Page MenuHomePhabricator
Create Task
Maniphest T310175

Configure ingress for dse-k8s cluster
Closed, ResolvedPublic3 Estimated Story Points
Actions

Details

SubjectRepoBranchLines +/-
Add an entry for the cfssl-issuer service to the dse-k8s clusteroperations/puppetproduction+7 -0
Add an istio custom deploy configuration for dse-k8soperations/deployment-chartsmaster+169 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

JArguello-WMF created this task.Jun 8 2022, 2:34 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 8 2022, 2:34 PM
BTullis added a parent task: T310196: K8 DSE Kubernetes Cluster.Jun 23 2022, 9:07 AM
EChetty moved this task from Backlog to To be discussed on the Shared-Data-Infrastructure board.Jul 11 2022, 11:35 AM
EChetty added a project: Data-Engineering-Planning.Jul 25 2022, 12:36 PM
EChetty moved this task from To be discussed to Estimated/Discussed on the Shared-Data-Infrastructure board.Jul 29 2022, 2:46 PM
EChetty moved this task from Estimated/Discussed to In Progress before Value Stream Kickoff (before Aug 15th) on the Shared-Data-Infrastructure board.
EChetty moved this task from In Progress before Value Stream Kickoff (before Aug 15th) to To be discussed on the Shared-Data-Infrastructure board.Aug 1 2022, 3:58 PM
EChetty moved this task from Backlog to Shared Data Infra on the Data-Engineering-Planning board.Aug 15 2022, 8:45 AM
EChetty moved this task from To be discussed to In Progress before Value Stream Kickoff (before Aug 15th) on the Shared-Data-Infrastructure board.Aug 16 2022, 1:16 PM
EChetty moved this task from In Progress before Value Stream Kickoff (before Aug 15th) to Estimated/Discussed on the Shared-Data-Infrastructure board.
EChetty moved this task from Estimated/Discussed to Sprint 00 on the Shared-Data-Infrastructure board.Aug 16 2022, 1:20 PM
EChetty edited projects, added Shared-Data-Infrastructure (Sprint 00); removed Shared-Data-Infrastructure.
BTullis moved this task from Next Up to In Progress on the Shared-Data-Infrastructure (Sprint 00) board.Sep 5 2022, 2:29 PM
BTullis subscribed.Sep 5 2022, 2:32 PM

I have applied the istio network policies and proxy settings.

root@deploy1002:/srv/deployment-charts/helmfile.d/admin_ng# helmfile -e dse-k8s-eqiad -l name=istio-gateways-networkpolicies sync
helmfile.yaml: basePath=.
Affected releases are:
  istio-gateways-networkpolicies (wmf-stable/raw) UPDATED

Upgrading release=istio-gateways-networkpolicies, chart=wmf-stable/raw
Release "istio-gateways-networkpolicies" does not exist. Installing it now.
NAME: istio-gateways-networkpolicies
LAST DEPLOYED: Mon Sep  5 14:29:57 2022
NAMESPACE: istio-system
STATUS: deployed
REVISION: 1
TEST SUITE: None

Listing releases matching ^istio-gateways-networkpolicies$
istio-gateways-networkpolicies  istio-system    1               2022-09-05 14:29:57.801232075 +0000 UTC deployed        raw-0.3.0       0.2.3


UPDATED RELEASES:
NAME                             CHART            VERSION
istio-gateways-networkpolicies   wmf-stable/raw     0.3.0

helmfile.yaml: basePath=.
root@deploy1002:/srv/deployment-charts/helmfile.d/admin_ng# helmfile -e dse-k8s-eqiad -l name=istio-proxy-settings sync
helmfile.yaml: basePath=.
Affected releases are:
  istio-proxy-settings (wmf-stable/raw) UPDATED

Upgrading release=istio-proxy-settings, chart=wmf-stable/raw
Release "istio-proxy-settings" does not exist. Installing it now.
NAME: istio-proxy-settings
LAST DEPLOYED: Mon Sep  5 14:30:27 2022
NAMESPACE: istio-system
STATUS: deployed
REVISION: 1
TEST SUITE: None

