
Create three Okapi sub-domains (okapi*.wikimedia.org)
Closed, Invalid, Public

Description

Hi there -

The Okapi team is hosting our alpha project and we need a series of subdomains on Wikimedia to attach to our project as we start pushing our project into production.

Currently we need three subdomains to host our alpha project, external APIs, and internal APIs.

  • okapi.wikimedia.org
  • okapi-api.wikimedia.org
  • okapi-internal.wikimedia.org

Let me know if you need anything else here from me.

Best,
Ryan

Event Timeline

Restricted Application added a subscriber: Aklapper.

I'm presuming these aren't going to be MediaWiki wikis underneath etc?

Where do these domains want to point? While they can be "parked", there's not a great deal to do until there's something to point them... For example, is there a request anywhere (yet?) for servers/vms etc?

jbond triaged this task as Medium priority. Dec 9 2020, 12:13 PM
jbond added a subscriber: jbond.

Yep, you are totally right, no MediaWiki wikis underneath.

Those will point to different IP addresses. We'll just allocate those and provide them to you.

Can I ask how you're going to do HTTPS on them?

HSTS is enabled for wikimedia.org, and for subdomains, so HTTPS will be required.

$ curl -I https://www.wikimedia.org | grep -i Strict
strict-transport-security: max-age=106384710; includeSubDomains; preload
$ curl -I https://wikimedia.org | grep -i Strict 
strict-transport-security: max-age=106384710; includeSubDomains; preload

And unless we put it to a parking domain/site, nothing can be done here until the IPs are given for the entries to be created.

And IIRC offhand, SRE might have to potentially whitelist your choice of TLS cert provider/help issue those...
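What the `includeSubDomains` directive in that header means for the three requested names, as an added example that is not part of the original thread: it parses the header value quoted above following the RFC 6797 rules and checks which hosts a browser holding that policy would force onto HTTPS. The function names `parse_hsts` and `hsts_applies` are hypothetical.

```python
# Added example, not code from the task. Offline: the header is embedded.
HEADER = "max-age=106384710; includeSubDomains; preload"  # from the curl output
POLICY_HOST = "wikimedia.org"
REQUESTED = ["okapi.wikimedia.org", "okapi-api.wikimedia.org",
             "okapi-internal.wikimedia.org"]  # names requested in the task


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a policy dict.

    Directive names are case-insensitive; a missing, repeated or
    non-numeric max-age makes the whole header invalid (returns None).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # a directive may appear only once
            return None
        directives[name] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives,
            # "preload" is the preload-list token, not an RFC 6797 directive
            "preload": "preload" in directives}


def hsts_applies(host, policy_host, policy):
    """True if a browser that stored `policy` for `policy_host` would force
    HTTPS for `host`: exact match, or a subdomain when includeSubDomains is set."""
    if policy is None or policy["max_age"] == 0:  # max-age=0 deletes the policy
        return False
    host = host.lower().rstrip(".")
    policy_host = policy_host.lower().rstrip(".")
    if host == policy_host:
        return True
    # The leading dot stops look-alikes such as notwikimedia.org from matching.
    return policy["include_subdomains"] and host.endswith("." + policy_host)


if __name__ == "__main__":
    policy = parse_hsts(HEADER)
    for name in REQUESTED:
        print(name, "-> HTTPS forced:", hsts_applies(name, POLICY_HOST, policy))
```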

I was thinking of https://certbot.eff.org/ or something like that for HTTPS. But we are flexible in that manner so if there are some preferences we can definitely work things out.
Let me check a couple of things and get back to you with IPs.
That's really helpful thanks a lot.

There's probably a lot of context missing here, although we can gather some from https://www.mediawiki.org/wiki/Okapi and https://meta.wikimedia.org/wiki/Okapi . Perhaps we could get a primer on where the project is at, what temporary purpose these names will be put to, where the IPs will be hosted at, what kind of software stack is deployed, and processes around deployment and management?

There are some confusing signals in the original request: wikimedia.org has organizational and security implications in the real world and is thus definitionally a production concern, while "alpha project" implies something intentionally done without much care or scrutiny, and "start pushing our project into production" implies crossing some reasonable review barriers by a lot of teams for how it impacts everything else we do. What are the external vs internal APIs and who/what is consuming them now or in the future? Why are there three different hostnames for this one service (and on a lighter note, why does one of them say "api" twice in its name)? Is that an attempt at some kind of security or privilege isolation between different accessing parties based on network ACLs? Maybe we should pause here briefly and have some kind of sync-up to understand?

Aklapper renamed this task from Okapi Domains to Create three Okapi sub-domains (okapi*.wikimedia.org). Dec 16 2020, 11:41 PM