At one point, scandium used to have http://parsoid-rt-tests.wikimedia.org/ pointed at the parsoid-rt webservice web UI. But, once scandium became a mediawiki appserver, and since parsoid's rt test services aren't as heavily security hardened or tested or updated compared to production code, we decided to disable that public web access as part of this patch.
Now, as we move the parsoid-rt and parsoid-rt-client node services away from scandium onto testreduce1001, we can revisit this decision. testreduce1001 is not (need not be) a mediawiki app server and doesn't need to run PHP code at all. Right now parsoid-rt on testreduce1001 continues to connect to a database hosted on a production database server. However, as noted in T257906#6390890 parsoid-rt on testreduce1001 can simply connect to a local database on testreduce1001 and be completely isolated from any production services (but it still needs enough access to be able to issue Parsoid REST API requests to scandium).
So, here are some tasks:
- Enable mysql/maraiadb on testreduce1001
- Create a new database
- Initialize this with a fresh set of test titles
- Revert some version of https://gerrit.wikimedia.org/r/c/operations/puppet/+/534271 to enable the webserver on testreduce1001 and to point parsoid-rt-tests.wikimedia.org to parsoid-rt webserver UI
- create certificate for testreduce.discovery.wmnet in private repo, copy to public repo, create fake cert in labs/private
- add testreduce.discovery.wmnet in DNS and point to testreduce1001
- add envoy on backend for TLS termination and let it speak to 8001 on nginx as upstream
- add parsoid-rt-tests to the envoy TLS cert for testreduce.discovery.wmnet
This is not high priority and if any of this work is cumbersome or involves a lot of work, feel free to decline. And, this can also be done after the parent task is resolved as well. So free to edit / update the task as appropriate.