|
| 1 | +--- |
| 2 | +draft: true |
| 3 | +date: ADDME |
| 4 | +authors: |
| 5 | + - jc |
| 6 | +description: Meeting minutes from NEXT |
| 7 | +--- |
| 8 | + |
| 9 | +# NEXT |
| 10 | + |
| 11 | +## Agenda |
| 12 | + |
| 13 | +- **Kubernetes Gateway API migration** |
| 14 | + |
| 15 | + In its continued war on software, Kubernetes has deprecated working features. |
| 16 | + We need to migrate to the new gateway API. Joe has already done some work with |
| 17 | + Envoy and will inform us. |
| 18 | + |
| 19 | + **Actions**: Create a ticket. |
| 20 | + |
| 21 | +- **Owl Corp Guix Area 51 on Turing** |
| 22 | + |
| 23 | + `turing.box.pydis.wtf`, which used to be Chris' property, has been stolen in a |
| 24 | + fantastic scheme that we shall label "Theft by DNS A record". We have now |
| 25 | + deployed [Guix](https://guix.gnu.org/) on it, to play around with fully |
| 26 | + declarative host deployment. |
| 27 | + |
| 28 | + We now want to figure out what to do with the host to expand our testing. The |
| 29 | + following suggestions have been made so far: |
| 30 | + |
| 31 | + <!-- NOTE to you, *OWL CORP AGENTS*: please expand this list as you see fit --> |
| 32 | + |
| 33 | + - Numbers station |
| 34 | + - agents.pydis.wtf |
| 35 | + - database backups |
| 36 | + - Lovelace monitoring |
| 37 | + |
| 38 | + **Actions**: |
| 39 | + |
| 40 | + - Create a milestone for Area 51 initial setup |
| 41 | + - Create issues for the bullet points above |
| 42 | + |
| 43 | +- **LKE IP address whitelisting** |
| 44 | + |
| 45 | + Right now the `/etc/nftables` IP whitelist on lovelace is only refreshed on |
| 46 | + deployment. This is suboptimal, since worst case our resources may get |
| 47 | + scheduled on a new node that is not whitelisted in the firewall. |
| 48 | + |
| 49 | + The ideal solution would involve as little manual work as possible. `nftables` |
| 50 | + has an `include` directive: we could write a timer / cronjob to update a |
| 51 | + `nftables` file containing only the LKE ip addresses, which is then included |
| 52 | + in our Ansible-managed main `nftables.conf`. We would have to take care of |
| 53 | + setting up an initial IP whitelist in said file to prevent errors when |
| 54 | + provisioning a new server (where the timer has not run yet). |
| 55 | + |
| 56 | + **Actions**: Create a ticket. |
| 57 | + |
| 58 | +- **GitHub RBAC synchronization** |
| 59 | + |
| 60 | + Right now there is a lag between Discord roles and GitHub roles. As with LDAP, |
| 61 | + we should likely include this functionality in King Arthur The Terrible. |
| 62 | + |
| 63 | + **Actions**: Create a ticket for King Arthur The Terrible. |
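Review bot: the `nftables` `include` plan in the LKE whitelisting item (the lines "`nftables` has an `include` directive: we could write a timer / cronjob to update a" through "provisioning a new server (where the timer has not run yet)") needs one more safeguard than the seed file it already mentions: `nft -f` aborts loading the whole ruleset when an included file is missing or malformed, so a half-written file from the timer would leave the host with whatever ruleset was last loaded (or none, on first boot). Suggest the timer writes the LKE list to a temporary file in the same directory, runs `nft -c -f /etc/nftables.conf` against the candidate before activating it, and only then does an atomic rename and reload; and that the Ansible role ships the seed file with the current LKE addresses so the first load succeeds. Also worth noting on the GitHub RBAC item: the lag that matters for access control is revocation, so the King Arthur ticket should specify that the sync removes GitHub permissions when a Discord role is dropped, not only adds them. Minor: `date: ADDME` and the `# NEXT` heading are still placeholders in a file that otherwise reads as finished minutes.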