Listing releases matching ^istio-proxy-settings$
istio-proxy-settings    istio-system    1               2022-09-05 14:30:27.496648357 +0000 UTC deployed        raw-0.3.0       0.2.3


UPDATED RELEASES:
NAME                   CHART            VERSION
istio-proxy-settings   wmf-stable/raw     0.3.0

helmfile.yaml: basePath=.
gerritbot added a comment.Sep 5 2022, 2:42 PM

Change 829822 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/deployment-charts@master] Add an istio custom deploy configuration for dse-k8s

https://gerrit.wikimedia.org/r/829822

gerritbot added a project: Patch-For-Review.Sep 5 2022, 2:42 PM
gerritbot added a comment.Sep 6 2022, 8:37 AM

Change 829822 merged by jenkins-bot:

[operations/deployment-charts@master] Add an istio custom deploy configuration for dse-k8s

https://gerrit.wikimedia.org/r/829822

BTullis added a comment.Sep 6 2022, 9:22 AM

I have installed the istio configs.

root@deploy1002:~# istioctl-1.9.5 manifest apply -f /srv/deployment-charts/custom_deploy.d/istio/dse-k8s/config.yaml

The Kubernetes version v1.16.15 is not supported by Istio 1.9.5. The minimum supported Kubernetes version is 1.17.
Proceeding with the installation, but you might experience problems. See https://istio.io/latest/docs/setup/platform-setup/ for a list of supported versions.

Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/v1.9/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
This will install the Istio 1.9.5  profile with ["Istio core" "Istiod" "CNI" "Ingress gateways"] components into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ CNI installed
✔ Ingress gateways installed
✔ Installation complete
root@deploy1002:~#
BTullis added a comment.Sep 6 2022, 9:29 AM

I have begun work to add the cert-manager and cfssl-issuer deployments, which are required for istio TLS certificates.

root@deploy1002:/srv/deployment-charts/helmfile.d/admin_ng# helmfile -e dse-k8s-eqiad -l name=cert-manager-networkpolicies sync
root@deploy1002:/srv/deployment-charts/helmfile.d/admin_ng# helmfile -e dse-k8s-eqiad -l name=cert-manager sync
root@deploy1002:/srv/deployment-charts/helmfile.d/admin_ng# helmfile -e dse-k8s-eqiad -l name=cfssl-issuer-crds sync

These three commands completed successfully.

This one exited with an error:

root@deploy1002:/srv/deployment-charts/helmfile.d/admin_ng# helmfile -e dse-k8s-eqiad -l name=cfssl-issuer sync

STDERR:
  Error: execution error at (cfssl-issuer/templates/secret.yaml:13:10): authSecret needs a key

I will look at supplying this secret key.

Maintenance_bot removed a project: Patch-For-Review.Sep 6 2022, 9:30 AM
EChetty moved this task from Sprint 00 to Sprint 01 on the Shared-Data-Infrastructure board.Sep 6 2022, 11:21 AM
EChetty edited projects, added Shared-Data-Infrastructure (Sprint 01); removed Shared-Data-Infrastructure (Sprint 00).
EChetty set the point value for this task to 3.Sep 6 2022, 11:24 AM
EChetty moved this task from Next Up to In Progress on the Shared-Data-Infrastructure (Sprint 01) board.Sep 6 2022, 1:09 PM
gerritbot added a comment.Sep 7 2022, 10:11 AM

Change 830580 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Add an entry for the cfssl-issuer service to the dse-k8s cluster

https://gerrit.wikimedia.org/r/830580

gerritbot added a project: Patch-For-Review.Sep 7 2022, 10:11 AM
gerritbot added a comment.Sep 7 2022, 10:48 AM

Change 830580 merged by Btullis:

[operations/puppet@production] Add an entry for the cfssl-issuer service to the dse-k8s cluster

https://gerrit.wikimedia.org/r/830580

BTullis moved this task from In Progress to Done on the Shared-Data-Infrastructure (Sprint 01) board.Sep 7 2022, 11:02 AM

This is now all configured.

Maintenance_bot removed a project: Patch-For-Review.Sep 7 2022, 11:31 AM
BTullis closed this task as Resolved.Sep 8 2022, 8:27 AM
BTullis claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits