Page MenuHomePhabricator
Create Task
Maniphest T310172

Configure k8s API control plane service with LVS
Closed, ResolvedPublic5 Estimated Story Points
Actions

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add a kublet node_label to each master of the dse-k8s clusteroperations/puppetproduction+2 -0
Configure the load-balancers for dse-k8s-ctrloperations/puppetproduction+1 -1
Enable the LVS realserver profile for dse-k8s-ctrloperations/puppetproduction+2 -2
Add an entry for dse-k8s-ctrl to the service catalogoperations/puppetproduction+23 -0
Add etcd data for dse-k8s kubeserver-api backend selection.operations/puppetproduction+3 -0
Add a new intermediate CA for kubernetesoperations/puppetproduction+1 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

JArguello-WMF created this task.Jun 8 2022, 2:33 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 8 2022, 2:33 PM
BTullis added a parent task: T310196: K8 DSE Kubernetes Cluster.Jun 23 2022, 9:07 AM
EChetty moved this task from Backlog to Estimated/Discussed on the Shared-Data-Infrastructure board.Jul 11 2022, 11:35 AM
EChetty moved this task from Estimated/Discussed to To be discussed on the Shared-Data-Infrastructure board.
EChetty moved this task from To be discussed to Estimated/Discussed on the Shared-Data-Infrastructure board.Jul 25 2022, 12:35 PM
EChetty moved this task from Estimated/Discussed to In Progress before Value Stream Kickoff (before Aug 15th) on the Shared-Data-Infrastructure board.
EChetty added a project: Data-Engineering-Planning.
EChetty moved this task from In Progress before Value Stream Kickoff (before Aug 15th) to Done before Values Stream Kickoff (before Aug 15th) on the Shared-Data-Infrastructure board.Jul 29 2022, 2:46 PM
EChetty assigned this task to BTullis.Aug 1 2022, 4:03 PM
EChetty moved this task from Done before Values Stream Kickoff (before Aug 15th) to Estimated/Discussed on the Shared-Data-Infrastructure board.
EChetty edited projects, added Data-Engineering-Planning (Sprint 02); removed Data-Engineering-Planning.
EChetty set the point value for this task to 5.
EChetty moved this task from Ready to Next Up on the Data-Engineering-Planning (Sprint 02) board.Aug 1 2022, 4:08 PM
JArguello-WMF moved this task from Estimated/Discussed to In Progress before Value Stream Kickoff (before Aug 15th) on the Shared-Data-Infrastructure board.Aug 2 2022, 3:26 PM
BTullis triaged this task as High priority.Aug 11 2022, 4:39 PM
BTullis moved this task from Next Up to In progress on the Data-Engineering-Planning (Sprint 02) board.
EChetty edited projects, added Data-Engineering-Planning; removed Data-Engineering-Planning (Sprint 02).Aug 15 2022, 8:34 AM
EChetty moved this task from Backlog to Shared Data Infra on the Data-Engineering-Planning board.Aug 15 2022, 8:44 AM
EChetty moved this task from In Progress before Value Stream Kickoff (before Aug 15th) to Sprint 00 on the Shared-Data-Infrastructure board.Aug 16 2022, 1:14 PM
EChetty edited projects, added Shared-Data-Infrastructure (Sprint 00); removed Shared-Data-Infrastructure.
EChetty moved this task from Next Up to In Progress on the Shared-Data-Infrastructure (Sprint 00) board.Aug 17 2022, 9:31 AM
gerritbot added a comment.Aug 17 2022, 10:38 AM

Change 824161 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Add a new intermediate CA for kubernetes

https://gerrit.wikimedia.org/r/824161

gerritbot added a project: Patch-For-Review.Aug 17 2022, 10:38 AM
BTullis added a subscriber: jbond.Aug 17 2022, 10:42 AM

I have discussed with @jbond and we would like to take this opportunity, if possible, to allow Kubernetes clusters to use the cfssl based PKI instead of Puppet CA certificates.

The first step will require creating a new intermediate CA, since we cannot use the discovery CA for this purpose. We need client authentication, which the discovery CA doesn't allow.

jbond added subscribers: JMeybohm, elukey, akosiaris.Aug 17 2022, 11:30 AM

Ahh this ticket already confirms my first question on the CR i.e. the CA is just for the control plane and not the pods.

In T310172#8161105, @BTullis wrote:

I have discussed with @jbond and we would like to take this opportunity, if possible, to allow Kubernetes clusters to use the cfssl based PKI instead of Puppet CA certificates.

The first step will require creating a new intermediate CA, since we cannot use the discovery CA for this purpose. We need client authentication, which the discovery CA doesn't allow.

i think we should also consider if we should have one intermediate per k8 cluster or if we just have a generic Kubernetes CA for all clusters· Personally i would go with the former as it would by design prevent k8 cluster components talking to the wrong cluster but perhaps that is overly cautious (cc @akosiaris @elukey @JMeybohm )

gerritbot added a comment.Aug 17 2022, 12:53 PM

Change 824161 abandoned by Btullis:

[operations/puppet@production] Add a new intermediate CA for kubernetes

Reason:

Decided not to go about it this way right now.

https://gerrit.wikimedia.org/r/824161

Maintenance_bot removed a project: Patch-For-Review.Aug 17 2022, 1:33 PM
gerritbot added a comment.Aug 19 2022, 10:54 AM

Change 824705 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Add etcd data for dse-k8s kubeserver-api backend selection.

https://gerrit.wikimedia.org/r/824705

gerritbot added a project: Patch-For-Review.Aug 19 2022, 10:54 AM
gerritbot added a comment.Aug 22 2022, 11:25 AM

Change 824705 merged by Btullis:

