Page MenuHomePhabricator
Create Task
Maniphest T293649

[tbs.harbor] Pre-create namespaces
Closed, ResolvedPublic5 Estimated Story Points
Actions

Description

We need a way to create the harbor projects for the users to be able to push their images to them.

This can be done beforehand or on-demand. Some ideas:

On-demand

Creating it when the first run is triggered, from the webservice cli

Advantages:

  • Only created when it's actually needed

Disadvantages:

  • Needs credentials to create the project, as it currently is, the cli will need access to those.

Creating it from the validation hook

Advantages:

  • Only created when it's actually needed
  • Secrets remain in the validation hook

Disadvantages:

  • Hand to debug/troubleshoot
  • Delay-sesitive part of the process

Creating it from another (new) service

Advantages:

  • Only created when it's actually needed
  • Secrets remain in the admin side of things
  • This might be the way things should go (thinning the cli and moving to a service)

Disadvantages:

  • New service to maintain (even if it's small)

Beforehand

maintain-kubeusers script [1]:

Advantages:

  • It does not slow down any of the user processes

Disadvantages:

  • It might not have run yet when the user tries to run a build
  • It will create all the projects at once, when most of them might not be needed
  • Might be long and heavy (listing and checking all projects, creating all projects, ~3k tools)

Our own cronjob

Advantages:

  • Clearer separation

Disadvantages:

  • Not reusing mainainkubeusers (not sure how much we can reuse though)

Decision

We decided to go with the dedicated cronjob, as it's the simplest, clearest and does not require exposing any credentials to users.
This entails:

  • Creating the dedicated toolforge tool (maintain-harbor)
  • Create the robot account with "powers" to create the namespaces
  • Create the script to pull the tools list from ldap and create the namespaces
  • Set up a toolforge job that runs that script
  • Add the entry to the toolhub list https://toolhub.wikimedia.org/lists/192

[1] https://gerrit.wikimedia.org/r/plugins/gitiles/labs/tools/maintain-kubeusers/

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedLucasWerkmeisterT320140 Migrate wd-shex-infer from Toolforge GridEngine to Toolforge Kubernetes
 ResolvedmatmarexT319707 Migrate dtcheck from Toolforge GridEngine to Toolforge Kubernetes
 ResolvedLegoktmT320062 Migrate steve-adder from Toolforge GridEngine to Toolforge Kubernetes
 ResolvedLegoktmT320011 Migrate rfa-voting-history from Toolforge GridEngine to Toolforge Kubernetes
 OpendcaroT194332 [Epic,builds-api,components-api,webservice,jobs-api] Make Toolforge a proper platform as a service with push-to-deploy and build packs
 ResolveddcaroT267374 [tbs.beta] Create a toolforge build service beta release
 ResolvedRaymond_NdibeT324827 tbs: user-story 3 - I want to cancel the build using the toolforge build cancel feature
 ResolveddcaroT324833 tbs: user-story 5 - I want to check the status of a given build using the toolforge build show feature.
 ResolveddcaroT324830 tbs: user-story 4 - I want to check the status of the last build using the toolforge build show feature
 ResolveddcaroT324823 tbs: user-story 2 - Feature: I can start a new build from a git url
 ResolveddcaroT324834 tbs: user-story 6 - I want to start a webservice with the image I built earlier.
 ResolvedRaymond_NdibeT293645 [tbs.webservice] Modify the webservice cli to allow the deployment of custom images from harbor
 ResolvedRaymond_NdibeT316327 [tbs] Deploy on tools
 ResolveddcaroT316325 [tbs.buildservice.toolsbeta] Deploy on toolsbeta
 ResolvedRaymond_NdibeT316326 [tbs.buildservice] Ensure we use the deploy.sh standard
 ResolvedRaymond_NdibeT332347 Duplicate the maintain-harbor deployment for "tools"
 ResolvedfnegriT316323 [tbs.harbor.tools] Replicate toolsbeta harbor deployment
 ResolvedfnegriT332208 [tbs] Harbor broken in toolsbeta because of missing db password
 ResolvedRaymond_NdibeT334657 Add a `tool-` prefix to Harbor namespaces
 ResolvedNoneT265681 [tbs.tools] Deploy a tool using a buildpack-based image on Toolforge
 ResolveddcaroT316330 [tbs.toolsbeta] Deploy a tool using a buildpack-based image on Toolsbeta
 ResolveddcaroT267616 [tbs.harbor] Puppetize the toolsbeta installation
 ResolvedAndrewT267618 Request increased quota for toolsbeta Cloud VPS project
 ResolvedSlst2020T316232 [tbs.harbor.toolsbeta] Create a postgres DB with trove and plug the current instance there
 ResolveddcaroT316233 [tbs.harbor.toolsbeta] Create a cinder volume and put there the storage for the container images
 ResolvedRaymond_NdibeT293649 [tbs.harbor] Pre-create namespaces
 ResolvedRaymond_NdibeT316339 [tbs.registry-admission.tools] Allow images from harbor on tools
 ResolvedRaymond_NdibeT323689 [webservice] Allow configuring the image registry used to pull
 ResolveddcaroT324566 [webservice] Figure out how to configure depending on the environment it's running
 ResolveddcaroT325141 tbs: user-story 6 - Build and deploy the modified webservice to toolsbeta
 ResolveddcaroT325142 tbs: user-story 6 - Build and deploy the modified webservice to tools

Event Timeline

dcaro created this task.Oct 18 2021, 2:58 PM
dcaro removed dcaro as the assignee of this task.Oct 19 2021, 1:45 PM
dcaro removed a project: User-dcaro.
dcaro added a project: User-dcaro.Nov 24 2021, 2:58 PM
dcaro added a project: Cloud-Services-Origin-Team.Nov 24 2021, 3:25 PM
dcaro added a project: Cloud-Services-Worktype-Project.
dcaro renamed this task from [webservice] Update maintain-kubeusers (or similar) to create the tools namespaces in harbor to [tbs][poc]Find a way to create and maintain the harbor namespaces.Dec 6 2021, 10:49 AM
dcaro updated the task description. (Show Details)
dcaro moved this task from To refine to Refined on the User-dcaro board.
dcaro renamed this task from [tbs][poc]Find a way to create and maintain the harbor namespaces to [tbs.maintainkubeusers]Create harbor namespaces using maintainkubeusers script.Aug 26 2022, 8:16 AM
dcaro removed a subscriber: Bstorm.
dcaro added a parent task: T315720: DWL irc-buster VM did not come back up from unexpected cloudvirt reboot.Aug 26 2022, 8:17 AM
dcaro added a parent task: T316330: [tbs.toolsbeta] Deploy a tool using a buildpack-based image on Toolsbeta.Aug 26 2022, 9:44 AM
dcaro removed parent tasks: T315720: DWL irc-buster VM did not come back up from unexpected cloudvirt reboot, T267374: [tbs.beta] Create a toolforge build service beta release.
dcaro moved this task from Backlog to To be Discussed on the Toolforge Build Service board.Oct 19 2022, 12:33 PM
dcaro updated the task description. (Show Details)Nov 22 2022, 2:26 PM
dcaro updated the task description. (Show Details)
dcaro updated the task description. (Show Details)Nov 22 2022, 2:31 PM
dcaro updated the task description. (Show Details)Nov 22 2022, 2:37 PM
Raymond_Ndibe renamed this task from [tbs.maintainkubeusers]Create harbor namespaces using maintainkubeusers script to Create harbor namespaces using any method agreed by the team.Nov 22 2022, 2:37 PM
Raymond_Ndibe updated the task description. (Show Details)
Raymond_Ndibe subscribed.Nov 22 2022, 2:39 PM

just for documentation sake incase we forget, the custom cronjob approach is currently the preferred approach, but that might change later

dcaro renamed this task from Create harbor namespaces using any method agreed by the team to [tbs.maintainkubeusers] Pre-create harbor namespaces.Nov 22 2022, 2:42 PM
dcaro updated the task description. (Show Details)
dcaro updated the task description. (Show Details)Nov 22 2022, 3:03 PM
dcaro updated the task description. (Show Details)
dcaro updated the task description. (Show Details)
KHernandez-WMF set the point value for this task to 5.Nov 22 2022, 5:51 PM
KHernandez-WMF moved this task from To be Discussed to Iteration 05 on the Toolforge Build Service board.
KHernandez-WMF edited projects, added Toolforge Build Service (Iteration 05); removed Toolforge Build Service.
dcaro claimed this task.Dec 1 2022, 9:58 AM
dcaro moved this task from Next Up to In Progress on the Toolforge Build Service (Iteration 05) board.
dcaro changed the task status from Open to In Progress.Dec 1 2022, 9:59 AM
dcaro moved this task from Refined to Doing on the User-dcaro board.
KHernandez-WMF moved this task from Iteration 05 to Iteration 06 on the Toolforge Build Service board.Dec 7 2022, 3:26 PM
KHernandez-WMF edited projects, added Toolforge Build Service (Iteration 06); removed Toolforge Build Service (Iteration 05).
KHernandez-WMF moved this task from Next Up to In Progress on the Toolforge Build Service (Iteration 06) board.
dcaro removed dcaro as the assignee of this task.Dec 8 2022, 9:30 AM
dcaro moved this task from In Progress to Next Up on the Toolforge Build Service (Iteration 06) board.
dcaro changed the task status from In Progress to Open.Dec 8 2022, 9:36 AM
dcaro moved this task from Doing to Refined on the User-dcaro board.Dec 8 2022, 9:40 AM
dcaro added a parent task: T324823: tbs: user-story 2 - Feature: I can start a new build from a git url.Dec 9 2022, 10:08 AM
dcaro renamed this task from [tbs.maintainkubeusers] Pre-create harbor namespaces to [tbs.harbor] Pre-create harbor namespaces.Dec 15 2022, 1:16 PM
dcaro renamed this task from [tbs.harbor] Pre-create harbor namespaces to [tbs.harbor] Pre-create namespaces.
Raymond_Ndibe claimed this task.Dec 15 2022, 6:22 PM
Raymond_Ndibe added a project: User-Raymond_Ndibe.
KHernandez-WMF mentioned this in T324823: tbs: user-story 2 - Feature: I can start a new build from a git url.Dec 15 2022, 7:49 PM
KHernandez-WMF moved this task from Iteration 06 to Iteration 07 on the Toolforge Build Service board.Dec 20 2022, 4:57 PM
KHernandez-WMF edited projects, added Toolforge Build Service (Iteration 07); removed Toolforge Build Service (Iteration 06).
Raymond_Ndibe added a comment.Jan 6 2023, 5:48 PM

patch submitted here https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-harbor/-/merge_requests/1

Raymond_Ndibe moved this task from Next Up to In Review on the Toolforge Build Service (Iteration 07) board.Jan 6 2023, 5:48 PM
Raymond_Ndibe moved this task from Backlog to In Review on the User-Raymond_Ndibe board.
KHernandez-WMF moved this task from Iteration 07 to Iteration 08 on the Toolforge Build Service board.Jan 10 2023, 6:22 PM
KHernandez-WMF edited projects, added Toolforge Build Service (Iteration 08); removed Toolforge Build Service (Iteration 07).
KHernandez-WMF moved this task from Next Up to In Review on the Toolforge Build Service (Iteration 08) board.
Raymond_Ndibe moved this task from In Review to Done on the Toolforge Build Service (Iteration 08) board.Jan 18 2023, 2:26 PM
Raymond_Ndibe moved this task from Done to In Review on the Toolforge Build Service (Iteration 08) board.Jan 18 2023, 2:30 PM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:45 PM
fnegri moved this task from Kanban to Inbox on the cloud-services-team board.
Slst2020 moved this task from In Review to Done on the Toolforge Build Service (Iteration 08) board.Jan 19 2023, 2:15 PM
KHernandez-WMF closed this task as Resolved.Jan 23 2023, 7:06 PM
aborrero subscribed.Mar 8 2023, 3:38 PM

I would like to know more details about why maintain_harbor is planned to run as a Toolforge jobs framework cronjob rather than a standalone application (or cronjob) in the kubernetes cluster.

I'm mentioning this because I feel that tying the two things together can make it cumbersome to operate (both things) in the future, for little added value.

The change to run as a standalone cronjob deployment in k8s would be very small.

aborrero added a comment.Mar 9 2023, 2:09 PM
In T293649#8676822, @aborrero wrote:

I would like to know more details about why maintain_harbor is planned to run as a Toolforge jobs framework cronjob rather than a standalone application (or cronjob) in the kubernetes cluster.

I'm mentioning this because I feel that tying the two things together can make it cumbersome to operate (both things) in the future, for little added value.

The change to run as a standalone cronjob deployment in k8s would be very small.

We talked about this, and the main concerns are:

  • development time: writing the deployment helm chart would take time, instead of using the ready-made cron abstraction by jobs-api
  • secret management: maintain-harbor requires a secret to be able to interact with the harbor API. The only way we know of doing that today in Cloud VPS is using a puppet secret: deploying a secret to k8s-control filesystem and read it at deploy.sh runtime. Again, having this setup in place would require time. Even if this secret mechanism can be reused by other Toolforge components, is not a priority right now.
Raymond_Ndibe updated the task description. (Show Details)Mar 13 2023, 12:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL