip> hahaha
08:17:58 <jakeyip> yes, it's a hot mess
08:18:34 <jakeyip> I had a feeling I commented on all this somewhere but I couldn't find it! not sure if I was dreaming
08:18:35 <dalees> the implementation library leaks into the api too; yuck.
08:18:49 <dalees> jakeyip: maybe a draft somewhere.
08:19:57 <jakeyip> ok nothing for me
08:20:03 <dalees> mnasiadka: i'd also like to drop it; but we probably still need a way to manage (and delete!) old heat clusters for a little bit longer. out of tree is fine by me though.
08:20:12 <jakeyip> nothing else from me
08:21:01 <mnasiadka> dalees: we can drop the driver in SLURP release, which is G, not current (F) - so that's fine
08:21:12 <dalees> cool, then we'll merge the spec shortly and remove draft from the implementation patches this week.
08:21:24 <dalees> mnasiadka: ok, that's helpful to know.
08:22:16 <dalees> any other topics? I see a review we've discussed last week from hemanth
08:22:22 <mnasiadka> But I think it's time to stop testing, the version we're testing against is EOL
08:22:52 <mnasiadka> #link https://review.opendev.org/c/openstack/magnum/+/957709/10
08:22:53 <hemanth> dalees: it's more like a request to review, nothing to discuss
08:23:35 <hemanth> we agreed on the approach in the last meeting, so any reviews are appreciated when someone gets time
08:24:37 <dalees> hemanth: ack, yes i think we were ok on direction of the patch, just needs some eyes ( https://review.opendev.org/c/openstack/magnum-capi-helm/+/955984 )
08:24:51 <dalees> #topic reviews
08:24:57 <dalees> ^ belated topic change ;)
08:25:28 <hemanth> ok
08:25:32 <dalees> that covers hemanth's
08:26:05 <dalees> mnasiadka: want to discuss heat and testing? I see you're working on CI? (thank you!)
08:26:33 <mnasiadka> Yes, I'd like to drop testing of the Heat driver test-cluster job - it's breaking now, and version we're testing is EOL
08:27:14 <mnasiadka> I'm working on a CI job in magnum-capi-helm that would do the same using devstack-plugin-container for deploying the CAPI mgmt cluster - so that should be ready-ish soon
08:27:48 <mnasiadka> The same goes with the container images in https://hub.docker.com/u/openstackmagnum
08:27:55 <mnasiadka> (building and publishing new ones)
08:28:03 <dalees> as in; ready before flamingo releases?
08:28:18 <mnasiadka> That's my goal
08:29:08 <mnasiadka> It doesn't really help us that we have ever-failing CI jobs - and it doesn't make any sense to keep them running since 1.28 is EOL
08:29:31 <dalees> I know Heat is old, but not doing any cluster creations might leave us lacking if we don't have anything CAPI testing by Flamingo release. Perhaps there aren't many Magnum core changes to come in though.
08:30:38 <dalees> having said that I'm okay dropping them if we have a plan/timeline for the capi ones. I don't want to spend any time on the Heat ones
08:30:58 <mnasiadka> That was my intention - nobody wants to spend time on it.
08:32:32 <mnasiadka> Should I add a release note that we're dropping testing for Heat driver, since it's deprecated?
08:33:07 <dalees> Seems like a reasonable note to add
08:37:26 <opendevreview> Merged openstack/magnum-specs master: Propose adding Reloader to workload clusters.  https://review.opendev.org/c/openstack/magnum-specs/+/957191
08:38:13 <dalees> any other topics? we can end early if not
08:38:32 <mnasiadka> I'll add the note in some minutes and ping for reviews :)
08:38:32 <dalees> I assume jakeyip is now in flight
08:38:38 <mnasiadka> That's all from me
08:40:07 <dalees> thanks all for joining
08:40:10 <dalees> #endmeeting