[07:00:07] I will not attend Thursday sync meeting, I have a sailing competition in the evening
[07:02:25] for the communication between production and our OpenStack project, I'll avoid passing them through the bastion. For Jenkins, the controller runs on contint machines which have a public and direct ssh access to the instances
[07:03:19] iirc there is some static routing involved and some rules permit the traffic to enter WMCS network
[07:03:54] but that all depends on where the executor (prod?) and resource nodes are located (wmcs?)
[15:58:42] I have sent a wip patch to update the components overview / architecture diagram at https://zuul-ci.org/docs/zuul/latest/components.html
[15:58:58] https://review.opendev.org/c/zuul/zuul/+/950563
[15:59:00] and rendering https://phabricator.wikimedia.org/F60350621 :)
[16:00:53] the current contint hosts have what we call "nat exemption", which basically means that cloud vps vms with cloud-realm private IP addresses can talk with the contint hosts with wikiprod realm public IP addresses
[16:02:01] in general we're trying to replace those with use of IPv6, since a host with a wikiprod realm public v6 address is natively able to talk to a cloud realm VM with a (by default public) v6 address, so you should not need any special network edge case config to make it work
[16:04:38] wasn't it desired that they can NOT communicate directly (unless there is some special case like this) though?
[16:05:43] the separation used to be a deliberate choice rather than just technical reasons afair
[16:48:01] one realm seeing private addresses from the other realm is what we're trying to reduce