Page MenuHomePhabricator
Create Task
Maniphest T262562

[infra] Fix the mis-named k8s service in tools and toolsbeta projects
Open, MediumPublic
Actions

Description

We created the new Toolforge Kubernetes with a DNS name that doesn't follow convention back in T236826: Toolforge: new k8s: initial build of the new kubernetes cluster.

The existing name is k8s.tools.eqiad1.wikimedia.cloud and it should be k8s.svc.tools.eqiad1.wikimedia.cloud. We did the same thing with toolsbeta.

Unfortunately everyone's config has the existing name, and I'm sure maintain-kubeusers doesn't know how to switch it without some development. The cluster has a name, but I *think* that name is entirely different anyway. We may be fine there, but we'd want to be careful about puppet, user auth and similar.

Related Objects
Search...

Event Timeline

Bstorm triaged this task as Medium priority.Sep 10 2020, 4:05 PM
Bstorm created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 10 2020, 4:05 PM
Bstorm added a subscriber: aborrero.Sep 10 2020, 4:07 PM
Bstorm mentioned this in T262550: Toolforge returns HTTP 502 error.Sep 10 2020, 4:44 PM
Bstorm added a parent task: T262550: Toolforge returns HTTP 502 error.Sep 10 2020, 4:46 PM
Bstorm added a comment.Sep 10 2020, 4:59 PM

When this is fixed here and in toolsbeta, we should revert https://gerrit.wikimedia.org/r/c/operations/puppet/+/626399

bd808 updated the task description. (Show Details)Sep 10 2020, 5:00 PM
Bstorm renamed this task from Fix the mis-named k8s service in tools project to Fix the mis-named k8s service in tools and toolsbeta projects.Sep 10 2020, 5:01 PM
Bstorm updated the task description. (Show Details)
taavi claimed this task.May 13 2021, 7:37 AM
taavi subscribed.

Started the work on this with https://gerrit.wikimedia.org/r/c/operations/puppet/+/687003

Restricted Application added a project: User-Majavah. · View Herald TranscriptMay 13 2021, 7:37 AM
Bstorm added a comment.May 13 2021, 3:51 PM

The init file info should be manually edited into the configmap so that when we upgrade, the change takes effect. (just saying it here so it's known to all, including those who didn't read the patch chatter).

Stashbot added a comment.May 15 2021, 7:52 AM

Mentioned in SAL (#wikimedia-cloud) [2021-05-15T07:52:07Z] <Majavah> set profile::wmcs::kubeadm::control::apiserver_cert_alternative_names hiera key and adjust config map T262562

taavi added a comment.Aug 6 2021, 5:58 PM

Updating the config map seems to have done nothing even after two Kubernetes upgrades. The documentation says that renewing certificates will use the previous certs as source for the data. So I wonder if we need to replace the control nodes to get completely new certificates?

Bstorm added a comment.EditedAug 6 2021, 6:24 PM

We can manually replace them. It's not a lot of fun, but I've done it before. That said, replacing the control plane is effectively replacing the cluster since the entire cluster's PKI is based on it. OK, maybe not entirely because you can preserve the CA...

I mean, I did it with openssl. Other apps are a lot easier, and you could double check your products before moving the new certs in place (comparing the -text output). If the cluster keys off the old certs for source data, that should work.

The only thing that might be nice is testing a kubeadm certs refresh in toolsbeta after the manually created certs are in place. That plays the phase that kubeadm uses for upgrades, so we'll know for sure if we have succeeded :)

Bstorm added a comment.Aug 6 2021, 6:40 PM

So yeah, I propose we try just making new certs and keys based on the cluster CA and try inserting them then renewing them with kubeadm to see how it acts.

bd808 moved this task from Backlog to In Progress on the Toolforge board.Aug 10 2022, 5:03 PM
bd808 moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.Sep 27 2022, 9:31 PM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 7:25 PM
fnegri moved this task from Kanban to Doing? (legacy column) on the cloud-services-team board.
fnegri moved this task from Doing? (legacy column) to Inbox on the cloud-services-team board.Jan 19 2023, 1:02 PM
taavi removed taavi as the assignee of this task.Sep 18 2023, 5:35 PM
taavi claimed this task.

I'm still planning to do this when we next refresh the toolforge control plane nodes.

taavi moved this task from In Progress to Ready to be worked on on the Toolforge board.Nov 7 2023, 2:21 PM
dcaro moved this task from Ready to be worked on to Workspace for triaging whenever needed on the Toolforge board.Jan 24 2024, 1:50 PM
taavi added a subtask: T284656: Toolforge k8s: Migrate workers to Containerd and Bookworm.Jan 26 2024, 11:02 AM
dcaro moved this task from Workspace for triaging whenever needed to Ready to be worked on on the Toolforge board.Feb 21 2024, 4:04 PM
aborrero closed subtask T284656: Toolforge k8s: Migrate workers to Containerd and Bookworm as Resolved.Feb 26 2024, 10:52 AM
dcaro renamed this task from Fix the mis-named k8s service in tools and toolsbeta projects to [toolforge,k8s] Fix the mis-named k8s service in tools and toolsbeta projects.Mar 5 2024, 4:11 PM
dcaro renamed this task from [toolforge,k8s] Fix the mis-named k8s service in tools and toolsbeta projects to [infra] Fix the mis-named k8s service in tools and toolsbeta projects.Mar 5 2024, 5:15 PM
taavi removed taavi as the assignee of this task.Tue, Jun 25, 3:35 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits