Page MenuHomePhabricator
Create Task
Maniphest T300740

Provide a convenient way to connect to services in kubernetes staging clusters
Closed, ResolvedPublic
Actions

Description

We currently rely on a rr-dns entry to connect to services running in Kubernetes clusters.

While this does work in general it needs manual configuration in DNS and it is different from how traffic reaches clusters in production.

With upcoming ingress, we should add an LVS service k8s-ingress-staging pointing to the istio-ingressgateway on staging kubernetes nodes (as we would do it in production).

That LVS service should be active/passive (eqiad being active by default) to retain the functionality of the "hidden" staging cluster used by SRE's to test infrastructure changes/updates etc.

LVS is now setup up and the staging clusters ingressgateway can be reached via k8s-ingress-staging.discovery.wmnet.
miscweb, being the only service currently enabled, can be accessed by with proper SNI:

curl -I --resolve "miscweb.staging.discovery.wmnet:30443:$(dig +short k8s-ingress-staging.discovery.wmnet)" 'https://miscweb.staging.discovery.wmnet:30443'

As next step, I would like to add a wildcard record to DNS (like *.k8s-staging.discovery.wmnet, name is just a proposal and what I currently used on the ingress side - easy to change that, though) pointing to whatever k8s-ingress-staging.discovery.wmnet currently points to. This would make setting up new services in staging clusters completely self-service (after the initial k8s user/namespace creation by SRE).

All that only applies to staging ofc. Production services would still need an entry in services.yaml for monitoring and individual depooling etc.

Details

Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

JMeybohm created this task.Feb 2 2022, 2:14 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 2 2022, 2:14 PM
JMeybohm mentioned this in T290966: Implement POC for istio ingress.Feb 2 2022, 2:20 PM
gerritbot added a comment.Feb 2 2022, 2:46 PM

Change 759253 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/dns@master] Add k8s-ingress-staging LVS VIPs

https://gerrit.wikimedia.org/r/759253

gerritbot added a project: Patch-For-Review.Feb 2 2022, 2:46 PM
gerritbot added a comment.Feb 2 2022, 3:28 PM

Change 759259 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] Add k8s-ingress-staging to conftool-data

https://gerrit.wikimedia.org/r/759259

gerritbot added a comment.Feb 2 2022, 3:28 PM

Change 759260 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] Add LVS service k8s-ingress-staging

https://gerrit.wikimedia.org/r/759260

gerritbot added a comment.Feb 3 2022, 11:13 AM

Change 759470 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] Create a new wikimedia_cluster: kubernetes-staging

https://gerrit.wikimedia.org/r/759470

gerritbot added a comment.Feb 3 2022, 1:02 PM

Change 759470 merged by JMeybohm:

[operations/puppet@production] Create a new wikimedia_cluster: kubernetes-staging

https://gerrit.wikimedia.org/r/759470

gerritbot added a comment.Feb 3 2022, 1:35 PM

Change 759253 merged by JMeybohm:

[operations/dns@master] Add k8s-ingress-staging LVS VIPs

https://gerrit.wikimedia.org/r/759253

gerritbot added a comment.Feb 4 2022, 9:01 AM

Change 759259 merged by JMeybohm:

[operations/puppet@production] Add kubernetes-staging to conftool-data

https://gerrit.wikimedia.org/r/759259

JMeybohm added a subscriber: Dzahn.Feb 9 2022, 10:35 AM
gerritbot added a comment.Feb 9 2022, 3:00 PM

Change 759260 merged by JMeybohm:

[operations/puppet@production] Add LVS service k8s-ingress-staging

https://gerrit.wikimedia.org/r/759260

gerritbot added a comment.Feb 9 2022, 3:09 PM

Change 761357 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] Move k8s-ingress-staging to state: lvs_setup

https://gerrit.wikimedia.org/r/761357

gerritbot added a comment.Feb 9 2022, 3:20 PM

Change 761357 merged by JMeybohm:

[operations/puppet@production] Move k8s-ingress-staging to state: lvs_setup

https://gerrit.wikimedia.org/r/761357

Stashbot added a comment.Feb 9 2022, 3:31 PM

Mentioned in SAL (#wikimedia-operations) [2022-02-09T15:30:59Z] <jayme> restarting pybal on lvs2010,lvs1020 - T300740

Stashbot added a comment.Feb 9 2022, 3:56 PM

Mentioned in SAL (#wikimedia-operations) [2022-02-09T15:56:16Z] <jayme> restarting pybal on lvs1015,lvs2009 - T300740

Stashbot added a comment.Feb 9 2022, 3:57 PM

Mentioned in SAL (#wikimedia-operations) [2022-02-09T15:57:00Z] <jayme> ran sudo rm /var/run/confd-template/.k8s-ingress-staging*.err on puppetmaster2001 - T300740

gerritbot added a comment.Feb 9 2022, 4:11 PM

Change 761380 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] Move k8s-ingress-staging to state: monitoring_setup

https://gerrit.wikimedia.org/r/761380

gerritbot added a comment.Feb 9 2022, 4:19 PM

Change 761387 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/dns@master] Add discovery record k8s-ingress-staging

https://gerrit.wikimedia.org/r/761387

gerritbot added a comment.Feb 9 2022, 4:22 PM

Change 761380 merged by JMeybohm:

[operations/puppet@production] Move k8s-ingress-staging to state: monitoring_setup

https://gerrit.wikimedia.org/r/761380

gerritbot added a comment.Feb 9 2022, 4:32 PM

Change 761392 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] Move k8s-ingress-staging to state: poduction

https://gerrit.wikimedia.org/r/761392

gerritbot added a comment.Feb 9 2022, 4:32 PM

Change 761393 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] Add k8s-ingress-staging to disc_desired_state.py

https://gerrit.wikimedia.org/r/761393

gerritbot added a comment.Feb 9 2022, 4:51 PM

Change 761392 merged by JMeybohm:

[operations/puppet@production] Move k8s-ingress-staging to state: poduction

https://gerrit.wikimedia.org/r/761392

gerritbot added a comment.Feb 9 2022, 5:05 PM

Change 761393 merged by JMeybohm:

[operations/puppet@production] Add k8s-ingress-staging to disc_desired_state.py

https://gerrit.wikimedia.org/r/761393

gerritbot added a comment.Feb 9 2022, 5:05 PM

Change 761387 merged by JMeybohm:

[operations/dns@master] Add discovery record k8s-ingress-staging

https://gerrit.wikimedia.org/r/761387

Stashbot added a comment.Feb 9 2022, 5:07 PM

Mentioned in SAL (#wikimedia-operations) [2022-02-09T17:07:26Z] <jayme> ran sudo rm /var/run/confd-template/.k8s-ingress-staging*.err on puppetmaster1001 - T300740

gerritbot added a comment.Feb 10 2022, 10:43 AM

Change 761590 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] Add tcp-notls probe to k8s-ingress-staging

https://gerrit.wikimedia.org/r/761590

gerritbot added a comment.Feb 10 2022, 10:45 AM

Change 761590 merged by JMeybohm:

[operations/puppet@production] Add tcp-notls probe to k8s-ingress-staging

https://gerrit.wikimedia.org/r/761590

JMeybohm updated the task description. (Show Details)Feb 10 2022, 2:00 PM
JMeybohm added a subscriber: BBlack.
akosiaris awarded a token.Feb 14 2022, 11:35 AM
Joe added a comment.Feb 16 2022, 8:59 AM

I would generally agree that having all services with name *.staging.$dc.wmnet resolve to the same rr-record is what you want.

I'm not 100% sure what's the best technical solution for this, I would assume that if we have an LVS endpoint we can just write an A record for the wildcard?

JMeybohm added a comment.Feb 16 2022, 9:42 AM
In T300740#7713949, @Joe wrote:

I would generally agree that having all services with name *.staging.$dc.wmnet resolve to the same rr-record is what you want.

I'm not 100% sure what's the best technical solution for this, I would assume that if we have an LVS endpoint we can just write an A record for the wildcard?

Yes. But only for the DC specific names. Ideally I'd like to have a wildcard pointing to the discovery record so people don't have to care/know which DC is the active one.

gerritbot added a comment.Feb 18 2022, 12:05 PM

Change 763717 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/dns@master] Add *.k8s-staging.discovery.wmnet

https://gerrit.wikimedia.org/r/763717

gerritbot added a comment.Feb 23 2022, 2:34 PM

Change 765273 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] Add k8s-ingress-wikikube to conftool-data

https://gerrit.wikimedia.org/r/765273

gerritbot added a comment.Feb 23 2022, 2:35 PM

Change 765273 merged by JMeybohm:

[operations/puppet@production] Add k8s-ingress-wikikube to conftool-data

https://gerrit.wikimedia.org/r/765273

gerritbot added a comment.Apr 1 2022, 8:16 AM

Change 763717 merged by JMeybohm:

[operations/dns@master] Add *.k8s-staging.discovery.wmnet

https://gerrit.wikimedia.org/r/763717

JMeybohm updated the task description. (Show Details)Apr 1 2022, 8:25 AM
gerritbot added a comment.Apr 1 2022, 8:52 AM

Change 776162 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Use *.k8s-staging.discovery.wmnet for staging certificates

https://gerrit.wikimedia.org/r/776162

gerritbot added a comment.Apr 1 2022, 8:52 AM

Change 776163 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Use *.k8s-staging.discovery.wmnet for staging Ingress

https://gerrit.wikimedia.org/r/776163

BTullis subscribed.Apr 1 2022, 9:42 AM
gerritbot added a comment.Apr 4 2022, 7:24 AM

Change 776162 merged by jenkins-bot:

[operations/deployment-charts@master] Use *.k8s-staging.discovery.wmnet for staging certificates

https://gerrit.wikimedia.org/r/776162

gerritbot added a comment.Apr 4 2022, 7:24 AM

Change 776163 merged by jenkins-bot:

[operations/deployment-charts@master] Use *.k8s-staging.discovery.wmnet for staging Ingress

https://gerrit.wikimedia.org/r/776163

JMeybohm closed this task as Resolved.Apr 4 2022, 9:50 AM

Something like curl -I https://miscweb.k8s-staging.discovery.wmnet:30443 now works by default.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL