Striker is a Django WSGI application with quite a few Python packages as dependencies. It needs to be deployed in the WMF production cluster so that it can securely access the LDAP directory for auth-bind authentication. It will also need access to a MySQL/MariaDB database server. Having memcached available would be useful as well to allow session storage for redundant servers.
Security review: T135784: Security review of Tool Labs console application
Needed services
- LDAP access (read + auth-bind; writes planned for future)
- MySQL/MariaDB (small collection of tables to track authentication, git repos)
- Conduit API access to phabricator.wikimedia.org
- memcached
- pybal? (can probably get away with direct varnish LB if pybal is difficult)
Future services
- LDAP write access
- Elasticsearch (ideally the Tool Labs hosted ES cluster to make sharing data with tools easier)
- Nova API
- TOTP validation (either access to labswiki db on silver or move seeds into LDAP)
- k8s task status/monitoring API
Host sizing
Local disk and processor needs should be light. The current and planned features do not call for any local resource storage. Most activities will be MySQL and/or other external API calls. This might be a good candidate for deployment in a container/VM if that fits with the other network access needs.
Open questions
- What do we call this thing? "Striker" is a codename for the software. In the Tool Labs vision document I called the service console.wmflabs.org. This probably isn't the best name either, as at least in the short/mid-term this application will be focused on Tool Labs rather than Labs generally. Perhaps toolsadmin or toolmanager or something similar?
  - DONE T136256#2442681 Semi-arbitrarily picked toolsadmin.wikimedia.org
- Packaging! Everybody's favorite problem. Can we use wheels and Scap or do we need to figure out how to make debs for all the dependencies?
  - DONE T136256#2442668 Will use Scap and wheels
- Location, location, location. Where on the network should this live? Can this be deployed in the ganeti cluster or does it need bare metal for some reason (like access to things that are both inside and outside of the Labs environment)?
  - DONE T136256#2492355 Will host on californium