[operations/puppet@production] Add etcd data for dse-k8s kubeserver-api backend selection.

https://gerrit.wikimedia.org/r/824705

Maintenance_bot removed a project: Patch-For-Review.Aug 22 2022, 11:30 AM
gerritbot added a comment.Aug 22 2022, 1:38 PM

Change 825348 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Add an extry for dse-k8s-ctrl to the service catalog

https://gerrit.wikimedia.org/r/825348

gerritbot added a project: Patch-For-Review.Aug 22 2022, 1:38 PM
gerritbot added a comment.Aug 23 2022, 9:06 AM

Change 825348 merged by Btullis:

[operations/puppet@production] Add an entry for dse-k8s-ctrl to the service catalog

https://gerrit.wikimedia.org/r/825348

BTullis mentioned this in T300744: Move kubernetes workers to bullseye and docker to overlayfs.Aug 23 2022, 9:15 AM
Maintenance_bot removed a project: Patch-For-Review.Aug 23 2022, 9:30 AM
BTullis added a comment.Aug 23 2022, 10:50 AM

I have enabled the kubemaster backend servers for the dse-k8s service with conftool.

btullis@puppetmaster1001:~$ sudo -i confctl select cluster=dse-k8s get
{"dse-k8s-ctrl1001.eqiad.wmnet": {"weight": 0, "pooled": "inactive"}, "tags": "dc=eqiad,cluster=dse-k8s,service=kubemaster"}
{"dse-k8s-ctrl1002.eqiad.wmnet": {"weight": 0, "pooled": "inactive"}, "tags": "dc=eqiad,cluster=dse-k8s,service=kubemaster"}
btullis@puppetmaster1001:~$ sudo -i confctl select 'cluster=dse-k8s,service=kubemaster' set/pooled=yes:weight=1
The selector you chose has selected the following objects:
{"/eqiad/dse-k8s/kubemaster": ["dse-k8s-ctrl1001.eqiad.wmnet", "dse-k8s-ctrl1002.eqiad.wmnet"]}
Ok to continue? [y/N]
confctl>y
eqiad/dse-k8s/kubemaster/dse-k8s-ctrl1001.eqiad.wmnet: pooled changed inactive => yes
eqiad/dse-k8s/kubemaster/dse-k8s-ctrl1001.eqiad.wmnet: weight changed 0 => 1
eqiad/dse-k8s/kubemaster/dse-k8s-ctrl1002.eqiad.wmnet: pooled changed inactive => yes
eqiad/dse-k8s/kubemaster/dse-k8s-ctrl1002.eqiad.wmnet: weight changed 0 => 1
WARNING:conftool.announce:conftool action : set/pooled=yes:weight=1; selector: cluster=dse-k8s,service=kubemaster
btullis@puppetmaster1001:~$ sudo -i confctl select cluster=dse-k8s get
{"dse-k8s-ctrl1001.eqiad.wmnet": {"weight": 1, "pooled": "yes"}, "tags": "dc=eqiad,cluster=dse-k8s,service=kubemaster"}
{"dse-k8s-ctrl1002.eqiad.wmnet": {"weight": 1, "pooled": "yes"}, "tags": "dc=eqiad,cluster=dse-k8s,service=kubemaster"}
gerritbot added a comment.Aug 23 2022, 10:52 AM

Change 825726 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Enable the LVS realserver profile for dse-k8s-ctrl

https://gerrit.wikimedia.org/r/825726

gerritbot added a project: Patch-For-Review.Aug 23 2022, 10:52 AM
gerritbot added a comment.Aug 24 2022, 1:15 PM

Change 825726 merged by Btullis:

[operations/puppet@production] Enable the LVS realserver profile for dse-k8s-ctrl

https://gerrit.wikimedia.org/r/825726

Maintenance_bot removed a project: Patch-For-Review.Aug 24 2022, 1:30 PM
gerritbot added a comment.Aug 24 2022, 1:38 PM

Change 826296 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Configure the load-balancers for dse-k8s-ctrl

https://gerrit.wikimedia.org/r/826296

gerritbot added a project: Patch-For-Review.Aug 24 2022, 1:38 PM
gerritbot added a comment.Aug 24 2022, 2:53 PM

Change 826296 merged by Btullis:

[operations/puppet@production] Configure the load-balancers for dse-k8s-ctrl

https://gerrit.wikimedia.org/r/826296

BTullis moved this task from In Progress to Done on the Shared-Data-Infrastructure (Sprint 00) board.Aug 25 2022, 10:07 AM

I believe that this step of the process is now broadly complete.

BTullis added a comment.Aug 30 2022, 3:56 PM

I have labelled the master nodes as follows:

root@deploy1002:/srv/deployment-charts/helmfile.d/admin_ng# kubectl label nodes dse-k8s-ctrl1001.eqiad.wmnet node-role.kubernetes.io/master=""
node/dse-k8s-ctrl1001.eqiad.wmnet labeled
root@deploy1002:/srv/deployment-charts/helmfile.d/admin_ng# kubectl label nodes dse-k8s-ctrl1002.eqiad.wmnet node-role.kubernetes.io/master=""
node/dse-k8s-ctrl1002.eqiad.wmnet labeled
gerritbot added a comment.Aug 30 2022, 3:56 PM

Change 828049 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Add a kublet node_label to each master of the dse-k8s cluster

https://gerrit.wikimedia.org/r/828049

BTullis closed this task as Resolved.Sep 5 2022, 2:52 PM
gerritbot added a comment.Sep 8 2022, 8:18 AM

Change 828049 merged by Btullis:

[operations/puppet@production] Add a kublet node_label to each master of the dse-k8s cluster

https://gerrit.wikimedia.org/r/828049

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits