Page MenuHomePhabricator
Create Task
Maniphest T271847

Improve cleanup behavior on failure for maintain-kubeusers
Closed, ResolvedPublic
Actions

Description

We've seen maintain-kubeusers fail at least twice since we moved etcd to ceph (see T267966). This was caused by an etcd timeout causing it's k8s requests to fail, but it could not continue without manual intervention because it had completed creation of the CSR.

Fix this vulnerability by having it clean up its own messes or recognize the valid CSR and use it instead, whichever is easier or better.

This way, a failure causing a restart will restore functionality (also look for other areas where restart on failure won't work).

Details

SubjectRepoBranchLines +/-
crashes: retry creating CSRs after crasheslabs/tools/maintain-kubeusersmaster+25 -6
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bstorm triaged this task as High priority.Jan 12 2021, 6:26 PM
Bstorm created this task.
gerritbot added a comment.Jan 13 2021, 10:09 PM

Change 656000 had a related patch set uploaded (by Bstorm; owner: Bstorm):
[labs/tools/maintain-kubeusers@master] crashes: retry creating CSRs after crashes

https://gerrit.wikimedia.org/r/656000

gerritbot added a project: Patch-For-Review.Jan 13 2021, 10:09 PM
gerritbot added a comment.Jan 21 2021, 3:18 PM

Change 656000 merged by jenkins-bot:
[labs/tools/maintain-kubeusers@master] crashes: retry creating CSRs after crashes

https://gerrit.wikimedia.org/r/656000

Stashbot added a comment.Jan 21 2021, 3:29 PM

Mentioned in SAL (#wikimedia-cloud) [2021-01-21T15:29:47Z] <bstorm> pushed the maintain-kubeusers:beta tag with the new code to the docker repo T271847

Maintenance_bot removed a project: Patch-For-Review.Jan 21 2021, 4:10 PM
Bstorm added a comment.Jan 21 2021, 11:34 PM

Confirmed this is working on toolsbeta using the toolsctl script. Deploying to tools.

Bstorm closed this task as Resolved.Jan 21 2021, 11:58 PM
Bstorm claimed this task.

Deployed. This shouldn't cause crash loops for this service anymore.

Stashbot added a comment.Jan 21 2021, 11:58 PM

Mentioned in SAL (#wikimedia-cloud) [2021-01-21T23:58:38Z] <bstorm> deployed new maintain-kubeusers to tools T271847

bd808 mentioned this in T275910: maintain-kubeusers fails to recover from interrupted certificate creation due to mismatch between CSR name and delete request.Feb 26 2021, 8:24 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits