Wednesday, 2019-02-27

*** sdake has quit IRC		00:00
*** sdake has joined #openstack-containers		00:03
*** sdake has quit IRC		00:05
*** sdake has joined #openstack-containers		00:06
*** sdake has quit IRC		00:10
*** henriqueof has quit IRC		00:15
*** sdake has joined #openstack-containers		00:33
*** sdake has quit IRC		00:59
*** _fragatina has quit IRC		01:14
*** itlinux has joined #openstack-containers		01:16
*** sdake has joined #openstack-containers		01:34
*** _fragatina has joined #openstack-containers		01:35
*** itlinux has quit IRC		01:36
*** sdake has quit IRC		02:09
*** sdake has joined #openstack-containers		02:09
*** mrodriguez has quit IRC		02:11
*** sdake has quit IRC		02:13
*** sdake has joined #openstack-containers		02:13
*** gyee has quit IRC		02:15
*** sdake has quit IRC		02:16
jakeyip	hi eandersson you around?	02:23
eandersson	yo	02:24
jakeyip	got a min to chat about that commit?	02:24
eandersson	sure	02:24
jakeyip	so, contents needs to be text	02:24
eandersson	ca_cert_contents?	02:24
jakeyip	all 3 of them, cos we are opening a tempfile with 'w+' mode	02:25
eandersson	but so decode will always change the file type to text	02:28
jakeyip	yes	02:28
eandersson	that is why you have the if statement there	02:28
eandersson	if it already text it will just leave it-as	02:29
eandersson	that is why you don't need six.u	02:29
jakeyip	OH. I know what you mean now	02:29
jakeyip	i left the six.u in accidentally. :(	02:30
eandersson	I would probably change magnum_key_contents and magnum_cert_contents	02:30
eandersson	to use the if version as well	02:30
jakeyip	yeah, no idea what I was doing	02:31
eandersson	actually can't you just move some of those up on top?	02:31
eandersson	e.g.	02:31
eandersson	> magnum_key_contents = magnum_cert.get_decrypted_private_key()	02:31
eandersson	looks like a dupe	02:31
*** rcernin has quit IRC		02:32
jakeyip	I could but the tests will have to change	02:32
eandersson	Yea nvm lets just fix it and make it better later :p	02:32
eandersson	Gonna log off but I'll check in later tonight	02:32
jakeyip	that was what I did originally but the tests test the number of calls	02:32
jakeyip	yeap, will fix this up. maybe even write a test	02:32
*** hongbin has joined #openstack-containers		02:38
*** sdake has joined #openstack-containers		02:42
*** hongbin has quit IRC		02:43
*** sdake has quit IRC		02:45
*** _fragatina has quit IRC		02:45
*** sdake has joined #openstack-containers		02:47
*** sdake has quit IRC		02:55
*** sdake has joined #openstack-containers		02:55
*** sdake has quit IRC		03:01
*** sdake_ has joined #openstack-containers		03:02
*** sdake_ has quit IRC		03:10
*** sdake has joined #openstack-containers		03:13
*** sdake has quit IRC		03:15
*** sdake has joined #openstack-containers		03:15
*** sdake has quit IRC		03:23
openstackgerrit	Feilong Wang proposed openstack/magnum master: Return instance ID of worker node https://review.openstack.org/639053	03:23
*** sdake_ has joined #openstack-containers		03:23
*** sdake_ has quit IRC		03:25
*** sdake has joined #openstack-containers		03:27
*** sdake has quit IRC		03:30
*** itlinux has joined #openstack-containers		03:31
*** sdake has joined #openstack-containers		03:31
*** sdake has quit IRC		03:35
*** sdake has joined #openstack-containers		03:36
*** sdake has quit IRC		03:44
*** sdake_ has joined #openstack-containers		03:44
*** sdake_ has quit IRC		03:51
*** sdake has joined #openstack-containers		03:52
*** sdake has quit IRC		03:55
*** ramishra has joined #openstack-containers		03:57
*** sdake has joined #openstack-containers		03:58
*** sdake has quit IRC		04:00
*** sdake_ has joined #openstack-containers		04:03
*** sdake_ has quit IRC		04:05
*** sdake has joined #openstack-containers		04:06
*** sdake has quit IRC		04:11
*** sdake_ has joined #openstack-containers		04:11
*** spsurya has joined #openstack-containers		04:15
*** sdake_ has quit IRC		04:17
*** ykarel has joined #openstack-containers		04:19
*** janki has joined #openstack-containers		04:33
*** _fragatina has joined #openstack-containers		04:52
*** itlinux has quit IRC		05:01
*** dave-mccowan has quit IRC		05:05
*** ricolin has joined #openstack-containers		05:21
*** ricolin has quit IRC		05:35
*** udesale has joined #openstack-containers		05:42
*** ramishra has quit IRC		05:43
*** ramishra has joined #openstack-containers		05:45
*** ykarel has quit IRC		05:54
*** ykarel has joined #openstack-containers		05:55
*** ramishra has quit IRC		05:55
*** ramishra has joined #openstack-containers		06:03
*** ivve has joined #openstack-containers		06:08
*** ttsiouts has joined #openstack-containers		06:53
*** ramishra has quit IRC		06:58
*** ramishra has joined #openstack-containers		07:01
*** ivve has quit IRC		07:17
*** belmoreira has joined #openstack-containers		07:25
*** ttsiouts has quit IRC		07:33
*** ttsiouts has joined #openstack-containers		07:34
*** ivve has joined #openstack-containers		07:34
*** ttsiouts has quit IRC		07:38
*** pcaruana has joined #openstack-containers		08:13
*** ttsiouts has joined #openstack-containers		08:25
*** pcaruana has quit IRC		08:28
*** ttsiouts has quit IRC		08:30
*** pcaruana has joined #openstack-containers		08:42
*** alisanhaji has joined #openstack-containers		08:42
*** pcaruana has quit IRC		08:51
openstackgerrit	Jake Yip proposed openstack/magnum master: python3 fix: decode binary cert data if encountered https://review.openstack.org/638336	08:52
*** flwang1 has joined #openstack-containers		08:55
flwang1	strigazi: around?	08:55
*** ttsiouts has joined #openstack-containers		08:55
*** pcaruana has joined #openstack-containers		08:58
*** pcaruana\|afk\| has joined #openstack-containers		09:01
*** pcaruana has quit IRC		09:03
strigazi	flwang1: yeap	09:07
strigazi	flwang1: we just upgraded magnum to rocky	09:07
strigazi	flwang1: testing keystone-auth	09:08
strigazi	flwang1: Then I'm pushing	09:08
*** ttsiouts has quit IRC		09:08
flwang1	cool, could you pls revisit https://review.openstack.org/623092 ?	09:08
flwang1	i would like to get it in asap	09:09
openstackgerrit	Feilong Wang proposed openstack/magnum master: Add server group for cluster worker nodes https://review.openstack.org/613825	09:09
*** ttsiouts has joined #openstack-containers		09:09
strigazi	flwang1: looking	09:09
flwang1	strigazi: and could you please review https://review.openstack.org/#/c/613825/ and https://review.openstack.org/639053	09:09
strigazi	https://review.openstack.org/613825 +2	09:10
*** ivve has quit IRC		09:11
*** ttsiouts_ has joined #openstack-containers		09:11
strigazi	For https://review.openstack.org/639053 We need to update the commit message, I think it must say the full story.	09:12
*** ttsiouts has quit IRC		09:12
flwang1	strigazi: ok, then for https://review.openstack.org/639053 , pls feel free to post a patch to update the commit message	09:13
strigazi	you can also the link for the story in the comments. It took me 30mins yesterday to explain it. People won't get it.	09:13
strigazi	ok, I'll do it asap	09:13
flwang1	try https://review.openstack.org/#/c/639053/4//COMMIT_MSG,edit ?	09:13
strigazi	just need to check if keystone-auth works	09:13
flwang1	strigazi: i can paste your words into the comment	09:14
strigazi	ok, I'll do it now then	09:14
flwang1	just added a comment	09:15
*** ivve has joined #openstack-containers		09:26
*** janki has quit IRC		09:30
*** janki has joined #openstack-containers		09:30
*** sapd1 has quit IRC		09:33
openstackgerrit	Spyros Trigazis proposed openstack/magnum master: Return instance ID of worker node https://review.openstack.org/639053	09:39
