[07:33:45] docker report doesn't fail anymore on build2001 \o/
[07:33:58] it took a bit but finally it worked :D
[08:00:54] yay, congrats
[08:18:31] nicely done!
[08:57:24] elukey: gg!
[09:00:06] <3
[09:54:20] brouberol: o/
[09:54:49] I had a chat with Janis about https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/1077872/2/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml since usually clusterroles are the weirdest corner cases
[09:55:30] afaics this gets bound to the provisioner's service account in https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/1077872/2/charts/ceph-csi-cephfs/templates/provisioner-clusterrolebinding.yaml, effectively making the provisioner able to read all secrets across namespaces etc.
[09:56:32] IIUC with the spark/flink operator the problem was similar and we ended up using role bindings for a list of namespaces that were "allowed"
[09:56:47] rather than giving a free "clusterrolebinding"
[09:57:10] I don't recall if we had a similar issue with the previous chart that we imported, maybe btullis remembers
[09:57:25] or maybe I was very ignorant about clusterroles and didn't raise the issue :D
[09:57:38] would it be a lot of work to modify the chart in this way?
[09:59:45] Thanks elukey. I have discussed this with brouberol in a sync this morning and we're happy to implement the recommended approach for both ceph-csi-cephfs and ceph-csi-rbd.
[10:00:28] thanks a lot, maybe we could end up documenting the best practice on wikitech as well
[10:00:42] I can help with anything, reviewing, brainstorming etc.
[10:01:12] I know it is more work on your shoulders, I didn't want to add more load :(
[10:01:22] spark-operator was similar, but is currently a little more primitive, because it currently only watches one namespace. I didn't add support for multiple namespaces yet.
[10:02:32] It's OK, it makes a lot of sense from a security perspective. The only downside is diverging from the upstream charts, which might make upgrades trickier.
[10:02:54] * elukey nods
[10:03:02] But maybe we will try to send the feature upstream, if that's not too hard.
[10:03:03] maybe we can ask if they are willing to get a patch
[10:03:08] exactly yes
[10:04:29] Thanks for your review though. Much appreciated.
[10:05:49] the rest looks good afaics, the usual root containers, but for the daemonset it is ok
[10:07:04] Yeah, it helps that it is extremely similar to the rbd version. That's now working well for us.
[13:08:02] Sorry, I was afk for a while. I'll
[13:09:21] I'll be back home in a bit. What I'll do is rework the cephfs chart first, and backport the same type of change for the rbd chart as well
[13:58:08] Here it is: https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/1080032/1
[13:59:03] once we agree on the implementation, I'll implement a similar change in ceph-csi-rbd