Page MenuHomePhabricator
Create Task
Maniphest T265691

[tbs.maintaindbusers] Update maintain-dbusers to create an envvar with replica.my.cnf to be used by buildpack images
Closed, ResolvedPublic
Actions

Description

Now that we have a secrets management service (envvars service), we can make maintain-dbusers put in an envar with the credentials for the database access, that will allow a lot of tools to not need NFS at all and unblock the first NFS-less webservices.

We ended up creating 4 environment variables:

  • TOOL_DATABASE_USER/TOOL_DATABASE_PASSWORD -> user/pass for toolsdb
  • TOOL_REPLICA_USER/TOOL_REPICA_PASSWORD -> user/pass for the replicas (that currently is the same)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
replica_cnf_api: add envvars backendoperations/puppetproduction+443 -63
replica_cnf_api: refactor to use multiple backendsoperations/puppetproduction+1 K -605
Customize query in gerrit

Related Objects
Search...

Event Timeline

Legoktm created this task.Oct 15 2020, 10:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 15 2020, 10:46 PM
Bstorm added a comment.Oct 15 2020, 10:49 PM

One option I just thought of is that the deploy mechanism (or even maintain-kubeusers) could copy the contents into a secret (which is encrypted at rest in our cluster) and then we could mount it into the pod like a file.

Legoktm added a comment.Oct 15 2020, 11:37 PM

Having maintain-kubeusers do it seems nicer as it means the deploy mechanism doesn't have to have access to any secret stuff (I haven't fully reasoned about the security model of it yet though). Is there any overhead/risk to having maintain-kubeusers create all the secrets ahead of time?

Bstorm added a comment.Oct 16 2020, 6:02 PM

There shouldn't be. The secrets are scoped to the namespaces and the only people who can see into them are people who can do so anyway via NFS. They are encrypted in etcd.

The ideal might actually be that the service that creates the credentials in the first place ("maintain-dbusers"...very creative naming conventions are hard) on NFS also creates the secrets in my mind because then they could both be rotated the same way. To do *that*, we'd have to give it a k8s certificate, but that's not hard. We have a script for it as long as the need for the cert and its rotation is added to the docs.

maintain-dbusers needs work this quarter anyway, so it might be a good time to consider adding a new function to create secrets in k8s (probably based on the webservice methods for interacting with it to avoid pip libraries on physical servers).

Legoktm added a comment.Oct 16 2020, 9:38 PM
In T265691#6556070, @Bstorm wrote:

The ideal might actually be that the service that creates the credentials in the first place ("maintain-dbusers"...very creative naming conventions are hard) on NFS also creates the secrets in my mind because then they could both be rotated the same way. To do *that*, we'd have to give it a k8s certificate, but that's not hard. We have a script for it as long as the need for the cert and its rotation is added to the docs.

Sounds good to me.

maintain-dbusers needs work this quarter anyway, so it might be a good time to consider adding a new function to create secrets in k8s (probably based on the webservice methods for interacting with it to avoid pip libraries on physical servers).

Would it make sense to do this before or after that other work?

Bstorm added a comment.Oct 16 2020, 10:55 PM
In T265691#6556788, @Legoktm wrote:.

Would it make sense to do this before or after that other work?

Maybe during? I'll check how bad it is :-D
It's tricky to test because the maintain-dbusers script is a PITA to test. The function to create the secrets is probably not going to be too bad to test.

nskaggs moved this task from Inbox to Soon! on the cloud-services-team (Kanban) board.Oct 20 2020, 4:22 PM
Legoktm renamed this task from Figure out how to provide replica.my.cnf to buildpack images to Update maintain-dbusers to create a k8s secret with replica.my.cnf to be used by buildpack images.Oct 20 2020, 6:57 PM
Legoktm updated the task description. (Show Details)
Andrew triaged this task as Medium priority.Jan 12 2021, 5:10 PM
Andrew moved this task from Soon! to Inbox on the cloud-services-team (Kanban) board.
taavi added a subtask: T291409: [NFS] Update maintain_dbusers so it can run on a VM.Sep 26 2021, 4:39 PM
dcaro added a project: User-dcaro.Oct 18 2021, 1:48 PM
dcaro edited projects, added Toolforge Build Service; removed Toolforge.Oct 18 2021, 2:18 PM
dcaro added a project: Cloud-Services-Origin-Team.Nov 24 2021, 3:25 PM
dcaro added a project: Cloud-Services-Worktype-Project.
dcaro renamed this task from Update maintain-dbusers to create a k8s secret with replica.my.cnf to be used by buildpack images to [tbs.maintaindbusers] Update maintain-dbusers to create a k8s secret with replica.my.cnf to be used by buildpack images.Aug 26 2022, 8:57 AM
dcaro edited parent tasks, added: T267374: [tbs.beta] Create a toolforge build service beta release; removed: T194332: [builds-api,components-api,webservice,jobs-api] Make Toolforge a proper platform as a service with push-to-deploy and build packs.
Raymond_Ndibe added a project: User-Raymond_Ndibe.Dec 7 2022, 2:19 PM
Raymond_Ndibe subscribed.
Raymond_Ndibe removed a project: User-Raymond_Ndibe.Dec 15 2022, 6:49 PM
Raymond_Ndibe added a project: User-Raymond_Ndibe.Jan 17 2023, 9:56 PM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:53 PM
fnegri moved this task from Kanban to Inbox on the cloud-services-team board.
dcaro closed subtask T334578: [toolforge] Create a secrets management offering to avoid storing on NFS as Resolved.May 4 2023, 4:29 PM
dcaro renamed this task from [tbs.maintaindbusers] Update maintain-dbusers to create a k8s secret with replica.my.cnf to be used by buildpack images to [tbs.maintaindbusers] Update maintain-dbusers to create an envvar with replica.my.cnf to be used by buildpack images.Jun 20 2023, 12:18 PM
dcaro updated the task description. (Show Details)
bd808 mentioned this in T339940: Support reading Wiki Replica/ToolsDB credentials from envvars.Jun 20 2023, 3:56 PM
bd808 added a parent task: T339940: Support reading Wiki Replica/ToolsDB credentials from envvars.
fnegri subscribed.Jun 22 2023, 7:14 PM
komla mentioned this in T335249: Toolforge Build Service Beta Rollout To Selected Users.Jun 28 2023, 11:26 PM
gerritbot added a comment.Jun 29 2023, 12:28 PM

Change 933973 had a related patch set uploaded (by David Caro; author: David Caro):

[operations/puppet@production] replica_cnf_api: refactor to use multiple backends

https://gerrit.wikimedia.org/r/933973

gerritbot added a project: Patch-For-Review.Jun 29 2023, 12:28 PM
dcaro changed the task status from Open to In Progress.Jul 3 2023, 4:46 PM
dcaro claimed this task.
dcaro edited projects, added Toolforge Build Service (Iteration 16); removed Toolforge Build Service.
dcaro moved this task from Next Up to In Progress on the Toolforge Build Service (Iteration 16) board.
dcaro moved this task from Iteration 16 to Iteration 17 on the Toolforge Build Service board.Jul 4 2023, 3:19 PM
dcaro edited projects, added Toolforge Build Service (Iteration 17); removed Toolforge Build Service (Iteration 16).
dcaro moved this task from Next Up to In Progress on the Toolforge Build Service (Iteration 17) board.Jul 4 2023, 3:21 PM
Raymond_Ndibe moved this task from In Progress to In Review on the Toolforge Build Service (Iteration 17) board.Jul 5 2023, 2:53 AM
gerritbot added a comment.Jul 7 2023, 8:52 AM

Change 936232 had a related patch set uploaded (by David Caro; author: David Caro):

[operations/puppet@production] WIP: replica_cnf_api: add envvars backend

https://gerrit.wikimedia.org/r/936232

dcaro moved this task from Iteration 17 to Iteration 18 on the Toolforge Build Service board.Aug 8 2023, 1:48 PM
dcaro edited projects, added Toolforge Build Service (Iteration 18); removed Toolforge Build Service (Iteration 17).
dcaro moved this task from Next Up to In Review on the Toolforge Build Service (Iteration 18) board.
gerritbot added a comment.Aug 8 2023, 3:15 PM

Change 933973 merged by David Caro:

[operations/puppet@production] replica_cnf_api: refactor to use multiple backends

https://gerrit.wikimedia.org/r/933973

dcaro changed the status of subtask T344155: [toolforge-weld] Allow passing embedded certs in the kubeconfig from Open to In Progress.Aug 17 2023, 12:25 PM
dcaro changed the status of subtask T344155: [toolforge-weld] Allow passing embedded certs in the kubeconfig from In Progress to Stalled.Aug 28 2023, 2:56 PM
dcaro changed the status of subtask T344155: [toolforge-weld] Allow passing embedded certs in the kubeconfig from Stalled to In Progress.
dcaro closed subtask T344155: [toolforge-weld] Allow passing embedded certs in the kubeconfig as Resolved.Aug 29 2023, 1:25 PM
dcaro edited projects, added Toolforge Build Service (Iteration 19); removed Toolforge Build Service (Iteration 18).Aug 30 2023, 7:40 AM
dcaro moved this task from Next Up to In Review on the Toolforge Build Service (Iteration 19) board.
gerritbot added a comment.Aug 31 2023, 2:49 PM

Change 936232 merged by David Caro:

[operations/puppet@production] replica_cnf_api: add envvars backend

https://gerrit.wikimedia.org/r/936232

Maintenance_bot removed a project: Patch-For-Review.Aug 31 2023, 3:11 PM
dcaro closed this task as Resolved.Sep 1 2023, 7:27 AM
dcaro updated the task description. (Show Details)
dcaro moved this task from In Review to Done on the Toolforge Build Service (Iteration 19) board.

Up and running!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits