Move k8s master to k8s-master.tools.wmflabs.org
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	yuvipanda
	Jul 6 2016, 1:00 PM

Description

Right now it is tools-k8s-master-01.tools.eqiad.wmflabs, which causes a bunch of problems:

SPOF, hard to failover
It uses the puppetmaster CA to sign certificates, which means anything communicating with it over SSL needs to be on tools-puppetmaster-01 (another SPOF!)

Steps to switch:

Create a public IP + assign DNS for the k8s master
Set up SSL certificates using *.tools.wmflabs.org so that the k8s master works properly
Set hiera variable and hand-run puppet to make sure that all the kubelets and kube-proxies switch over properly
Do a find + sed on all .kube/config files

Details

Subject	Repo	Branch	Lines +/-
tools: Don't set CA explicitly for kube2proxy	operations/puppet	production	+2 -4
tools: Use provisioned cert instead of puppet cert	operations/puppet	production	+6 -4
tools: Don't specify CA explicitly for client config	operations/puppet	production	+0 -1
tools: Provision star.tools.wmflabs.org cert for k8s master	operations/puppet	production	+6 -1

Customize query in gerrit

Related Objects

Mentioned In: rOPUPafd3fa804aa7: tools: Don't set CA explicitly for kube2proxy
rOPUP24aefaabec01: tools: Use provisioned cert instead of puppet cert
rOPUP5b6c1f18e67c: tools: Don't specify CA explicitly for client config
rOPUP40b2106a6813: tools: Provision star.tools.wmflabs.org cert for k8s master
rOPUPc2a200eb6284: tools: Don't set CA explicitly for kube2proxy
rOPUP30c444f4871a: tools: Use provisioned cert instead of puppet cert
rOPUPc5d56d30b792: tools: Don't specify CA explicitly for client config
rOPUP3df28ca02124: tools: Provision star.tools.wmflabs.org cert for k8s master
rOPUPf8d42424420a: tools: Use provisioned cert instead of puppet cert
rOPUP2af585fa3272: tools: Provision star.tools.wmflabs.org cert for k8s master

Event Timeline

yuvipanda created this task.Jul 6 2016, 1:00 PM

Restricted Application added a project: Cloud-Services. · View Herald TranscriptJul 6 2016, 1:00 PM

Restricted Application added subscribers: Zppix, Aklapper. · View Herald Transcript

Mentioned in SAL [2016-07-06T13:09:13Z] <yuvipanda> associated a floating IP with tools-k8s-master-01 for T139461

Change 297591 had a related patch set uploaded (by Yuvipanda):
tools: Provision star.tools.wmflabs.org cert for k8s master

https://gerrit.wikimedia.org/r/297591

gerritbot added a project: Patch-For-Review.Jul 6 2016, 1:53 PM

yuvipanda mentioned this in rOPUP2af585fa3272: tools: Provision star.tools.wmflabs.org cert for k8s master.Jul 6 2016, 1:57 PM

Change 297595 had a related patch set uploaded (by Yuvipanda):
tools: Use provisioned cert instead of puppet cert

https://gerrit.wikimedia.org/r/297595

yuvipanda mentioned this in rOPUPf8d42424420a: tools: Use provisioned cert instead of puppet cert.Jul 6 2016, 2:10 PM

Change 297600 had a related patch set uploaded (by Yuvipanda):
tools: Don't specify CA explicitly for client config

https://gerrit.wikimedia.org/r/297600

yuvipanda mentioned this in rOPUP3df28ca02124: tools: Provision star.tools.wmflabs.org cert for k8s master.Jul 6 2016, 2:45 PM

yuvipanda mentioned this in rOPUPc5d56d30b792: tools: Don't specify CA explicitly for client config.

yuvipanda mentioned this in rOPUP30c444f4871a: tools: Use provisioned cert instead of puppet cert.

Change 297611 had a related patch set uploaded (by Yuvipanda):
tools: Don't set CA explicitly for kube2proxy

https://gerrit.wikimedia.org/r/297611

yuvipanda mentioned this in rOPUPc2a200eb6284: tools: Don't set CA explicitly for kube2proxy.Jul 6 2016, 4:31 PM

Change 297591 merged by Yuvipanda:
tools: Provision star.tools.wmflabs.org cert for k8s master

https://gerrit.wikimedia.org/r/297591

Change 297600 merged by Yuvipanda:
tools: Don't specify CA explicitly for client config

https://gerrit.wikimedia.org/r/297600

Change 297595 merged by Yuvipanda:
tools: Use provisioned cert instead of puppet cert

https://gerrit.wikimedia.org/r/297595

Change 297611 merged by Yuvipanda:
tools: Don't set CA explicitly for kube2proxy

https://gerrit.wikimedia.org/r/297611

yuvipanda mentioned this in rOPUP40b2106a6813: tools: Provision star.tools.wmflabs.org cert for k8s master.Jul 6 2016, 5:23 PM

yuvipanda mentioned this in rOPUP5b6c1f18e67c: tools: Don't specify CA explicitly for client config.

yuvipanda mentioned this in rOPUP24aefaabec01: tools: Use provisioned cert instead of puppet cert.

yuvipanda mentioned this in rOPUPafd3fa804aa7: tools: Don't set CA explicitly for kube2proxy.

Done!

• Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:41 PM

Move k8s master to k8s-master.tools.wmflabs.orgClosed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

Move k8s master to k8s-master.tools.wmflabs.org
Closed, ResolvedPublic
Actions