ChanServ changed the topic of #freedesktop to: https://www.freedesktop.org infrastructure and online services || for questions about freedesktop.org projects, please see each project's contact || for discussions about specifications, please use https://gitlab.freedesktop.org/xdg or xdg@lists.freedesktop.org
<thaller>
I guess, it will resolve itself? Is there a link to a dashboard, where we can see the capacity/state for the gitlab-ci workers?
<daniels>
bentiss: oh, that's interesting - so the static token would be one with access to all minio, and we'd lean on istio to do the per-req validation?
<glehmann>
is mesa CI working okay? the sanity job for my MR is now pending for 45min
<daniels>
glehmann, thaller: looking now
<thaller>
daniels, some NM jobs started in the meantime... Still slower than usual.
<daniels>
yeah, I think all the gst runners are on holiday ... alatiera?
<__tim>
htz2 is doing stuff, htz3 + htz4 seem idle
<bentiss>
daniels: something like that, yes. I am still trying to get my head around it and seeing if this is possible, but given that istio allows to filter per req the access of the destination pod, we can implement any rule we want
<bentiss>
so I am kind of looking endlessly at the docs since yesterday :/
<daniels>
bentiss: hrmmm, it's not immediately obvious to me how you'd map that into an s3 req structure
<bentiss>
daniels: the whole thing is that istio (+envoy) allows to add a proxy in front of a dedicated service. You can then attach any rule in front of that webservice, which are JWT validation, OPA calls, or any lua script (or a bunch of others)
<daniels>
oh yeah, I just mean how you'd go about writing the approval rules in the istio auth yaml
<bentiss>
so the plan is to trick ceph into believing the request initially contained the AWS token, when it was actually added by the proxy (and removed on the response)
<daniels>
right
<bentiss>
daniels: we keep using OPA :)
<bentiss>
it's just the way of calling OPA which is not exactly the most current one on the OPA website
<bentiss>
right now, they tell us to have a custom EnvoyFilter, but actually we can use a CUSTOM Istio authorization rule
<bentiss>
Ideally I'd like to have only one way of writing the envoy filters (2 with OPA), and not 3 as it is now: JWT validated in Istio, OPA being called by EnvoyFilter and OPA (though I might have to add an EnvoyFilter to call the lua script)
<bentiss>
because given that this is new, I can very much say "this is secure" when there is an obvious opened door
<__tim>
both htz3 and htz4 seem to be doing things now
<__tim>
in the runners list it says that those are 'locked to a particular project' by admins, could that be related?
<daniels>
bentiss: yeah, all that makes sense, just can't see how to write the istio rules, but let's see :)
<daniels>
__tim: hmm, it's not showing as that by me, and it is working on multiple projects
<daniels>
zmike: you mean the pipeline that's nearly finished?
<daniels>
if it comes up with a brown pause icon that says 'pending', that means it's waiting for an available runner
<zmike>
daniels: yes, it's not surprising that it's nearly finished when you checked, but I assigned it 2 hours ago and it timed out after an hour without having started the pipeline
<zmike>
I'm not sure I've seen it time out like that when starting the merge pipeline unless something is more deeply wrong
<daniels>
yeah, people have been DoSing CI lately
<daniels>
but that's what the brown pause icon means - it's waiting for a runner to become available
<zmike>
who's DoSing it
<zmike>
I'll have a talk with them
<daniels>
mostly NetworkManager, but some dbus, some virgl, some Mesa
<glehmann>
do other projects (not mesa) run CI on every push?
<daniels>
nope
<daniels>
NM runs manually, but its testing is extremely heavyweight and ties our runners up for a long time
<bentiss>
daniels: alright, I think I'm done for today: I pushed the istiod deployment on gitlab-config, and the fdo-opa to attach on top of the new ceph rgw fdo-opa storage
<bentiss>
daniels: so it adds a CUSTOM Istio authorization rule which is forwarded to OPA, and then there is the JWT token validation (haven't checked if it works and if it is before or after OPA)
<bentiss>
the policy will need to be updated because we don't have the full plain token in OPA, nor if this is the owner or not
<bentiss>
right now I allow any request that claims to be AWS* token, meaning that the dashboard and the operator can talk to it
<bentiss>
daniels: and if you want to play with it, there is also a foo namespace with an httpbin webservice where we can play with istio