strigazi	flwang1: done	09:39
flwang1	strigazi: perfect, lgtm	09:42
flwang1	strigazi: let's merge it?	09:42
*** ykarel is now known as ykarel\|lunch		09:44
strigazi	flwang1: ok. I think without these comments the change would cause confusion. It's now enough to push the code and merge. Sorry for teh delay but it needed to be done. The code is not enough.	09:46
flwang1	strigazi: that's ok	09:46
openstackgerrit	Spyros Trigazis proposed openstack/magnum master: Return instance ID of worker node https://review.openstack.org/639053	09:46
strigazi	+2	09:48
flwang1	strigazi: thanks	09:49
strigazi	flwang1: I want to push a change in the CI to check for storyboard links and releasenotes	09:51
strigazi	flwang1: thoughts?	09:51
strigazi	brtknr: ^^	09:51
flwang1	sure	09:51
flwang1	it's good to have	09:51
flwang1	strigazi: https://review.openstack.org/#/c/638069/ need your bless	09:53
strigazi	flwang1: -1 the ssh port is closed	09:54
strigazi	flwang1: I left a comment about it already	09:54
flwang1	why do you think we have to open the ssh port?	09:54
strigazi	so be able to login to the nodes	09:54
strigazi	;)	09:55
flwang1	strigazi: i know, but admin user of the cluster can open it manually when it's really necessary	09:55
flwang1	for the default state, we're trying to only open ports which are really necessary	09:55
strigazi	we have in master nodes	09:55
flwang1	strigazi: i know, for master, that's another story	09:56
flwang1	for the perfect world, user shouldn't have permission to login the master as well	09:56
flwang1	they even won't be able to see the masters as we discussed before	09:56
strigazi	"hidden" masters is a completely different discussion	09:57
flwang1	just like using a loadbalancer service or a DB service, user don't have to, even shouldn't know the node, but just use the service	09:57
flwang1	strigazi: i know it's a different story	09:58
flwang1	i'm just saying user don't have to get the login BY DEFAULT	09:58
flwang1	they can enable it when they want	09:58
strigazi	I'm thinking. traefik won't work for users that have security groups	09:59
brtknr	strigazi: I dont fully follow the context regarding check for storyboard links	09:59
strigazi	brtknr all commit must reference a story in story board	09:59
brtknr	strigazi: As in, there must be a story/task id in the commit message for the Zuul gate to pass?	09:59
strigazi	brtknr all commits must reference a story in story board	09:59
strigazi	yes	09:59
brtknr	gotcha! sounds great	09:59
openstackgerrit	Merged openstack/magnum master: Add reno for flannel reboot fix https://review.openstack.org/638613	10:00
strigazi	flwang1: ok with a note in traefik docs and reno. let's take it.	10:01
strigazi	flwang1: ok with a note in traefik docs and in reno. let's take it.	10:01
strigazi	makes sense?	10:01
flwang1	strigazi: sure	10:01
strigazi	I'm doing it	10:02
*** sdake has joined #openstack-containers		10:02
flwang1	more doc is always good	10:02
*** sdake has quit IRC		10:05
*** sdake has joined #openstack-containers		10:07
*** sdake has quit IRC		10:10
*** sdake has joined #openstack-containers		10:12
*** sdake has quit IRC		10:13
*** sdake has joined #openstack-containers		10:14
*** sdake has quit IRC		10:15
strigazi	flwang1: example command to open the port?	10:15
strigazi	flwang1: can you paste it here	10:15
flwang1	openstack security group rule create [--remote-ip <ip-address> \| --remote-group <group>] [--dst-port <port-range> \| [--icmp-type <icmp-type> [--icmp-code <icmp-code>]]] [--protocol <protocol>] [--ingress \| --egress] [--ethertype <ethertype>] [--project <project> [--project-domain <project-domain>]] [--description <description>] <group>	10:16
