Page MenuHomePhabricator
Create Task
Maniphest T278686

Fix scap canary checks on beta cluster (Check failed: returned 302, expecting: 200)
Closed, ResolvedPublic
Actions

Description

At https://integration.wikimedia.org/ci/job/beta-scap-sync-world/

Scap canary checks always fail on the beta cluster:

13:30:48 10:30:48 Check 'Check endpoints for deployment-mediawiki11.deployment-prep.eqiad1.wikimedia.cloud' failed: /wiki/{title} (Main Page) is CRITICAL: Test Main Page returned the unexpected status 302 (expecting: 200); /wiki/{title} (Special Version) is CRITICAL: Test Special Version returned the unexpected status 302 (expecting: 200)

That's a redirect from http to https, mediawiki_canary_swagger_url uses http in wmcs and https in production.

Details

SubjectRepoBranchLines +/-
scap: Use https for beta swagger checksoperations/puppetproduction+2 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

taavi created this task.Mar 29 2021, 10:56 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 29 2021, 10:56 AM
taavi added a subtask: T206158: Investigate setting up HTTPS directly on beta appservers.Mar 30 2021, 5:56 AM
Krinkle renamed this task from Fix scap canary checks on beta cluster to Fix scap canary checks on beta cluster (Check failed: returned 302, expecting: 200).May 14 2021, 9:00 PM
Krinkle updated the task description. (Show Details)
Krinkle subscribed.
Krinkle added a comment.May 14 2021, 9:05 PM

For other people's context (I believe Majavah knows this already) - the reason this has been left broken for so long is that neither HTTP nor HTTPS works from Scap's point of view.

When scap targets localhost with an HTTP url, you get a connection but none of the expected HTTP 200 responses (MW will redirect to HTTPS in beta, just like it does in prod).

When scap targets localhost with an HTTPS url, it would work, if not for the fact that we never get to MW because the beta appservers don't yet support valid TLS connections.

taavi added a comment.EditedMay 15 2021, 6:14 AM

The servers got cfssl certificates in the subtask, but guess they need alternative names too for the wikis?

taavi@deployment-deploy01:~$ service-checker-swagger deployment-mediawiki11.deployment-prep.eqiad1.wikimedia.cloud https://en.wikipedia.beta.wmflabs.org -s /spec.yaml
[...]
ssl.CertificateError: hostname 'en.wikipedia.beta.wmflabs.org' doesn't match 'appservers.svc.deployment-prep.eqiad1.wikimedia.cloud'
[...]

I tried adding them (efecf3a6ff78) but wildcards are somehow not yet functional, filed T282930 for that.

taavi claimed this task.May 17 2021, 1:05 PM
Restricted Application added a project: User-Majavah. · View Herald TranscriptMay 17 2021, 1:05 PM
gerritbot added a comment.May 17 2021, 1:05 PM

Change 692318 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] scap: Use https for beta swagger checks

https://gerrit.wikimedia.org/r/692318

gerritbot added a project: Patch-For-Review.May 17 2021, 1:05 PM
gerritbot added a comment.May 17 2021, 1:55 PM

Change 692318 merged by Jbond:

[operations/puppet@production] scap: Use https for beta swagger checks

https://gerrit.wikimedia.org/r/692318

Maintenance_bot removed a project: Patch-For-Review.May 17 2021, 2:11 PM
taavi closed this task as Resolved.May 17 2021, 2:20 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL