[09:43:43] <arturo>	 dcaro: this is a new attempt to what I tried yesterday (but had to revert) https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/37
[09:59:24] <arturo>	 thanks
[10:19:06] <dcaro>	 np
[10:19:08] * dcaro lunch
[11:16:31] * arturo back in a bit
[12:40:53] <dcaro>	 quick review https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/315
[12:41:51] <arturo>	 +1'd
[14:07:40] <taavi>	 andrewbogott: for T365696 I need an account with domain-wide admin rights. I probably should register a new account instead of re-using novaadmin. should I do that just as a normal ldap/developer account or is there a way to register some keystone-only service account?
[14:07:41] <stashbot>	 T365696: Investigate how to run OpenTofu to manage Cloud VPS admin-only resources - https://phabricator.wikimedia.org/T365696
[14:12:09] <andrewbogott>	 taavi: if it's for the default domain then it needs to be in ldap
[14:16:19] <taavi>	 ok! .. how does one create a new account in the codfw1dev ldap these days?
[14:17:05] <arturo>	 :-( --> FIRING: MaintainKubeusersHang: maintain-kubeusers last finished run is 28.63M minutes old
[14:17:17] <andrewbogott>	 ooh the answer to this is embarassing.  I don't think bitu is setup yet (slyngs might know otherwise)
[14:17:38] <andrewbogott>	 so either you can add it to ldap directly, or you can use labtestwikitech.  BUT to use labtestwikitech you have to enable account creation in the config first
[14:17:43] <andrewbogott>	 which I will do right now :)
[14:18:25] <taavi>	 andrewbogott: I'm not sure we can do that anymore, or whether we've (= I've) already ripped too much things out of the config to make that work
[14:18:33] <taavi>	 arturo: hmm, sounds like the `for:` time is still too low?
[14:18:34] <andrewbogott>	 oh, good point
[14:19:05] <arturo>	 taavi: yeah, something weird. I'll keep researching
[14:19:36] <andrewbogott>	 taavi: so I guess edit ldap.  I was doing that all day yesterday so I have the commands in my history, what username/shellname would you like?
[14:20:09] <taavi>	 cloudvps-admin-tofu or something similar?
[14:22:33] <andrewbogott>	 I'm superstitious about dashes, mind if it's just tofuadmin?
[14:23:20] <taavi>	 what's wrong with dashes? :-)
[14:23:29] <andrewbogott>	 probably nothing!
[14:23:35] <arturo>	 taavi: turns out, https://gitlab.wikimedia.org/repos/cloud/toolforge/alerts/-/merge_requests/14 was never merged :-P
[14:24:12] <arturo>	 (just merged now -- the `for:` change)
[14:24:19] <taavi>	 that would do it
[14:24:20] <andrewbogott>	 https://www.irccloud.com/pastebin/tk0gXHqC/
[14:24:39] <andrewbogott>	 taavi, I'm giving it your personal email so it's easy for you to do a password reset (assuming that that bit is still possible)
[14:24:58] <taavi>	 not without a bitu instance :-)
[14:25:38] <andrewbogott>	 well, ok, you'll need to set the password using ldap cli then
[14:25:45] <andrewbogott>	 otherwise it's done
[14:25:49] <taavi>	 ok, thanks!
[14:26:03] <andrewbogott>	 it might work! lmk if it does
[14:26:14] <taavi>	 I'll have a look after our meeting
[14:44:24] <slyngs>	 andrewbogott: Yeah, I created an LDIF for myself as well
[14:44:59] <andrewbogott>	 ok :)  We'll all look forward to having a gui
[14:45:51] <slyngs>	 andrewbogott: Regarding Bitu, there's some network related issues that prevents the VM for accessing the LDAP server for DEV. So I was considering moving Bitu to cloudweb2002-dev instead. How would you feel about that?
[14:46:06] <slyngs>	 I keeps the network nice and clean, but adds an additional service to that host
[14:47:38] <andrewbogott>	 Oh, good point re: r/w ldap
[14:47:57] <andrewbogott>	 yeah, moving it there is probably the simplest path
[14:48:59] <andrewbogott>	 it runs in a docker container?
[14:49:04] <slyngs>	 It can
[14:49:28] <slyngs>	 We do have one, so if that's preferred no objection on my part
[14:49:40] <andrewbogott>	 actually, wait, when you say 'the VM' are you talking about a ganetti VM?
[14:49:47] <slyngs>	 Yes
[14:50:31] <andrewbogott>	 huh, I'd expect networking to work OK then, can you tell me what the problem is?
[14:51:04] <slyngs>	 XioNoX can probably do it better, but there's some additional firewalling keeping those bits of the network separated
[14:51:44] <andrewbogott>	 ah, so it's just not possible to have ganetti hosts talk to the cloud-vps private network?  dang
[14:52:09] <slyngs>	 It's possible I think, but is it nice ... I don't know
[14:52:39] <slyngs>	 I just requires exact steps, which I think we have done for some services
[14:52:42] <slyngs>	 It
[14:53:12] <taavi>	 both ganeti vms and cloudwebs are outside the cloud-hosts/cloud-private networks, so they would have the same limitations
[14:53:54] <slyngs>	 Also the -dev webses ?
[14:54:06] <taavi>	 yes, both are hardware in the public vlan
[14:54:27] <taavi>	 cloudweb-devs probably already have a hole to talk to the codfw1dev ldap, poking one for the bitu vm should be a matter of adding a few lines to the homer repo
[14:55:31] <andrewbogott>	 thanks taavi, that's what I was about to say: it's the same problem for cloudweb as for ganetti as far as I know
[14:55:44] <andrewbogott>	 um... ganeti
[14:56:22] <andrewbogott>	 taavi: do you have access/knowledge to edit homer or should we bother cathal?
[14:57:43] <slyngs>	 I can go poke either Cathal or Arzel
[14:58:03] <taavi>	 i can also do it, although getting a +1 from the would not be a bad idea
[14:59:02] <slyngs>	 No I think we should, just so they know
[14:59:52] <andrewbogott>	 topranks: we're talking about adding an exception so that a new ganeti VM (codfw1dev bitu) can talk to ldap on the cloudservices2xxx hosts, do you have any concerns?
[15:00:21] <andrewbogott>	 (this is just piling test/dev exceptions one on top of another)
[15:01:02] <topranks>	 andrewbogott: I'd probably need to think it through, does the VM exist already?
[15:01:13] <topranks>	 or more to the point what network/vlan would it be on?
[15:01:42] <slyngs>	 topranks: Yes, the VM exists
[15:01:56] <topranks>	 what's the name of it?
[15:02:23] <slyngs>	 What we'd like to have working is
[15:02:24] <slyngs>	 nc -vzw 2 cloudservices2004-dev.codfw.wmnet 389
[15:02:33] <slyngs>	 cloudidm2001-dev.codfw.wmnet
[15:03:36] <taavi>	 basically that would be https://gerrit.wikimedia.org/r/c/operations/homer/public/+/1039742
[15:04:14] <andrewbogott>	 topranks: the premise here is that we want a toy bitu that can read/write to our toy ldap, in order to replace a bunch of labtestwikitech functionality.
[15:04:20] <andrewbogott>	 (that was maybe obvious)
[15:06:00] <topranks>	 I'm not overly familiar with what a "bitu" is tbh :)
[15:06:22] <topranks>	 what is "cloudidm" ?
[15:06:49] <slyngs>	 Installation of the idm.wikimedia.org software for use in the Striker/labs environment
[15:07:11] <topranks>	 but it's going into the WMF production ganeti rather than into the labs environment?
[15:07:12] * arturo offline
[15:08:00] <slyngs>	 I did the installation on a production Ganeti, but it needs to manage the labs LDAP. 
[15:08:35] <slyngs>	 There's also the option of redoing the installation somewhere in the labs environment, if we don't like the network changes
[15:10:49] <topranks>	 when we need to make exceptions that's ok and we can do it 
[15:11:01] <topranks>	 but overall that sounds like the wrong sort of shape 
[15:11:16] <topranks>	 if we need to create a new cloud service to manage cloud elements it should go into the cloud realm 
[15:11:29] <topranks>	 rather than being put in wmf production and then creating exceptions to allow them to talk 
[15:12:01] <andrewbogott>	 codfw1dev is test/dev but it runs on hardware
[15:12:45] <andrewbogott>	 IMO having something on the cloud have r/w ldap access breaks more rules than having bitu on ganeti :)
[15:14:19] <slyngs>	 Ideally I'd like to have it within the same network: 10.192.20.10/24
[15:14:28] <slyngs>	 With all the other dev things
[15:14:51] <taavi>	 if we could do a (ganeti) vm in cloud-hosts/cloud-private that would be the best option imo, but i don't think we can atm?
[15:16:16] <andrewbogott>	 to be clear, I'm not strictly opposed to it moving to labweb2xxx which already has the network exception. Just seems like more trouble/less service separation
[15:17:58] <slyngs>	 Did I get the hosts wrong, I thought that the labtestwikitech installation was on cloudservices2004-dev
[15:18:35] <taavi>	 the mediawiki installation is on cloudweb2002-dev
[15:18:59] <andrewbogott>	 ldap is on cloudservices200x-dev
[15:19:01] <taavi>	 cloudservices2004/5-dev house the LDAP database that both labtestwikitech and the new bitu installation will talk to
[15:19:15] <slyngs>	 Sorry, yes, cloudweb2002-dev. 
[15:20:07] <topranks>	 it seems like this new function ought to run somewhere on the cloud networks 
[15:20:28] <topranks>	 but cloud services have no infra to run VMs?  and don't want to add new physical hosts for it?
[15:20:45] <slyngs>	 Seems like a lot to waste a physical host on
[15:20:55] <slyngs>	 the other way.. seems like to little
[15:21:16] <slyngs>	 But we can just run in on cloudweb2002-dev. andrewbogott if you're okay with it
[15:21:17] <topranks>	 I'd rather solve the problem of "how do we run this in the cloud network" than to create it now on prod. infra and have another exception and element we probably can never separate 
[15:21:57] <topranks>	 cloudweb2002-dev is also not in the cloud network fwiw 
[15:23:00] <slyngs>	 already have the right networking setup and firewall rules
[15:23:23] <topranks>	 but we need to untangle cloudweb's this is just making our life worse 
[15:23:37] <slyngs>	 We don't want that :-)
[15:23:50] <topranks>	 sorry I don't want to make anyone's life difficult 
[15:24:18] <slyngs>	 No no, it fine, we would have asked if we didn't want your opinion
[15:24:26] <slyngs>	 wouldn't
[15:24:53] <taavi>	 topranks: it's a bit of a circular dependency :-) this unblocks part of not making wikitech be a ldap wiki, which in turn unblocks moving cloudwebs to the cloud-hosts/private setup that other cloud* hardware uses
[15:26:00] <topranks>	 taavi: ok, well if it gets us towards that then it's definitely good 
[15:26:15] <topranks>	 if that's the case it's probably fine on cloudweb2002-dev if it can run there?
[15:26:30] <topranks>	 and then when we get to the end of that untangling it would move into the cloud rack along with cloudweb?
[15:26:31] <slyngs>	 Maybe the easiest then would be to run the code as a container on cloudweb2002-dev, then we can just move it, when/if that because an option?
[15:27:13] <taavi>	 i'd be fine with that
[15:27:22] <slyngs>	 andrewbogott: ?
[15:28:19] <andrewbogott>	 yeah, if it's containerized it shouldn't make much more of a mess than we have already
[15:28:45] <slyngs>	 I'll make it work in a container
[15:28:54] <andrewbogott>	 striker and horizon are already running there in blubber-built containers, the puppet code for deploying that should be obvious
[15:29:39] <slyngs>	 taavi already made me build blubber-built containers for Bitu, so we have that ready. Might need a tweak or two, but that's easy enough. 
[15:30:06] <andrewbogott>	 cool
[15:30:20] <slyngs>	 I really need to run, but thank you everyone. I'll make the needed changes to Bitu/container images and Puppet
[15:38:16] <dcaro>	 andrewbogott: do you know if the user id that keystone uses in it's authentication is the 'username' that you enter in the login page of horizon? https://docs.openstack.org/api-ref/identity/v3/index.html#password-authentication-with-scoped-authorization
[15:38:55] <andrewbogott>	 I think it can auth by name or by id
[15:39:06] <andrewbogott>	 But I believe the id is the shell name
[15:39:27] <andrewbogott>	 e.g.:
[15:39:31] <andrewbogott>	 https://www.irccloud.com/pastebin/KhoTuYQB/
[15:39:36] <andrewbogott>	 dcaro: is that what you were asking?
[15:39:43] <dcaro>	 yes :), that's useful
[15:40:31] <dcaro>	 for application tokens though, you have to pass both, the secret (the token) and the application id? or do you know if you can just pass the token itself? (feel weird that you need both, not a common 'token' auth)
[15:42:07] <taavi>	 for an application credential, you need both the cred id and secret, yes
[15:43:43] <dcaro>	 I'm thinking on using a bearer token auth header, and embedding both like `<app-id>:<app-token>` so clients can use `Authorization: Bearer <app-id>:<app-token>` header (with the token being the chained string)
[15:44:17] <dcaro>	 that way most libraries will not need anything weird, does that make sense? 🤔
[16:06:35] <andrewbogott>	 taavi: don't app credentials get you a token which you can use on its own for subsequent calls?  (for, like, X number of hours)
[16:06:49] <taavi>	 yes
[16:07:45] <andrewbogott>	 maybe that's what david was saying, I'm distracted by staff meeting
[16:18:37] <dcaro>	 not really, you still need the app credentials first
[16:21:42] <andrewbogott>	 true
[16:23:34] <dcaro>	 Toolforge clients don't need to deal with keystone, they deal with toolforge, then toolforge deals with keystone xd
[16:23:38] <dcaro>	 (or whatever)
[16:30:32] <dcaro>	 *should not need to
[17:02:06] * dcaro off
[17:02:11] <dcaro>	 cya on monday