[16:42:09] as FYI I have kicked off a build-production-images run on build2001, that picked up a lot of images that probably were left over by the Image weekly bot (spark, pytorch, etc..). It is running in tmux, and it will likely take a bit to complete
[16:48:36] totally unrelated, if people have time https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/1028931/6/charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml
[16:48:55] so we can take an example about new helm chart review etc..
[16:49:15] this is for the ceph CSI provisioner, that Ben and I are working on
[16:49:55] the thing that I don't completely like is the fact that secrets across namespaces can be checked, and that serviceaccount/tokens can be created
[16:50:24] but this is something that will run in kube-system, probably serving multiple namespaces, so I am not sure if we can avoid it
[16:50:52] overall I am +1 to merge, but it is a complicated use case so if people could chime in it would be a good learning experience
[16:51:10] (like, telling me Luca please consider working on something that is not K8s from now on)
[16:51:16] :D
[16:51:25] going afk but will read tomorrow, thanks :)
[17:04:50] I think that I can probably put an if-gate around the RBAC to give it the ability to create a `serviceaccount/token` - I think it is used if we want to create encrypted volumes: https://github.com/ceph/ceph-csi/blob/devel/docs/design/proposals/encryption-with-vault-tokens.md - ref: https://github.com/ceph/ceph-csi/commit/7a2dd4c3cf5891fc3d7627843b124dcdf4f8abf9
[17:13:41] ...which we're not.