[09:08:18] hey folks, we have a test account for apus (s3 storage backed by ceph) that we can use for the Docker registry: https://phabricator.wikimedia.org/T394476#10862692
[09:08:47] what should we do? Create a new registry VM in codfw, allocate a Redis instance in codfw and start testing? Does it sound good?
[09:09:44] cc: akosiaris:
[10:32:06] perfect
[10:32:27] elukey: I'll craft a puppet patch to run a second registry instance
[10:32:50] Should save us from all the more redis+VMs shenanigans and we'll quite probably need it anyway
[11:05:20] I have a deployment/helmfile/permission question for y'all. We've been working on an airflow-devenv CLI, installed on the deployment servers, that allows data engineers to create ephemeral airflow dev environments in Kubernetes. Some of our data engineers are not part of the `deployment` UNIX group, so even if we have created a dedicated
[11:05:20] `airflow-deployers` UNIX group composed of `analytics-privatedata` users, these users still can't read the `airflow-dev-deploy` kubeconfig, because `/etc/helmfile-defaults/private` and `/etc/helmfile-defaults/private/dse-k8s_services` don't have the `o+x` permission bit
[11:06:01] I was wondering if setting that o+x bit on these 2 folders specifically would be perceived as a security issue.
[11:06:54] The way I see it, unix users who are not in the deployment (or root) groups would not be able to read anything, except files owned by `airflow-deployers` within that file tree
[11:07:04] that being said, I'd rather ask before
[11:08:44] sorry, small addendum: the permission issue is not related to the kubeconfig file but to the private value file
[11:29:39] brouberol: it's the entire hierarchy, though, right? not just those 2 directories
[11:30:18] that is private, private/dse-k8s_services, private/dse-k8s_services/
[11:30:21] and then the file itself
[11:31:16] ah, I just realized that you only care for the airflow-dev namespace
[11:32:16] +x is fine by me on private. It still requires knowing what's in there to get something out, and files still have their own permissions
[11:33:21] I assume you want to switch mode => '0750' in line 33 of deployment_server/helmfile.pp to 0751 and line 52 as well?
[11:33:31] this is probably fine
[11:34:41] yeah, post a patch and I'll +1, this shouldn't have huge implications, the files themselves are the ones that should keep their permissions as is.
[11:39:41] Thanks. Here is the patch: https://gerrit.wikimedia.org/r/c/operations/puppet/+/1151657
[12:10:10] thanks akosiaris, that is going to make some engineers very happy
[12:25:56] akosiaris: okok but are we going to share the same redis instance? Are there chances to mess up the main registry? This is why I wanted the second VM+redis, just more separate and "safe"
[12:26:18] but I am fine with whatever plan you prefer, I'll review the CR when ready :)
[13:38:29] btullis, brouberol: +1ed
[13:39:01] akosiaris: Many thanks.
[13:41:23] thanks!