flwang1	are you going to add it into the doc?	10:17
strigazi	flwang1: ok, I can write it myself	10:17
flwang1	strigazi: sorry, generally, i just use the dashboard to add rule	10:17
flwang1	i don't have a cli in hand	10:17
flwang1	openstack security group rule create SECURITY_GROUP_NAME --protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0	10:18
flwang1	strigazi: ^	10:18
*** sdake has joined #openstack-containers		10:22
*** ykarel\|lunch is now known as ykarel		10:23
*** sdake has quit IRC		10:25
openstackgerrit	Spyros Trigazis proposed openstack/magnum master: [k8s-fedora-atomic] Security group definition for worker nodes https://review.openstack.org/638069	10:25
*** sdake has joined #openstack-containers		10:26
strigazi	brtknr: can you have a look as well ^^	10:27
strigazi	flwang1: you connect to the dashboard? In our cloud as admins, we never login.	10:28
strigazi	flwang1: it will take a million years to do anything	10:29
flwang1	strigazi: we can only login dashboard in internal network	10:29
flwang1	with admin user	10:29
flwang1	why it takes long? because the bad performance of horizon?	10:29
openstackgerrit	Spyros Trigazis proposed openstack/magnum master: [k8s-fedora-atomic] Security group definition for worker nodes https://review.openstack.org/638069	10:30
strigazi	because we have 40000 vms :)	10:30
*** sdake has quit IRC		10:30
brtknr	Looking	10:30
flwang1	strigazi: o	10:31
flwang1	i'm jealous of that	10:31
strigazi	well 35626	10:31
brtknr	Why is icmp being blocked?	10:32
brtknr	Its useful to check if a node has come online	10:32
*** sdake has joined #openstack-containers		10:32
strigazi	8848 hypervisors, I think mount everest has this high in meters	10:32
strigazi	brtknr: it is blocked, I missed that	10:32
brtknr	Not sure why its a security issue	10:33
strigazi	flwang1: ^^	10:33
flwang1	brtknr: that's a good point	10:35
flwang1	personally, i think ICMP is ok to open	10:35
*** sdake has quit IRC		10:35
strigazi	let's open it then	10:35
flwang1	i asked our ops, and they also think ICMP is not a big problem	10:36
*** sdake has joined #openstack-containers		10:36
flwang1	that could be useful for health check for some cases	10:36
brtknr	yes, sometimes, there can be such a thing as too much security... like Trump's wall	10:36
strigazi	touche	10:37
brtknr	;)	10:38
*** sdake has quit IRC		10:41
*** sdake_ has joined #openstack-containers		10:41
*** sdake_ has quit IRC		10:45
flwang1	strigazi: any other comment on https://review.openstack.org/#/c/623092/8 ?	10:46
flwang1	i'm going to post a new patchset to address you and brtknr's comment	10:46
strigazi	flwang1: I'm testing	10:47
*** sdake has joined #openstack-containers		10:47
brtknr	also the point about no ssh hasnt been addressed	10:47
brtknr	whats the reason to block ssh?	10:48
strigazi	brtknr: operators or users will have to open the port	10:48
strigazi	brtknr: https://review.openstack.org/#/c/638069/4/releasenotes/notes/k8s-nodes-security-group-9d8dbb91b006d9dd.yaml	10:48
flwang1	brtknr: i think public cloud and private cloud may have different PoV about security	10:48
strigazi	flwang1: not really	10:48
strigazi	it the same for us.	10:49
flwang1	strigazi: ok, no argument here	10:49
strigazi	for everyone	10:49
flwang1	i have explained above anyway	10:49
flwang1	brtknr: ^	10:49
strigazi	If we were very well prepared we could disable even the daemon	10:49
flwang1	by default, we'd like close as much as possible ports	10:49
*** sdake has quit IRC		10:50
flwang1	strigazi: let's don't argue details when you got my point	10:50
brtknr	DISABLE THE SSH DAEMON?	10:51
*** sdake has joined #openstack-containers		10:51
brtknr	oops	10:51
strigazi	brtknr: if	10:51
brtknr	btw anyone else excited about RunAsGroup transitioning to beta in 1.14?	10:53
strigazi	flwang1:	10:53
strigazi	typo ^^	10:53
*** udesale has quit IRC		10:53
*** sdake has quit IRC		10:55
*** sdake has joined #openstack-containers		10:56
flwang1	brtknr: TBH, generally i'm more care about the stability than new features ;)	10:58
*** sdake has quit IRC		11:00
openstackgerrit	Feilong Wang proposed openstack/magnum master: [k8s-fedora-atomic] Security group definition for worker nodes https://review.openstack.org/638069	11:00
*** sdake has joined #openstack-containers		11:01
strigazi	RunAsGroup is a big security improvement.	11:05
brtknr	strigazi: What do you guys do about shared storage at Cern regarding file permissions etc. for volumes mounted in k8s pods?	11:09
*** ttsiouts_ has quit IRC		11:09
*** ttsiouts has joined #openstack-containers		11:10
brtknr	Its a big problem for us as the userspace uid/gid do not map to container uid/gid...	11:10
brtknr	I think RunAsGroup is a step in the right direction	11:10
*** sapd1 has joined #openstack-containers		11:11
brtknr	I'm thinking of RBAC rules that only allow a service account credential to run pods with certain uid/gid	11:11
openstackgerrit	Lingxian Kong proposed openstack/magnum master: [k8s-fedora-atomic] Use ClusterIP for prometheus service https://review.openstack.org/639001	11:12
brtknr	Although I am not sure whether thats currently possible	11:13
openstackgerrit	Lingxian Kong proposed openstack/magnum master: [k8s-fedora-atomic] Use ClusterIP for prometheus service https://review.openstack.org/639001	11:13
brtknr	This blog article appears to suggest its possible: https://medium.com/coryodaniel/kubernetes-assigning-pod-security-policies-with-rbac-2ad2e847c754	11:15
flwang1	lxkong: did you see our discussion about the security rules?	11:20
lxkong	flwang1: no, didn't look at irc	11:20
* lxkong is scrolling up		11:20
flwang1	lxkong: then just take a look the patch set we proposed https://review.openstack.org/638069	11:21
flwang1	lxkong: let's know if you're happy with that	11:21
flwang1	in short, we're adding the icmp back	11:21
lxkong	icmp?	11:21
lxkong	yep, i'm ok with that	11:21
flwang1	and strigazi just updated some docs	11:21
flwang1	cool	11:21
*** ttsiouts has quit IRC		11:23
strigazi	flwang1: brtknr https://review.openstack.org/#/c/623092/8	11:24
strigazi	https://review.openstack.org/#/c/623092/8/magnumclient/common/utils.py@245	11:24
strigazi	flwang1: brtknr ^^	11:25
flwang1	strigazi: yep, if you source the rc file on the same session, you will get this issue	11:26
flwang1	so yes, we probably need to use another different name	11:26
strigazi	flwang1: we will need the rc to generate the token	11:26
strigazi	let's hear from others?	11:27
flwang1	strigazi: yep, i know, can you try OS_AUTH_TOKEN ?	11:27
strigazi	OS_TOKEN is a standard name, we need to think about it before dropping the standard name	11:27
strigazi	OS_AUTH_TOKEN where?	11:28
flwang1	OS_AUTH_TOKEN is also standard name	11:29
strigazi	OS_AUTH_TOKEN works	11:30
openstackgerrit	Lingxian Kong proposed openstack/magnum master: [k8s-fedora-atomic] Security group definition for worker nodes https://review.openstack.org/638069	11:32
flwang1	strigazi: so let's use OS_AUTH_TOKEN?	11:33
strigazi	ok	11:34
strigazi	docs, reno?	11:34
strigazi	I can't find OS_AUTH_TOKEN anywhere in keystone docs	11:34
flwang1	you can find it when you generate a rc file on horizon	11:35
flwang1	doc in client side and reno also on client side?	11:36
strigazi	https://github.com/openstack/horizon/search?q=%22OS_AUTH_TOKEN%22&unscoped_q=%22OS_AUTH_TOKEN%22	11:36
flwang1	or you're asking doc and reno on server side?	11:36
strigazi	I think people look at the server side docs	11:38
flwang1	strigazi: we have reno and doc at https://review.openstack.org/#/c/561783/	11:39
flwang1	are you asking a user guide about how to use this?	11:40
strigazi	flwang1: let's wait at least for Rircardo (I'll ping him) or someone else to reply about the var name	11:40
flwang1	strigazi: sure, https://github.com/hashicorp/packer/issues/4415	11:41
strigazi	flwang1: how are we going to inform users about it?	11:41
strigazi	we need to have docs about the client, no?	11:42
flwang1	strigazi: seems we don't have a doc in client, but i can write a doc on server side about how to use the keystone auth feature including client usage	11:42
flwang1	strigazi: seems OS_AUTH_TOKEN is an old veriable before OS_TOKEN https://sumitkgaur.wordpress.com/2014/05/14/openstack-object-storage-swift/	11:44
brtknr	flwang1: can you please help me understand why we're using OS_TOKEN?	11:44
flwang1	brtknr: for keystone auth feature, are you aware of we support it now?	11:45
strigazi	the why should have been in the commit message :)	11:45
brtknr	yes but why are we using OS_TOKEN instead of OS_USERNAME and OS_PASSWORD?	11:45
brtknr	or generate OS_TOKEN from the client using OS_USERNAME and OS_PASSWORD	11:46
brtknr	if not available in the environment	11:46
strigazi	or generate OS_TOKEN from the client using OS_USERNAME and OS_PASSWORD this	11:46
strigazi	brtknr: people are using different auth methods like:	11:47
strigazi	certificates, kerberos, oauth some(?)	11:47
strigazi	or creds	11:47
strigazi	user/pass	11:47
flwang1	strigazi: hmm... we may be able to do it like this ' export OS_AUTH_TOKEN=$(openstack token issue -f value -c id)' in the config	11:47
brtknr	flwang1: yes, thats a good idea!	11:48
strigazi	flwang1: why ask for a token every time? is will be slower	11:48
strigazi	Better not make k8s as fast as keystone	11:48
flwang1	we can check it first	11:48
brtknr	strigazi: but thats what most clients do	11:48
*** ttsiouts has joined #openstack-containers		11:49
strigazi	we don't have to write a new client	11:49
flwang1	then there is no perfect solution	11:49
strigazi	There is the option to use the token which means no new configuration, only in kubeconfig	11:50
flwang1	i have to offline in 10 mins	11:50
strigazi	if we want to use a client, in the cloud provider repo there is a client	11:50
flwang1	it's very late here	11:50
flwang1	true, like i do in initial patch	11:51
strigazi	flwang1: I'll ask Ricardo to review. Maybe we just fo with OS_TOKEN	11:51
strigazi	flwang1: the extra client is bad	11:51
flwang1	agree	11:51
strigazi	we need to redistribute clients	11:51
strigazi	package, test	11:51
strigazi	rebuild on security	11:52
strigazi	we can support it with a third parameter	11:52
flwang1	strigazi: i'd like to let openstack release a docker image for openstack clients, like i said in my TC nominaiton email	11:52
strigazi	brtknr: makes sense why we proposed OS_TOKEN?	11:52
strigazi	docker is a good plus	11:53
strigazi	docker image is a good plus	11:53
strigazi	not enough	11:53
strigazi	all users must have docker?	11:54
flwang1	no, don't get me wrong, i'm not saying only have the docker image	11:55
flwang1	i'm saying having a docker image will be a good one	11:55
flwang1	so people don't have to worry about python deps, etc, etc	11:56
openstackgerrit	Merged openstack/magnum master: Return instance ID of worker node https://review.openstack.org/639053	11:57
strigazi	flwang1: I understand. I'm not saying is bad or anything. It is good.	11:58
strigazi	but doesn't solve all problems. If opestack would release a single golang binary, that would solve many issues.	11:59
flwang1	strigazi: i have to go, i will propose patch about the action api for both resize and upgrade	11:59
strigazi	flwang1: just go for resize first	11:59
*** ivve has quit IRC		12:00
flwang1	strigazi: yep, i mean, i will consider the case of upgrade as well	12:00
flwang1	the api will be v1/<cluster id>/action and the POST body will be {"resize": {"node_count": 2}}	12:01
strigazi	yes	12:01
strigazi	cool	12:01
strigazi	thanks	12:01
flwang1	cool	12:01
flwang1	i have to go to bed now	12:01
strigazi	good night	12:02
flwang1	thank you, my friend, all good discussion	12:02
* strigazi is going for lunch		12:02
strigazi	flwang1: cheers	12:02
*** ramishra has quit IRC		12:04
*** ramishra has joined #openstack-containers		12:26
*** udesale has joined #openstack-containers		12:26
openstackgerrit	Merged openstack/magnum master: Add server group for cluster worker nodes https://review.openstack.org/613825	12:32
*** ivve has joined #openstack-containers		12:57
*** dave-mccowan has joined #openstack-containers		13:02
*** pcaruana\|afk\| has quit IRC		13:09
*** sdake has quit IRC		13:16
*** jmlowe has quit IRC		13:29
*** henriqueof has joined #openstack-containers		13:45
*** janki has quit IRC		13:53
*** mrodriguez has joined #openstack-containers		13:57
*** sdake has joined #openstack-containers		14:12
*** sdake has quit IRC		14:12
*** jmlowe has joined #openstack-containers		14:13
*** ykarel is now known as ykarel\|afk		14:20
brtknr	strigazi: yes kind of.... I am just thinking about the experience of using openstack credentials to generate kubeconfig... will I need to provide OS_TOKEN each time?	14:44
brtknr	and use OS_AUTH_TYPE=token	14:44
brtknr	and unset OS_USERNAME and OS_PASSWORD	14:44
brtknr	its kind of painful	14:44
*** ttsiouts has quit IRC		14:45
*** sdake has joined #openstack-containers		14:48
*** sdake has quit IRC		14:55
strigazi	brtknr: this option is mostly for non admin users	14:55
*** hongbin has joined #openstack-containers		14:56
strigazi	brtknr: if you are the cluster admin, just use the certs for authentication	14:56
*** pcaruana has joined #openstack-containers		14:57
strigazi	brtknr: actually we can add all options	14:58
*** itlinux has joined #openstack-containers		14:59
*** sdake has joined #openstack-containers		15:01
strigazi	brtknr: one thing to take into account is that kubetl need a token only. so with password and so on, kubectl would issue a token first with the openstack client, parse it and then send it	15:02
strigazi	token issue takes a full second. (not because of keystone server) but because of the python client	15:03
strigazi	brtknr: you can use the golang binary which is faster	15:03
strigazi	brtknr: in any case, users like Cern and blizzard, OS_PASSWORD is not an option. we use kerberos	15:04
*** ykarel\|afk is now known as ykarel		15:06
*** ttsiouts has joined #openstack-containers		15:06
brtknr	strigazi: any good actively developed golang client you know of?	15:16
strigazi	brtknr: https://github.com/kubernetes/cloud-provider-openstack/tree/master/cmd/client-keystone-auth	15:18
*** hongbin has quit IRC		15:18
*** hongbin has joined #openstack-containers		15:20
*** imdigitaljim has quit IRC		15:30
*** cbrumm_ has quit IRC		15:30
*** schaney has quit IRC		15:31
*** itlinux_ has joined #openstack-containers		15:31
*** schaney has joined #openstack-containers		15:32
*** cbrumm_ has joined #openstack-containers		15:32
*** sdake has quit IRC		15:33
*** itlinux has quit IRC		15:34
*** sdake has joined #openstack-containers		15:36
*** itlinux_ has quit IRC		15:46
*** sapd1 has quit IRC		15:46
*** ivve has quit IRC		16:01
*** ykarel is now known as ykarel\|away		16:03
*** ykarel\|away is now known as ykarel		16:04
*** udesale has quit IRC		16:10
*** ramishra has quit IRC		16:25
*** hongbin has quit IRC		16:33
*** _fragatina has quit IRC		16:36
*** hongbin has joined #openstack-containers		16:41
*** ykarel_ has joined #openstack-containers		16:43
*** ykarel has quit IRC		16:46
*** sdake has quit IRC		16:52
*** sdake has joined #openstack-containers		16:54
*** pcaruana has quit IRC		16:57
*** _fragatina has joined #openstack-containers		16:58
*** _fragatina_ has joined #openstack-containers		16:59
*** ykarel_ is now known as ykarel\|away		16:59
*** rtjure has quit IRC		17:00
*** sdake has quit IRC		17:02
*** _fragatina has quit IRC		17:02
*** _fragatina_ has quit IRC		17:07
*** ttsiouts has quit IRC		17:31
*** ttsiouts has joined #openstack-containers		17:31
*** jmlowe has quit IRC		17:34
*** dims has quit IRC		17:35
*** ttsiouts has quit IRC		17:36
*** ivve has joined #openstack-containers		17:36
*** flwang1 has quit IRC		17:48
*** dims has joined #openstack-containers		17:48
*** ykarel\|away has quit IRC		17:51
*** _fragatina has joined #openstack-containers		17:58
*** sdake has joined #openstack-containers		18:26
*** _fragatina has quit IRC		18:31
*** sdake has quit IRC		18:33
*** _fragatina has joined #openstack-containers		18:35
*** sdake has joined #openstack-containers		18:38
*** ivve has quit IRC		18:43
*** sdake has quit IRC		18:44
*** sdake has joined #openstack-containers		18:45
*** jmlowe has joined #openstack-containers		18:47
*** jmlowe has quit IRC		18:47
*** jmlowe has joined #openstack-containers		18:48
*** sdake has quit IRC		18:51
*** sdake has joined #openstack-containers		18:56
*** alisanhaji has quit IRC		19:20
*** ttsiouts has joined #openstack-containers		19:36
*** spsurya has quit IRC		19:52
*** henriqueof has quit IRC		20:01
*** jmlowe has quit IRC		20:29
*** dave-mccowan has quit IRC		20:38
*** henriqueof has joined #openstack-containers		20:57
*** ivve has joined #openstack-containers		21:03
openstackgerrit	Lingxian Kong proposed openstack/magnum master: [k8s-fedora-atomic] Security group definition for worker nodes https://review.openstack.org/638069	21:07
*** ivve has quit IRC		21:14
*** jmlowe has joined #openstack-containers		21:17
openstackgerrit	Feilong Wang proposed openstack/magnum master: [WIP] Support <cluster>/actions/resize API https://review.openstack.org/638572	22:04
openstackgerrit	Feilong Wang proposed openstack/magnum master: [WIP] Support <cluster>/actions/resize API https://review.openstack.org/638572	22:06
openstackgerrit	Feilong Wang proposed openstack/magnum master: [WIP] Support <cluster>/actions/resize API https://review.openstack.org/638572	22:11
openstackgerrit	Lingxian Kong proposed openstack/magnum master: [k8s-fedora-atomic] Security group definition for worker nodes https://review.openstack.org/638069	22:12
openstackgerrit	Lingxian Kong proposed openstack/magnum master: [k8s-fedora-atomic] Security group definition for worker nodes https://review.openstack.org/638069	22:16
flwang	mnaser: around? recently, we're getting node failure for k8s api functional job	22:31
*** sdake has quit IRC		22:36
*** sdake has joined #openstack-containers		22:54
mnaser	flwang: oh thats no bueno	23:03
mnaser	flwang: let me dig in	23:03
flwang	mnaser: thanks	23:04
*** rcernin has joined #openstack-containers		23:06
*** sapd1 has joined #openstack-containers		23:06
*** dave-mccowan has joined #openstack-containers		23:17
*** itlinux has joined #openstack-containers		23:26
*** ttsiouts has quit IRC		23:32
*** sdake has quit IRC		23:38
*** sdake has joined #openstack-containers		23:41
*** sdake has quit IRC		23:42
openstackgerrit	Merged openstack/magnum master: [k8s-fedora-atomic] Security group definition for worker nodes https://review.openstack.org/638069	23:59

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!