Page MenuHomePhabricator

Add egress rules for dbproxy1017 & dbproxy1021
Closed, ResolvedPublic

Description

These are the proxies being added in front of m5-master

Event Timeline

bd808 changed the task status from Open to In Progress.Oct 27 2021, 4:36 PM
bd808 claimed this task.
bd808 triaged this task as High priority.
bd808 moved this task from Backlog to In Progress on the Toolhub board.

Change 735031 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[operations/deployment-charts@master] toolhub: Add egress to m5-master dbproxy nodes

https://gerrit.wikimedia.org/r/735031

Change 735031 merged by jenkins-bot:

[operations/deployment-charts@master] toolhub: Add egress to m5-master dbproxy nodes

https://gerrit.wikimedia.org/r/735031

After deploying the updated helm chart, the networkpolicy for the toolhub namespace in eqiad allows port 3306 outbound to:

  • 10.64.48.43/32 (dbproxy1017.eqiad.wmnet)
  • 10.64.32.180/32 (dbproxy1021.eqiad.wmnet)
  • 10.192.48.47/32 (dbproxy2004.codfw.wmnet)
  • 10.64.0.98/32 (db1128.eqiad.wmnet)
  • 10.64.16.35/32 (db1132.eqiad.wmnet)

Checked with kube_env toolhub eqiad; kubectl describe networkpolicies toolhub-main from deploy1002.

Thank you Bryan for fixing this so quickly!