[08:56:31] <jayme>	 it's fine without I'd say
[10:54:23] <elukey>	 super
[10:54:29] <elukey>	 I am going to rollout to staging then
[10:54:47] <elukey>	 jayme: for cert-manager I filed, not sure if it is the best approach or not
[10:55:15] <elukey>	 in the chart I found the digest as alternative, not a specific placeholder for the image's version (maybe I missed it somewhere)
[10:59:45] <jayme>	 elukey: I think there is image.tag
[11:00:30] <jayme>	 and webhook.image.tag and cainjector.image.tag :)
[11:00:42] <elukey>	 okok missed, what do you prefer? 
[11:01:29] <jayme>	 I would prefer overwriting for staging only for now, leave it over the weekend and then bump the appVersion and chartversion...
[11:01:34] <jayme>	 probably the easiest
[11:03:00] <elukey>	 +1 ok
[11:03:03] <jayme>	 you can probably use some yaml anchor like here helmfile.d/admin_ng/cert-manager/cert-manager-values.yaml contains the 
[11:03:20] * elukey nods
[11:03:32] <elukey>	 last one - ok to proceed with the istio upgrade in wikikube staging?
[11:03:59] <jayme>	 yeah, go ahead
[11:04:22] <jayme>	 would you be so kind to to do staging-codfw as well please?
[11:04:32] <elukey>	 yep yep already in my list
[11:05:32] <jayme>	 cool, thanks
[11:06:42] <elukey>	 lovely:
[11:06:42] <elukey>	 ailed to pull image "docker-registry.discovery.wmnet/istio/proxyv2:1.15.7-2": rpc error: code = Unknown desc = Error response from daemon: Head "https://docker-registry.discovery.wmnet/v2/istio/proxyv2/manifests/1.15.7-2": no basic auth credentials
[11:07:11] <elukey>	 on ml-staging-codfw worked nicely
[11:35:46] <elukey>	 the docker pull commands are the same in both clusters
[11:36:07] <elukey>	 (from the kubelet)
[11:36:08] <elukey>	 Pulling image "docker-registry.discovery.wmnet/istio/proxyv2:1.15.7-2"
[11:38:20] <elukey>	 the change is https://gerrit.wikimedia.org/r/977214
[11:38:36] <elukey>	 I had to use {{ registry }} since we have a special "istio" namespace in the registry
[11:38:49] <elukey>	 so docker-pkg on my laptop complained without it
[11:43:09] <elukey>	 ah wait, it fails on the control plane
[11:43:21] <elukey>	 istio-ingressgateway-2rwc5   0/1     ImagePullBackOff   0             38m    10.64.75.131   kubestagemaster1001.eqiad.wmnet   <none>           <none>
[11:43:24] <elukey>	 istio-ingressgateway-ckj9c   0/1     ImagePullBackOff   0             35m    10.64.75.195   kubestagemaster1002.eqiad.wmnet   <none>           <none>
[11:46:03] <elukey>	 and they have the NoSchedule taint
[11:48:31] <elukey>	 attempting another istioctl manifest apply
[11:48:42] <elukey>	 that of course now hangs in ingress
[11:48:56] <elukey>	 I kinda hoped it would have cleared the current situation
[11:49:17] <elukey>	 as FYI I did
[11:49:33] <elukey>	 root@deploy2002:/srv/deployment-charts/custom_deploy.d/istio/main# istioctl-1.15.7 manifest apply -f config.yaml
[11:49:48] <elukey>	 (after kube_admin staging etc.. )
[11:50:44] <elukey>	 the desired pods in the daemonset is 4
[11:52:43] <elukey>	 jayme: I may need your help after lunch for --^, maybe there is a gotcha that I don't know
[11:54:55] <elukey>	 going afk for lunch, ttl!
[14:49:31] <jayme>	 elukey: I'm looking at modules/ingress/istio_1.0.3.tpl where there is this special casing for staging and ml-staging. For staging it's no longer required because all certs do have proper SANs now - looks like there is still some work to do for ml to catch up...do you know what/where exactly?
[14:50:15] <jayme>	 (sorry, did not see the ping earlire for whatever reason)
[15:06:33] <elukey>	 jayme: I'd need to check but I'll do it today/tomorrow, is it blocking you now?
[15:06:44] <elukey>	 it may very well not be needed
[15:07:10] <jayme>	 elukey: nono, next days is fine. I can also try to figure it out myself if you don't have time
[15:07:42] <elukey>	 I'll tell you tomorrow if it is needed or not, just written down :)
[15:07:54] <elukey>	 any idea about the ingress on control plane nodes thing?
[15:10:09] <jayme>	 no...but I bet it's something related to a registry change
[15:10:23] <jayme>	 ailed to pull image "docker-registry.discovery.wmnet/istio/proxyv2:1.15.7-2": rpc error: code = Unknown desc = Error response from daemon: Head "https://docker-registry.discovery.wmnet/v2/istio/proxyv2/manifests/1.15.7-2": no basic auth credentials
[15:11:15] <elukey>	 yeah I found it as well, but it is weird that it happens only in staging and also -o wide reports control plane nodes
[15:11:19] <elukey>	 the desired replica is 4
[15:11:25] <elukey>	 (for the daemonset)
[15:11:28] <elukey>	 I'd have expected 2
[15:12:20] <jayme>	 nono, 4 is fine I suppose
[15:12:31] <jayme>	 I think they tolerate the master taint
[15:13:34] <jayme>	 the control planes are unable to pull the old image as well...nice that you uncovered that now :)
[15:14:27] <jayme>	 ah, the workers are not able to pull as well...so at least consistency
[15:27:18] <elukey>	 oof