[12:42:35] elukey: did you figure out what's the matter with the cergen certs in ml-staging? [12:53:30] ah, I see mesh.certmanager is not enabled by default in ml-staging [12:57:20] https://gerrit.wikimedia.org/r/c/operations/puppet/+/981325 [13:03:54] elukey: and I just saw in /srv/private/hieradata/role/common/deployment_server/kubernetes.yaml that you use /usr/share/ca-certificates/wikimedia/Puppet_Internal_CA.crt as serving.kserve.io/s3-cabundle - that will probably break when thanos goes puppet 7 [13:22:30] jayme: thanks! Merging the puppet change! [13:22:44] thanks for the s3-cabundle, checking in a sec as well <3 [13:28:05] aaand deployed all services, should be good now! [13:28:59] yeah, checks out [13:29:01] thanks [13:29:44] still not sure how to deal with this dreaded ingress.*staging toggle in helm [13:29:51] :( [13:30:20] it's just around to change the list of hostnames the ingressgateway accepts [13:30:47] we do actually have that list already on a per cluster/environment basis as it's the same as mesh.certmanager.domains [13:31:11] but re-using that list in the istio module obviously seems wrong [13:31:43] having another copy of it (ingress.domains) seems wrong as well :D [13:40:48] yes yes both points are valid [13:41:35] in theory ingress without mesh is not really supported at the moment right? [13:45:15] yeah [13:45:21] was my line of thinking as well :) [13:48:17] I'd go for that road now, we can always find something newer/better when new use cases arrive [13:48:28] (fixed the s3-cabundle reference as well, thanks!) [13:52:19] elukey: probably right... I took a stab https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/981333 [14:00:19] ack, will review it today/tomorrow! [14:07:00] thanks...make it tomorrow please - does not work that way currently [14:18:57] updated. ready for review :)