[14:16:37] <elukey>	 accraze: o/
[14:16:51] <elukey>	 let's sync when you are online, I am not getting the issue that you described above
[14:17:18] <elukey>	 for the isvc part, I checked /home/accraze/test.sh and I think it is not right (or maybe it used to work but not in newer versions
[14:17:21] <elukey>	 root@ml-sandbox:/home/elukey# kubectl get isvc enwiki-goodfaith -n kserve-test
[14:17:24] <elukey>	 NAME               URL                                               READY   PREV   LATEST   PREVROLLEDOUTREVISION   LATESTREADYREVISION                        AGE
[14:17:27] <elukey>	 enwiki-goodfaith   http://enwiki-goodfaith.kserve-test.example.com   True           100                              enwiki-goodfaith-predictor-default-2bhvc   6h42m
[14:17:42] <elukey>	 service hostname becomes root@ml-sandbox:/home/elukey# kubectl get isvc enwiki-goodfaith -n kserve-test
[14:17:45] <elukey>	 NAME               URL                                               READY   PREV   LATEST   PREVROLLEDOUTREVISION   LATESTREADYREVISION                        AGE
[14:17:48] <elukey>	 enwiki-goodfaith   http://enwiki-goodfaith.kserve-test.example.com   True           100                              enwiki-goodfaith-predictor-default-2bhvc   6h42m
[14:17:51] <elukey>	 oof sorry
[14:17:52] <elukey>	 ---
[14:18:03] <elukey>	 SERVICE_HOSTNAME becomes http://enwiki-blabla
[14:18:08] <elukey>	 and then it is used as Host header
[14:19:54] <elukey>	 but you also mentioned articlequality and I don't see pods related to it on minikube
[14:20:00] <elukey>	 ( I am surely missing something)
[14:57:33] <wikibugs>	 10Lift-Wing, 10Machine-Learning-Team (Active Tasks): Add an envoy proxy sidecar to Kserve inference pods - https://phabricator.wikimedia.org/T294414 (10elukey) I was able to use the following config to do allow pods to call via HTTP the egress gateway and force it to use https to connect to the MW api:  ` apiV...
[14:57:47] <elukey>	 I was able to use the istio egress gateway pod to:
[14:58:15] <elukey>	 - get an http call for its service with Host: header set to the target wiki
[14:58:28] <elukey>	 - make egress to call the mw api via https
[14:58:51] <elukey>	 we can of course use https from pods to egress as well, but this one was simpler to test :)
[14:59:32] <elukey>	 https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/ is also a very nice reading
[15:04:42] <elukey>	 the above mentions the use of Redis to keep track of the limits, need to double check how it works (but I suspect it needs a backend to store temp data, IIUC api-gateway does the same)
[15:05:01] <elukey>	 on the egress gateway note, we could proceed in two ways
[15:05:17] <elukey>	 1) have one egress per namespace, configuring it with things to call
[15:05:25] <elukey>	 2) have a single egress for all namespaces
[15:05:30] <elukey>	 ---
[15:05:55] <elukey>	 2) is more flexible, but all namespaces will be able to access the endpoints that we configure. I think it is fine for our use case, but we need to double check
[15:06:06] <elukey>	 1) is more granual but I think overkill initially
[15:10:39] <elukey>	 in theory now, from the pods, we could call istio-egressgateway.istio-system.svc.cluster.local:80 with the right host header
[15:10:57] <elukey>	 (still hacky and not helm-fied, all manual)
[15:21:20] <accraze>	 o/
[15:30:59] <elukey>	 accraze: o/
[15:32:24] <accraze>	 elukey: nice work on istio egress gw pod
[15:33:06] <accraze>	 i agree -- having a single egress per namespace would give us a ton of granularity but might add more complexity to the mvp
[15:33:44] <elukey>	 yeah plus we don't really need to shield the mw api or other things from our pods, except of course circuit breaking
[15:33:48] <accraze>	 how difficult would it be to switch to that approach later and do a single egress for all namespaces initially?
[15:33:57] <elukey>	 I think it shouldn't be hard
[15:34:14] <elukey>	 in theory (still under testing :P) the config for inference service will need to change like
[15:34:29] <elukey>	       - name: WIKI_URL
[15:34:29] <elukey>	         value: http://istio-egressgateway.istio-system.svc.cluster.local
[15:34:48] <elukey>	 so if we wanted to add more gateways in the future we'll just need to add them and change --^
[15:35:10] <elukey>	 and the good bit about endpoints like above is that we can have multiple pods load balanced behind it
[15:35:10] <accraze>	 ahhh i see, that's pretty straight-forward
[15:35:17] <elukey>	 so we can scale egress easily
[15:37:47] <elukey>	 moreover if we wanted to switch to mtls we could, since we would keep the mesh architecture (ingress -> pods -> egress)
[15:43:17] <accraze>	 niiiice, this is sounding really good
[15:44:29] <chrisalbon>	 morning all!
[15:46:15] <accraze>	 o/
[15:46:25] <elukey>	 o/
[15:51:50] <accraze>	 elukey: re: the ml-sandbox, i just re-deployed the updated enwiki-articlequality isvc (w/ transformer) and still getting the same issue
[15:52:10] <elukey>	 can you write in here how to repro?
[15:52:13] <elukey>	 so I can check
[15:52:14] <accraze>	 i'm using the test-aq.sh script
[15:52:24] <elukey>	 ah nice, checking
[15:52:58] <accraze>	 I can hit the predictor and transformer separately
[15:53:24] <accraze>	 but if i use SERVICE_HOSTNAME="enwiki-articlequality.kserve-test.example.com"
[15:53:39] <accraze>	 i get 503 Service Unavailable
[15:54:06] <accraze>	 when it should route the `request->transformer->predictor->result`
[15:55:25] <elukey>	 mmm i thought that the transformer would have been in the same pod
[15:55:28] <elukey>	 as the predictor
[15:56:09] <accraze>	 ahh no i think they are actually separate pods
[16:00:19] <accraze>	 i'm going through the kserve debug guide trying to trace down where it might break in the request flow
[16:00:21] <accraze>	 https://github.com/kserve/website/blob/main/docs/developer/debug.md#debug-kserve-request-flow
[16:01:56] <elukey>	 I never used the svc hostname like the above
[16:02:21] <elukey>	 but I see
[16:02:22] <elukey>	 enwiki-articlequality   http://enwiki-articlequality.kserve-test.example.com   True           100                              enwiki-articlequality-predictor-default-hh4rn   39m
[16:02:31] <elukey>	 that points to the predictor
[16:03:53] <accraze>	 oh interesting, hmmm the latest revision only points to the predictor
[16:05:13] <elukey>	 I tried to force the SERVICE_HOSTNAME to the transformer
[16:05:17] <elukey>	 and I get a 500
[16:05:20] <elukey>	 in the logs
[16:05:21] <elukey>	 Max retries exceeded with url: /v1/models/enwiki-articlequality:predict (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f4f270773c8>: Failed to establish a new connection: [Errno -5] No address associated with hostname'))
[16:05:47] <elukey>	 ah sorry
[16:05:48] <elukey>	 urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='enwiki-articlequality-predictor-default.kserve-test', port=80): Max retries exceeded with url: /v1/models/enwiki-articlequality:predict (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f4f270773c8>: Failed to establish a new connection: [Errno -5] No address associated with hostname'))
[16:07:48] <accraze>	 ohhh ok that makes sense because the transformer needs the predictor hostname
[16:07:50] <accraze>	 https://github.com/wikimedia/machinelearning-liftwing-inference-services/blob/main/revscoring/articlequality/transformer/articlequality_transformer/__main__.py#L14
[16:08:02] <accraze>	 that's supposed to be supplied by the isvc
[16:12:37] <elukey>	 how should it pass it?
[16:21:01] <accraze>	 not 100% sure but i believe the top-level virtual service handles the routing 
[16:21:06] <accraze>	 (still reading docs lol)
[16:24:34] <elukey>	 I am testing the egress solution that seems working, but I don't find traces of it in tcpdump/logs
[16:24:37] <elukey>	 that is weird
[16:25:26] <elukey>	 no I am stupid, I found it 
[16:25:45] <elukey>	 works nicely :)
[16:25:48] <elukey>	 \o/
[16:30:18] <accraze>	 nice one!
[16:31:43] <accraze>	 this is the single egress for all namespaces?
[16:42:19] <elukey>	 exactly yes
[17:52:58] <wikibugs>	 10Lift-Wing, 10Machine-Learning-Team (Active Tasks): Add an envoy proxy sidecar to Kserve inference pods - https://phabricator.wikimedia.org/T294414 (10elukey) I added the following bit to an inference service and it worked!  `     - name: WIKI_URL       value: "http://istio-egressgateway.istio-system.svc.clus...
[18:00:15] <chrisalbon>	 Buuuuddddgets
[18:00:49] <chrisalbon>	 Also, Tajh wants us to come up with a name for the full new infrastructure, something that covers Lift Wing and Train Wing
[18:00:56] <chrisalbon>	 I'm open to all suggestions
[18:02:25] <chrisalbon>	 probably should be bird or flight related
[18:04:05] <elukey>	 I'd call it Skynet but we can't
[18:04:34] <chrisalbon>	 Tajh suggestion some bird of prey from mythology that like murders travelers or something
[18:04:53] <chrisalbon>	 seems like that might not work either
[18:52:42] * elukey afk!
[21:14:29] <accraze>	 ok been digging a bit further into the articlequality transformer isvc issue
[21:14:50] <accraze>	 i can see knative-serving/cluster-local-gateway, however it seems that istio has no knowledge of it
[21:16:48] <accraze>	 been digging through the docs and starting to wonder if there needs to be an envoy proxy in istio to route internal calls (like isvc->transformer->predictor) 
[21:58:22] <accraze>	 but yeah the root issue is that the transformer and predictor can't talk to each other, which is leading me to believe that the cluster-local config is not setup correctly
[21:59:01] <accraze>	 will dig in more tomorrow, going to step away from the gateway stuff for a bit and work on upgrading the python servers to use kserve v0.7.0