Configure Neutron VIP ports for tools and toolsbeta k8s haproxies
Closed, Resolved (Public)

Description

VIPs were created by Arturo:

261bee38-7b03-4af1-ba28-6c15c082f812 172.16.2.161 toolsbeta-k8s-haproxy-keepalived-vip
67189dc3-5d51-46b3-b431-7022905177d1 172.16.6.113 tools-k8s-haproxy-keepalived-vip

Now they need to be configured to VMs:

aborrero@cloudcontrol1005:~ $ sudo wmcs-openstack --os-project-id toolsbeta server list | grep haproxy
| 9f103a2a-dfde-470a-b2ae-06f44a9b9e98 | toolsbeta-test-k8s-haproxy-4       | ACTIVE | lan-flat-cloudinstances2b=172.16.6.136               | debian-10.0-buster                         | g3.cores2.ram4.disk20                |
| 4ba594d7-7474-47dd-b359-302335f57c1d | toolsbeta-test-k8s-haproxy-3       | ACTIVE | lan-flat-cloudinstances2b=172.16.3.41                | debian-10.0-buster                         | g3.cores2.ram4.disk20                |
| 95f23fb7-3b84-4f2b-9802-11b385247c1e | toolsbeta-test-k8s-haproxy-2       | ACTIVE | lan-flat-cloudinstances2b=172.16.0.169               | debian-10.0-buster (deprecated 2019-12-15) |                                      |
| ba228903-c8a6-41d2-bec0-c43aec863ad0 | toolsbeta-test-k8s-haproxy-1       | ACTIVE | lan-flat-cloudinstances2b=172.16.0.146               | debian-10.0-buster (deprecated 2019-12-15) |                                      |
aborrero@cloudcontrol1005:~ 3s $ sudo wmcs-openstack --os-project-id toolsbeta port list | grep 172.16.6.136
| 42eeea77-6d0d-4c71-aba8-a85cc2ba10d1 |                                                    | fa:16:3e:02:1f:c7 | ip_address='172.16.6.136', subnet_id='a69bdfad-d7d2-4cfa-8231-3d6d3e0074c9' | ACTIVE |
aborrero@cloudcontrol1005:~ $ sudo wmcs-openstack --os-project-id toolsbeta port list | grep 172.16.3.41
| 71846912-5bda-41d4-a9dd-c494835a1660 |                                                    | fa:16:3e:e6:85:de | ip_address='172.16.3.41', subnet_id='a69bdfad-d7d2-4cfa-8231-3d6d3e0074c9'  | ACTIVE |

But policy seems broken:

13:12:32 <arturo> the command is almost fine :-) however I'm hitting a policy filter
13:12:39 <arturo> aborrero@cloudcontrol1005:~ 2s 1 $ sudo wmcs-openstack --os-project-id toolsbeta port set --allowed-address ip-address=172.16.2.161 42eeea77-6d0d-4c71-aba8-a85cc2ba10d1
13:12:39 <arturo> HttpException: 403: Client Error for url: http://openstack.eqiad1.wikimediacloud.org:9696/v2.0/ports/42eeea77-6d0d-4c71-aba8-a85cc2ba10d1, (rule:update_port and (rule:update_port:allowed_address_pairs and (rule:update_port:allowed_address_pairs:ip_address))) is disallowed by policy

Event Timeline

aborrero added a subscriber: Andrew.

@Andrew might be the last person who updated the API policy, may know offhand what to modify.

Majavah assigned this task to Andrew.
Majavah updated the task description.

(edit conflict)

Mentioned in SAL (#wikimedia-cloud) [2021-05-07T13:51:41Z] <andrewbogott> add inherited 'admin' right to novaadmin user throughout eqiad1. I was trying to narrow down the rights here but lack of admin breaks some workflows, e.g. T281894 and T282235

Should be fixed by that