User Details
- User Since
- Sep 5 2023, 11:23 AM (33 w, 3 d)
- Availability
- Available
- IRC Nick
- brouberol
- LDAP User
- Brouberol
- MediaWiki User
- BRouberol-WMF
Yesterday
mpic:v0.0.1 was just released!
I'm going to call this done for now, as both the DB user password and OIDC client secret have been committed to the private puppet repo and rendered on the deployment server, and it's not clear that we need anything else atm. Please re-open if we need other secrets.
Thu, Apr 25
Fri, Apr 19
That'd be perfect!
I have added the DB user passwords in the private puppet repo
create database mpic_staging;
grant all privileges on mpic_next.* to `mpic_staging`@`10.%` identified by '[REDACTED]';
flush privileges;
Mon, Apr 8
This should be fixed now. Please re-open if you're seeing the same bug reoccur. Thanks for the report!
Sat, Apr 6
We identified the root cause: in the case of users belonging to a single LDAP group (which is the case for Neil), CAS returns a role list as a string, instead of a list containing a single string.
Fri, Apr 5
@Sfaci could we sync up so that I can get access to the MariaDB user password assigned to your app user, and commit it into the private puppet repo?
Thu, Apr 4
The way the chart is rendered by injecting the values into the templates is by running (when located in ~/path/to/deployment-charts)
❯ cat kafka-config-diff-from-1_1-to-3_5.json | jq 'map(select(.name | contains("socket") or contains("buffer") or contains("thread")))'
[
  {
    "name": "sasl.login.refresh.buffer.seconds",
    "status": "new",
    "description": "The amount of buffer time before credential expiration to maintain when refreshing a credential, in seconds. If a refresh would otherwise occur closer to expiration than the number of buffer seconds then the refresh will be moved up to maintain as much of the buffer time as possible. Legal values are between 0 and 3600 (1 hour); a default value of 300 (5 minutes) is used if no value is specified. This value and sasl.login.refresh.min.period.seconds are both ignored if their sum exceeds the remaining lifetime of a credential. Currently applies only to OAUTHBEARER.",
    "scope": "broker",
    "type": "short",
    "valid_values": null,
    "importance": "medium",
    "update_mode": "per-broker",
    "default (1.1)": "[ABSENT]",
    "default (3.5)": "300"
  },
  {
    "name": "socket.connection.setup.timeout.max.ms",
    "status": "new",
    "description": "The maximum amount of time the client will wait for the socket connection to be established. The connection setup timeout will increase exponentially for each consecutive connection failure up to this maximum. To avoid connection storms, a randomization factor of 0.2 will be applied to the timeout resulting in a random range between 20% below and 20% above the computed value.",
    "scope": "broker",
    "type": "long",
    "valid_values": null,
    "importance": "medium",
    "update_mode": "read-only",
    "default (1.1)": "[ABSENT]",
    "default (3.5)": "30000 (30 seconds)"
  },
  {
    "name": "socket.connection.setup.timeout.ms",
    "status": "new",
    "description": "The amount of time the client will wait for the socket connection to be established. If the connection is not built before the timeout elapses, clients will close the socket channel.",
    "scope": "broker",
    "type": "long",
    "valid_values": null,
    "importance": "medium",
    "update_mode": "read-only",
    "default (1.1)": "[ABSENT]",
    "default (3.5)": "10000 (10 seconds)"
  },
  {
    "name": "socket.listen.backlog.size",
    "status": "new",
    "description": "The maximum number of pending connections on the socket. In Linux, you may also need to configure `somaxconn` and `tcp_max_syn_backlog` kernel parameters accordingly to make the configuration takes effect.",
    "scope": "broker",
    "type": "int",
    "valid_values": "[1,...]",
    "importance": "medium",
    "update_mode": "read-only",
    "default (1.1)": "[ABSENT]",
    "default (3.5)": "50"
  }
]
The philosophy of the scaffolding tools is that in most cases, you should mostly need to tweak things in values.yaml (the chart default values).
https://gerrit.wikimedia.org/r/1017034 introduces a lot of YAML, but bear in mind that this is fully automatically generated, via the following command:
root@deploy2002:~# kube_env admin dse-k8s-eqiad
root@deploy2002:~# kubectl get namespaces | grep mpic
mpic        Active   78m
mpic-next   Active   78m
brouberol@deploy2002:~$ ls -alh /etc/kubernetes/mpic*-dse-k8s-eqiad.config
-rw-r----- 1 mwdeploy deployment 451 Apr 4 09:40 /etc/kubernetes/mpic-deploy-dse-k8s-eqiad.config
-rw-r----- 1 mwdeploy deployment 423 Apr 4 09:40 /etc/kubernetes/mpic-dse-k8s-eqiad.config
-rw-r----- 1 mwdeploy deployment 476 Apr 4 09:40 /etc/kubernetes/mpic-next-deploy-dse-k8s-eqiad.config
-rw-r----- 1 mwdeploy deployment 448 Apr 4 09:40 /etc/kubernetes/mpic-next-dse-k8s-eqiad.config
brouberol@dns1004:~$ host mpic.wikimedia.org
mpic.wikimedia.org is an alias for dyna.wikimedia.org.
dyna.wikimedia.org has address 208.80.154.224
dyna.wikimedia.org has IPv6 address 2620:0:861:ed1a::1
brouberol@dns1004:~$ host mpic-next.wikimedia.org
mpic-next.wikimedia.org is an alias for dyna.wikimedia.org.
dyna.wikimedia.org has address 208.80.154.224
dyna.wikimedia.org has IPv6 address 2620:0:861:ed1a::1
brouberol@dns1004:~$ host mpic-next.svc.eqiad.wmnet
mpic-next.svc.eqiad.wmnet is an alias for k8s-ingress-dse.svc.eqiad.wmnet.
k8s-ingress-dse.svc.eqiad.wmnet has address 10.2.2.91
brouberol@dns1004:~$ host mpic.svc.eqiad.wmnet
mpic.svc.eqiad.wmnet is an alias for k8s-ingress-dse.svc.eqiad.wmnet.
k8s-ingress-dse.svc.eqiad.wmnet has address 10.2.2.91
Also available as JSON
Wed, Apr 3
@mforns I can pick up this work until Ben comes back if necessary, depending on whether you're still blocked or if you have enough to proceed.
On slack, @Sfaci mentioned
About how the application is configured, at this moment, we have only a config.yaml file per environment but I don't know if we should declare some environment variables.
Is there a standard way to use config files for storing environment variables (db connection creds)?
Fri, Mar 29
I've taken care of archiving the gerrit repo
What subdomains will be required @WDoranWMF ?