Page MenuHomePhabricator

Access to the thanos-swift cluster for ChartMuseum
Closed, ResolvedPublic

Description

I would like to use the thanos swift cluster as storage back-end for chartmuseum (https://chartmuseum.com/docs/#using-with-openstack-object-storage). If the S3 API is a better choice, that's fine too.

  • ChartMuseum will be deployed active/active in both DCs.
  • ChartMuseum will act as proxy to swift, so no direct client connections.
  • Currently we have ~291 objects with a total of ~3.5MB which I expect to slowly increase.
  • I/O will be mostly reads, writes will happen only on push of a new chart.
  • The data that will be stored can be (with some effort) regenerated from git, but swift will be the "authoritative" storage for the artifacts (chart tgz's).

Event Timeline

JMeybohm created this task.Mon, Jun 22, 4:11 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMon, Jun 22, 4:11 PM

Generally LGTM as a use case.

Is there PII/private data in the charts or you expect to? I'm pointing this out because while connections to the swift frontend must use https, the multi-site replication happens in plain text.

re: API, both S3 (with "v2 signatures") and swift should work. For the latter we are using "tempauth" authentication (not keystone) in case that makes a difference on the ChartMuseum side. The easiest is likely to set things up and give both a try though!

We don't expect private data in the charts at all.
In addition, they are already publicly accessible via https://releases.wikimedia.org/charts/ and https://gerrit.wikimedia.org/g/operations/deployment-charts ofc.

I'm still working on the puppet integration for ChartMuseum but I'm happy to test beforehand to make a decision on what API to use/configure. Do you need anything from me/how do we proceed?

We don't expect private data in the charts at all.
In addition, they are already publicly accessible via https://releases.wikimedia.org/charts/ and https://gerrit.wikimedia.org/g/operations/deployment-charts ofc.

I'm still working on the puppet integration for ChartMuseum but I'm happy to test beforehand to make a decision on what API to use/configure. Do you need anything from me/how do we proceed?

The easiest way is to create an account at hieradata/common/profile/thanos/swift.yaml and the corresponding private material both in private.git on the puppetmaster and on the public/labs private.git. After that is merged I can help with deployment (essentially a rolling restart of swift-proxy on thanos-fe*).

Then you can create containers with the credentials above, there's SSD-based storage too available for containers which we can do in this case.

Change 607467 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/puppet@production] profile: thanos::swift::frontend add account for chartmuseum

https://gerrit.wikimedia.org/r/607467

Change 607468 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[labs/private@master] thanos::swift add chartmuseum account key

https://gerrit.wikimedia.org/r/607468

Commit in private is e427c266f2d6ac0a937bf5d972b759933a9f9a18

Change 607468 merged by JMeybohm:
[labs/private@master] thanos::swift add chartmuseum account key

https://gerrit.wikimedia.org/r/607468

Change 607467 merged by JMeybohm:
[operations/puppet@production] profile: thanos::swift::frontend add account for chartmuseum

https://gerrit.wikimedia.org/r/607467

Mentioned in SAL (#wikimedia-operations) [2020-06-24T15:20:40Z] <jayme> rolling restart of swift-proxy on thanos-fe[2001-2003].codfw.wmnet,thanos-fe[1001-1003].eqiad.wmnet - T256020

JMeybohm closed this task as Resolved.Fri, Jun 26, 3:25 PM
JMeybohm claimed this task.

This is done and the account is working, thanks @fgiunchedi !