Page MenuHomePhabricator
Create Task
Maniphest T316323

[tbs.harbor.tools] Replicate toolsbeta harbor deployment
Closed, ResolvedPublic
Actions

Description

Replicate the same deployment we have in toolsbeta but in tools.

This will require also createing the proxy harbor.tools.wmflabs.org.

  1. Create tools-harbor-1.tools.eqiad1.wikimedia.cloud VM in the tools project
  2. Add a 500GB volume for the images (feel free to do some calculations to guess a good size)
  3. Add the hiera value profile::toolforge::harbor::cinder_attached: true to the instance puppet
  4. Create a prefix puppet config in horizon for the prefix tools-harbor- with the puppetclass role::wmcs::toolforge::harbor
  5. Run puppet on the new VM
  6. Run the script /srv/ops/harbor/prepare and run puppet again
  7. Check that harbor is up and running on that VM
  8. Add a proxy from horizon named tools-harbor.wmflabs.org pointing to the new harbor instance
  9. Create a security group in horizon allowing access on port 80 from 172.16.0.0/21 (would be nice to be more specific but I'm not really sure how)
  10. Create a Trove database and add the credentials to /etc/puppet/private in toolsbeta-puppetmaster-04 (profile::toolforge::harbor::db_harbor_pwd)
  11. Generate an admin password for Harbor and add that password to /etc/puppet/private in toolsbeta-puppetmaster-04 as profile::toolforge::harbor::admin_pwd
  12. Duplicate the maintain-harbor deployment for tools (TBD) moved to its own task: T332347

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+0 -2[tbs.harbor] Remove duplicate pwd
operations/puppetproduction+12 -14[tbs.harbor] Clean up admin pwd management
operations/puppetproduction+5 -5[tbs.harbor] Fix wrong paths for Harbor certs
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 StalledLucasWerkmeisterT320140 Migrate wd-shex-infer from Toolforge GridEngine to Toolforge Kubernetes
 StalledmatmarexT319707 Migrate dtcheck from Toolforge GridEngine to Toolforge Kubernetes
 OpenNoneT320062 Migrate steve-adder from Toolforge GridEngine to Toolforge Kubernetes
 OpenNoneT320011 Migrate rfa-voting-history from Toolforge GridEngine to Toolforge Kubernetes
 OpendcaroT194332 [Epic] Make Toolforge a proper platform as a service with push-to-deploy and build packs
 In ProgressdcaroT267374 [tbs.beta] Create a toolforge build service beta release
 OpenNoneT324827 tbs: user-story 3 - I want to cancel the build using the toolforge build cancel feature
 ResolvedRaymond_NdibeT324828 tbs: user-story 3 - cancel cli should give the right error when the service is down
 ResolvedRaymond_NdibeT331409 [tbs.cli] The cancel command should return a message saying that the build is already finished when trying to cancel a finished build
 ResolvedRaymond_NdibeT331410 [tbs.cli] The cancel command should show a useful message when the connection to tekton works but returns http error (requests.exceptions.HTTPError)
 OpenNoneT332294 [tbs][cli] build cancel --help lists the -v option twice
 ResolveddcaroT324833 tbs: user-story 5 - I want to check the status of a given build using the toolforge build show feature.
 OpenNoneT324830 tbs: user-story 4 - I want to check the status of the last build using the toolforge build show feature
 ResolvedRaymond_NdibeT324831 tbs: user-story 4 - show cli should give the right error when the service is down
 StalleddcaroT324823 tbs: user-story 2 - Feature: I can start a new build from a git url
 ResolvedRaymond_NdibeT324832 tbs: user-story 4 - show cli should use the latest build if no build id is passed
 OpenNoneT324834 tbs: user-story 6 - I want to start a webservice with the image I built earlier.
 StalledRaymond_NdibeT316327 [tbs] Deploy on tools
 StalledRaymond_NdibeT332347 Duplicate the maintain-harbor deployment for "tools"
 ResolvedfnegriT316323 [tbs.harbor.tools] Replicate toolsbeta harbor deployment
 ResolveddcaroT267616 [tbs.harbor] Puppetize the toolsbeta installation
 ResolvedAndrewT267618 Request increased quota for toolsbeta Cloud VPS project
 ResolvedSlst2020T316232 [tbs.harbor.toolsbeta] Create a postgres DB with trove and plug the current instance there
 ResolveddcaroT316233 [tbs.harbor.toolsbeta] Create a cinder volume and put there the storage for the container images
 ResolvedfnegriT332208 [tbs] Harbor broken in toolsbeta because of missing db password

Event Timeline

dcaro triaged this task as High priority.Aug 26 2022, 8:26 AM
dcaro created this task.
dcaro added a parent task: T194332: [Epic] Make Toolforge a proper platform as a service with push-to-deploy and build packs.
dcaro added a subtask: T267616: [tbs.harbor] Puppetize the toolsbeta installation.
dcaro edited parent tasks, added: T267374: [tbs.beta] Create a toolforge build service beta release; removed: T194332: [Epic] Make Toolforge a proper platform as a service with push-to-deploy and build packs.Aug 26 2022, 8:51 AM
dcaro edited parent tasks, added: T316327: [tbs] Deploy on tools; removed: T267374: [tbs.beta] Create a toolforge build service beta release.Aug 26 2022, 9:32 AM
dcaro changed the status of subtask T267616: [tbs.harbor] Puppetize the toolsbeta installation from Open to In Progress.Nov 10 2022, 2:44 PM
dcaro closed subtask T267616: [tbs.harbor] Puppetize the toolsbeta installation as Resolved.Dec 1 2022, 9:58 AM
dcaro added a parent task: T324823: tbs: user-story 2 - Feature: I can start a new build from a git url.Dec 9 2022, 10:08 AM
KHernandez-WMF mentioned this in T324823: tbs: user-story 2 - Feature: I can start a new build from a git url.Dec 15 2022, 7:49 PM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:37 PM
fnegri moved this task from Kanban to Inbox on the cloud-services-team board.
dcaro updated the task description. (Show Details)Tue, Feb 28, 11:00 AM
dcaro updated the task description. (Show Details)Tue, Feb 28, 11:13 AM
dcaro renamed this task from [tbs.harbor.tools] Replicate toolsbeta deployment to [tbs.harbor.tools] Replicate toolsbeta harbor deployment.Tue, Mar 7, 9:12 AM
dcaro mentioned this in T316327: [tbs] Deploy on tools.
dcaro removed a parent task: T324823: tbs: user-story 2 - Feature: I can start a new build from a git url.
dcaro added a project: Toolforge Build Service (Focus Week!).Mon, Mar 13, 1:10 PM
fnegri claimed this task.Mon, Mar 13, 2:29 PM
dcaro updated the task description. (Show Details)Mon, Mar 13, 2:54 PM
fnegri changed the task status from Open to In Progress.Mon, Mar 13, 4:44 PM
Raymond_Ndibe added a subscriber: Raymond_Ndibe.Mon, Mar 13, 4:59 PM

@dcaro and @fnegri , for Duplicate the maintain-harbor deployment for tools It's theoretically possible possible to have the maintain-harbor tool on toolforge handle the maintenance for tools.harbor and toolsbeta.harbor, what I'm not sure of is if that is an acceptable flow. The last time we discussed this we weren't able to make up our minds. Maybe we can conclude here?

fnegri added a comment.Mon, Mar 13, 5:02 PM

@Raymond_Ndibe I think that might work, at least for the beta. @dcaro what do you think?

fnegri moved this task from Next Up to In Progress on the Toolforge Build Service (Focus Week!) board.Mon, Mar 13, 5:17 PM
fnegri added a comment.Mon, Mar 13, 6:13 PM

I created the instance and volume with the following params:

root@cloudcontrol1005:~# OS_PROJECT_ID=tools openstack server create --flavor g3.cores4.ram8.disk20 tools-harbor-1 --image debian-11.0-bullseye --network lan-flat-cloudinstances2b
root@cloudcontrol1005:~# OS_PROJECT_ID=tools openstack volume create --type high-iops --size 500 --description "Data volume for Harbor images" tools-harbor

I added the role::wmcs::toolforge::harbor Puppet role but it's failing with

Error: /Stage[main]/Profile::Toolforge::Harbor/File[/srv/harbor/data/secret/cert/server.crt]: Could not evaluate: Could not retrieve information from environment production source(s) file:///etc/acmecerts/toolforge/live/ec-prime256v1.chained.crt
Notice: /Stage[main]/Profile::Toolforge::Harbor/File[/srv/harbor/data/secret/cert/server.key]: Dependency File[/srv/harbor/data/secret/cert/server.crt] has failures: true
Warning: /Stage[main]/Profile::Toolforge::Harbor/File[/srv/harbor/data/secret/cert/server.key]: Skipping because of failed dependencies
Warning: /Stage[main]/Profile::Toolforge::Harbor/Exec[reload-nginx-on-tls-update]: Skipping because of failed dependencies
Warning: /Stage[main]/Profile::Toolforge::Harbor/Exec[ensure-compose-started]: Skipping because of failed dependencies
Error: /Stage[main]/Profile::Toolforge::Harbor/Acme_chief::Cert[toolforge]/File[/etc/acmecerts/toolforge]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: access denied
Error: /Stage[main]/Profile::Toolforge::Harbor/Acme_chief::Cert[toolforge]/File[/etc/acmecerts/toolforge]: Could not evaluate: Could not retrieve file metadata for puppet://tools-acme-chief-01.tools.eqiad.wmflabs/acmedata/toolforge: Error 403 on SERVER: access denied
fnegri updated the task description. (Show Details)Mon, Mar 13, 6:13 PM
fnegri edited projects, added cloud-services-team (FY2022/2023-Q3); removed cloud-services-team.Mon, Mar 13, 6:16 PM
fnegri moved this task from Backlog to In progress on the cloud-services-team (FY2022/2023-Q3) board.
dcaro added a comment.Mon, Mar 13, 6:31 PM
In T316323#8688991, @fnegri wrote:

I created the instance and volume with the following params:

root@cloudcontrol1005:~# OS_PROJECT_ID=tools openstack server create --flavor g3.cores4.ram8.disk20 tools-harbor-1 --image debian-11.0-bullseye --network lan-flat-cloudinstances2b
root@cloudcontrol1005:~# OS_PROJECT_ID=tools openstack volume create --type high-iops --size 500 --description "Data volume for Harbor images" tools-harbor

I added the role::wmcs::toolforge::harbor Puppet role but it's failing with

Error: /Stage[main]/Profile::Toolforge::Harbor/File[/srv/harbor/data/secret/cert/server.crt]: Could not evaluate: Could not retrieve information from environment production source(s) file:///etc/acmecerts/toolforge/live/ec-prime256v1.chained.crt
Notice: /Stage[main]/Profile::Toolforge::Harbor/File[/srv/harbor/data/secret/cert/server.key]: Dependency File[/srv/harbor/data/secret/cert/server.crt] has failures: true
Warning: /Stage[main]/Profile::Toolforge::Harbor/File[/srv/harbor/data/secret/cert/server.key]: Skipping because of failed dependencies
Warning: /Stage[main]/Profile::Toolforge::Harbor/Exec[reload-nginx-on-tls-update]: Skipping because of failed dependencies
Warning: /Stage[main]/Profile::Toolforge::Harbor/Exec[ensure-compose-started]: Skipping because of failed dependencies
Error: /Stage[main]/Profile::Toolforge::Harbor/Acme_chief::Cert[toolforge]/File[/etc/acmecerts/toolforge]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: access denied
Error: /Stage[main]/Profile::Toolforge::Harbor/Acme_chief::Cert[toolforge]/File[/etc/acmecerts/toolforge]: Could not evaluate: Could not retrieve file metadata for puppet://tools-acme-chief-01.tools.eqiad.wmflabs/acmedata/toolforge: Error 403 on SERVER: access denied

It looks like we have to tell acme to build a cert for it too somehow?

dcaro added a comment.Mon, Mar 13, 6:50 PM

I think I might have advanced a bit it, not sure if it was the right way :/

So as it was getting 403 from acme-chief, I checked the hiera data of the tools-acme-chief-* prefix, and there I added the harbor fqdn to the allowed list;

...
profile::acme_chief::certificates:
  toolforge:
    CN: toolforge.org
    SNI:
    - toolforge.org
    - '*.toolforge.org'
    - tools.wmflabs.org
    - '*.tools.wmflabs.org'
    authorized_regexes:
    - ^tools-proxy-[0-9]+\.tools\.eqiad\.wmflabs$
    - ^tools-docker-registry-[0-9]+\.tools\.eqiad\.wmflabs$
    - ^tools-docker-registry-[0-9]+\.tools\.eqiad1\.wikimedia\.cloud$
    - ^tools-harbor-[0-9]+\.tools\.eqiad1\.wikimedia\.cloud$    # <- this one
    challenge: dns-01
...

That allowed it to pull all the certs from acme-chief, but then fails with:

Error: Could not set 'file' on ensure: No such file or directory - A directory component in /srv/harbor/data/secret/cert/server.crt20230313-16828-1riyhvk.lock does not exist or is a dangling symbolic link (file: /etc/puppet/modules/profile/manifests/toolforge/harbor.pp, line: 99)
Error: Could not set 'file' on ensure: No such file or directory - A directory component in /srv/harbor/data/secret/cert/server.crt20230313-16828-1riyhvk.lock does not exist or is a dangling symbolic link (file: /etc/puppet/modules/profile/manifests/toolforge/harbor.pp, line: 99)
Wrapped exception:
No such file or directory - A directory component in /srv/harbor/data/secret/cert/server.crt20230313-16828-1riyhvk.lock does not exist or is a dangling symbolic link
Error: /Stage[main]/Profile::Toolforge::Harbor/File[/srv/harbor/data/secret/cert/server.crt]/ensure: change from 'absent' to 'file' failed: Could not set 'file' on ensure: No such file or directory - A directory component in /srv/harbor/data/secret/cert/server.crt20230313-16828-1riyhvk.lock does not exist or is a dangling symbolic link (file: /etc/puppet/modules/profile/manifests/toolforge/harbor.pp, line: 99)
Notice: /Stage[main]/Profile::Toolforge::Harbor/File[/srv/harbor/data/secret/cert/server.key]: Dependency File[/srv/harbor/data/secret/cert/server.crt] has failures: true
Warning: /Stage[main]/Profile::Toolforge::Harbor/File[/srv/harbor/data/secret/cert/server.key]: Skipping because of failed dependencies
Warning: /Stage[main]/Profile::Toolforge::Harbor/Exec[reload-nginx-on-tls-update]: Skipping because of failed dependencies
Warning: /Stage[main]/Profile::Toolforge::Harbor/Exec[ensure-compose-started]: Skipping because of failed dependencies

The dir /srv/harbor/data/secret/cert did not exist, so I manually created it (probably puppet should at some point), then it passed that point, and got errors when trying to bring the compose up (that's expected, as it requires manually running the first time).

dcaro added a comment.Mon, Mar 13, 6:51 PM

It does seem that there's some typo somewhere xd

root@tools-harbor-1:/srv# tree
/srv
├── harbor
│   └── data
│       └── secret
│           └── cert
│               ├── server.crt
│               └── server.key
└── ops
    └── harbor
        ├── data
        │   └── secret
        │       └── cert
        ├── harbor.yml
        └── prepare
gerritbot added a comment.Tue, Mar 14, 2:53 PM

Change 898773 had a related patch set uploaded (by FNegri; author: FNegri):

[operations/puppet@production] [tbs.harbor] Fix wrong paths for Harbor certs

https://gerrit.wikimedia.org/r/898773

gerritbot added a project: Patch-For-Review.Tue, Mar 14, 2:53 PM
fnegri added a comment.Tue, Mar 14, 2:55 PM

@dcaro thanks for finding the issue! I created a patch that will hopefully fix the missing paths.

fnegri added a comment.Tue, Mar 14, 4:58 PM

it passed that point, and got errors when trying to bring the compose up

It looks like it failed only one time, and the following Puppet runs do not show the error anymore, but the docker containers are not running.

(that's expected, as it requires manually running the first time).

Is that first manual run documented somewhere? I imagine I have to make some changes in the yaml file generated by Puppet?

fnegri added a comment.Tue, Mar 14, 5:17 PM

I checked the diff between the Puppet-generated yaml file and the one currently used in toolsbeta:

5c5
< hostname: dummy.harbor.fqdn
---
> hostname: harbor.toolsbeta.wmflabs.org
34c34
< harbor_admin_password: insecurityrules
---
> harbor_admin_password: xx
137c137
<     host: dummy.db.host
---
>     host: ttg4ncgzifw.svc.trove.eqiad1.wikimedia.cloud
204a205,210
>
> robot_accounts:
>   toolsbeta-image-builder:
>       password: "xx"
>   maintain-harbor:
>       password: "xx"

I have some questions:

  • I thought we were not using Trove because Postgres support was not good?
  • Are the robot_accounts credentials coming from Hiera?
dcaro added a comment.Wed, Mar 15, 2:44 PM

Is that first manual run documented somewhere? I imagine I have to make some changes in the yaml file generated by Puppet?

Not yet, we decided to delay writing admin docs :/, feel free to create some docs for it though!
It's simple though, you just have to run the prepare script in that dir: https://github.com/toolforge/buildservice/blob/main/utils/get_harbor.sh#L21

I thought we were not using Trove because Postgres support was not good?

We are \o/, so far it's good enough, though we might want to setup some kind of backups eventually (also delayed)

Are the robot_accounts credentials coming from Hiera?

Yes, from the secrets repository in the puppetmaster of the project, we can add them together if you want/have not done it yet

gerritbot added a comment.Wed, Mar 15, 2:59 PM

Change 898773 merged by FNegri:

[operations/puppet@production] [tbs.harbor] Fix wrong paths for Harbor certs

https://gerrit.wikimedia.org/r/898773

fnegri updated the task description. (Show Details)Wed, Mar 15, 5:49 PM
fnegri updated the task description. (Show Details)Wed, Mar 15, 6:03 PM
fnegri mentioned this in T332208: [tbs] Harbor broken in toolsbeta because of missing db password.Wed, Mar 15, 6:23 PM
fnegri changed the status of subtask T332208: [tbs] Harbor broken in toolsbeta because of missing db password from Open to In Progress.
gerritbot added a comment.Wed, Mar 15, 6:28 PM

Change 899724 had a related patch set uploaded (by FNegri; author: FNegri):

[operations/puppet@production] [tbs.harbor] Clean up admin pwd management

https://gerrit.wikimedia.org/r/899724

dcaro added a comment.Thu, Mar 16, 1:25 PM

I've reset the password for the toolsbeta-harbor database, and harbor is back up and running (added it also to the secrets in the puppetmaster)

fnegri closed subtask T332208: [tbs] Harbor broken in toolsbeta because of missing db password as Resolved.Thu, Mar 16, 5:05 PM
gerritbot added a comment.Thu, Mar 16, 5:18 PM

Change 899724 merged by FNegri:

[operations/puppet@production] [tbs.harbor] Clean up admin pwd management

https://gerrit.wikimedia.org/r/899724

gerritbot added a comment.Thu, Mar 16, 5:32 PM

Change 900400 had a related patch set uploaded (by FNegri; author: FNegri):

[operations/puppet@production] [tbs.harbor] Remove duplicate pwd

https://gerrit.wikimedia.org/r/900400

fnegri added a comment.Thu, Mar 16, 6:01 PM

I created a Trove DB for the new tools-harbor-1 instance and created a database and a user inside that instance with:

postgres=# CREATE DATABASE harbor;
CREATE DATABASE
postgres=# CREATE USER harbor WITH ENCRYPTED PASSWORD 'xx';
CREATE ROLE
postgres=# GRANT ALL PRIVILEGES ON DATABASE harbor TO harbor;
GRANT

The password is stored in /etc/puppet/private/ in tools-puppetmaster-02.

fnegri updated the task description. (Show Details)Thu, Mar 16, 6:34 PM
fnegri added a parent task: T332347: Duplicate the maintain-harbor deployment for "tools".Thu, Mar 16, 6:44 PM
fnegri closed this task as Resolved.Thu, Mar 16, 6:46 PM
fnegri updated the task description. (Show Details)

Up and running at https://tools-harbor.wmcloud.org/ 🎉

fnegri moved this task from In Progress to Done on the Toolforge Build Service (Focus Week!) board.Thu, Mar 16, 6:47 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL