| 1 | +--- |
| 2 | +draft: false |
| 3 | +date: 2026-03-26 |
| 4 | +authors: |
| 5 | + - jc |
| 6 | +description: Meeting minutes from 2026-03-26 |
| 7 | +--- |
| 8 | + |
| 9 | +# NEXT |
| 10 | + |
| 11 | +## Agenda |
| 12 | + |
| 13 | +- **Kubernetes Gateway API migration** |
| 14 | + |
| 15 | + In its continued war on software, Kubernetes has deprecated working features. |
| 16 | + We need to migrate to the new gateway API. Joe has already done some work with |
| 17 | + Envoy and will inform us. |
| 18 | + |
| 19 | + **Discussion** |
| 20 | + |
| 21 | + Envoy is crash looping. Joe deployed it, and he is asking why. He realizes |
| 22 | + that it is not really crash looping. It only restarted four times. Chris says |
| 23 | + that's fine, that's acceptable. Joe realizes that "it just fucking killed |
| 24 | + itself. Look at this shit." |
| 25 | + |
| 26 | + Joe realizes the issue. We haven't payed for the high availability control |
| 27 | + plane. See rule 5. |
| 28 | + |
| 29 | + Joe elaborates on what is missing. |
| 30 | + |
| 31 | + **Actions** |
| 32 | + |
| 33 | + Ticket #611 tracks further progress and got expanded with a |
| 34 | + checklist. |
| 35 | + |
| 36 | +- **Owl Corp Guix Area 51 on Turing** |
| 37 | + |
| 38 | + `turing.box.pydis.wtf`, which used to be Chris' property, has been stolen in a |
| 39 | + fantastic scheme that we shall label "Theft by DNS A record". We have now |
| 40 | + deployed [Guix](https://guix.gnu.org/) on it, to play around with fully |
| 41 | + declarative host deployment. |
| 42 | + |
| 43 | + We now want to figure out what to do with the host to expand our testing. The |
| 44 | + following suggestions have been made so far: |
| 45 | + |
| 46 | + <!-- NOTE to you, *OWL CORP AGENTS*: please expand this list as you see fit --> |
| 47 | + |
| 48 | + - Numbers station |
| 49 | + - agents.pydis.wtf |
| 50 | + - database backups |
| 51 | + - Lovelace monitoring |
| 52 | + |
| 53 | + **Suggested actions** |
| 54 | + |
| 55 | + - Create a milestone for Area 51 initial setup |
| 56 | + - Create issues for the bullet points above |
| 57 | + |
| 58 | + **Discussion** |
| 59 | + |
| 60 | + Accepted and ratified under Amrou Bellalouna Order in Absentia #125. Johannes |
| 61 | + actionde it. |
| 62 | + |
| 63 | +- **LKE IP address whitelisting** |
| 64 | + |
| 65 | + Right now the `/etc/nftables` IP whitelist on lovelace is only refreshed on |
| 66 | + deployment. This is suboptimal, since worst case our resources may get |
| 67 | + scheduled on a new node that is not whitelisted in the firewall. |
| 68 | + |
| 69 | + The ideal solution would involve as little manual work as possible. `nftables` |
| 70 | + has an `include` directive: we could write a timer / cronjob to update a |
| 71 | + `nftables` file containing only the LKE ip addresses, which is then included |
| 72 | + in our Ansible-managed main `nftables.conf`. We would have to take care of |
| 73 | + setting up an initial IP whitelist in said file to prevent errors when |
| 74 | + provisioning a new server (where the timer has not run yet). |
| 75 | + |
| 76 | + **Suggested actions** |
| 77 | + |
| 78 | + Create a ticket. |
| 79 | + |
| 80 | + **Discussion** |
| 81 | + |
| 82 | + Accepted. Actioned by Johannes. |
| 83 | + |
| 84 | +- **GitHub RBAC synchronization** |
| 85 | + |
| 86 | + Right now there is a lag between Discord roles and GitHub roles. As with LDAP, |
| 87 | + we should likely include this functionality in King Arthur The Terrible. |
| 88 | + |
| 89 | + King Arthur The Terrible needs admin access to the organisation to manage |
| 90 | + users. We should call it Big Brother, because it upsets some people and is |
| 91 | + funny. |
| 92 | + |
| 93 | + **Suggested actions** |
| 94 | + |
| 95 | + Create a ticket for King Arthur The Terrible. Create a ticket to store GitHub |
| 96 | + usernames in LDAP. |
| 97 | + |
| 98 | + **Discussion** |
| 99 | + |
| 100 | + Accepted. Johannes will create a ticket. Points to note: we have to store all |
| 101 | + GitHub usernames in LDAP. Joe says that this makes him want to kill himself. |
| 102 | + |
| 103 | + Because this means that any helper gets access to our e-mail service, we first |
| 104 | + need to take care of preventing sender address forgery |
| 105 | + (python-discord/infra#498). |
| 106 | + |
| 107 | + There is a debate on whether users should verify their account on GitHub, for |
| 108 | + instance by posting a Gist. The consensus is that this is probably not |
| 109 | + necessary, because their GitHub profile does not technically get special |
| 110 | + access, plus if it was a friend's account, they might ask them to also fill |
| 111 | + them out. |
| 112 | + |
| 113 | + Instead, DevOps should approve any linkage, with a button to swipe left and a |
| 114 | + button to swipe right. There should also be a button to buy King Arthur The |
| 115 | + Terrible Premium to grant more likes every day. |
| 116 | + |
| 117 | + We should store the GitHub user ID, not the username. |
| 118 | + |
| 119 | + **Actions** |
| 120 | + |
| 121 | + Issues created by Johannes. |
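Review bot: the GitHub RBAC item is internally inconsistent about what gets stored in LDAP. The suggested action reads "Create a ticket to store GitHub usernames in LDAP" and the discussion repeats "we have to store all GitHub usernames in LDAP", but the item closes with "We should store the GitHub user ID, not the username." Please update the suggested action and the discussion to match that conclusion so the ticket is opened for the user ID (a username can be changed or reassigned, an ID cannot). Two typos in the same hunk while you are there: "payed" should be "paid" and "actionde" should be "actioned".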