Page MenuHomePhabricator
Create Task
Maniphest T319312

Open Openstack APIs to the public internet
Closed, ResolvedPublic
Actions

Details

Related Changes in Gerrit:
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

Andrew created this task.Oct 4 2022, 3:31 PM
Restricted Application added a project: cloud-services-team (Kanban). · View Herald TranscriptOct 4 2022, 3:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Andrew added a subtask: T267194: CloudVPS: enable TLS in openstack API endpoints.Oct 4 2022, 3:31 PM
taavi added a subtask: T319313: Prepare to block and throttle Openstack APIs.Oct 4 2022, 3:36 PM
taavi closed subtask T267194: CloudVPS: enable TLS in openstack API endpoints as Resolved.Oct 4 2022, 7:26 PM
gerritbot added a comment.Oct 5 2022, 9:02 PM

Change 838903 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Openstack Keystone: Expose the Keystone public API

https://gerrit.wikimedia.org/r/838903

gerritbot added a project: Patch-For-Review.Oct 5 2022, 9:02 PM

Change 838904 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Openstack Nova: Expose the Nova public API

https://gerrit.wikimedia.org/r/838904

gerritbot added a comment.Oct 5 2022, 9:02 PM

Change 838905 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Openstack Glance: Expose the Glance public API

https://gerrit.wikimedia.org/r/838905

gerritbot added a comment.Oct 5 2022, 9:02 PM

Change 838906 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Openstack Cinder: Expose the Cinder public API

https://gerrit.wikimedia.org/r/838906

gerritbot added a comment.Oct 5 2022, 9:02 PM

Change 838907 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Openstack Neutron: Expose the Neutron public API

https://gerrit.wikimedia.org/r/838907

gerritbot added a comment.Oct 5 2022, 9:02 PM

Change 838908 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Openstack Designate: Expose the Designate public API

https://gerrit.wikimedia.org/r/838908

taavi added a parent task: T294195: Openstack API access credentials.Oct 11 2022, 2:35 PM
taavi removed a parent task: T294195: Openstack API access credentials.
taavi added a subtask: T294195: Openstack API access credentials.
taavi closed subtask T294195: Openstack API access credentials as Resolved.
taavi mentioned this in T294195: Openstack API access credentials.
fgiunchedi subscribed.Oct 11 2022, 2:52 PM
gerritbot added a comment.Oct 11 2022, 4:47 PM

Change 838903 merged by Andrew Bogott:

[operations/puppet@production] Openstack Keystone: Expose the Keystone public API

https://gerrit.wikimedia.org/r/838903

gerritbot added a comment.Oct 12 2022, 3:07 AM

Change 838904 merged by Andrew Bogott:

[operations/puppet@production] Openstack Nova: Expose the Nova public API

https://gerrit.wikimedia.org/r/838904

Andrew added a comment.Oct 12 2022, 3:14 AM

From my laptop:

andrew@buster:~/openstackclientthings$ cat appcreddemo.py 

from keystoneauth1.identity.v3 import ApplicationCredential
from keystoneauth1 import session as keystone_session
from novaclient import client as nova_client

auth = ApplicationCredential(
    auth_url="https://openstack.codfw1dev.wikimediacloud.org:25000/v3",
    application_credential_secret='<redacted>',
    application_credential_id='1d083ef393ea4dafb86446da920a4c61',
    user_domain_id='default',
    )

session = keystone_session.Session(auth=auth)
client = nova_client.Client(
                '2', session=session, connect_retries=5, timeout=300,
                region_name='codfw1dev-r')
print(client.servers.list())

andrew@buster:~/openstackclientthings$ python3 ./appcreddemo.py 

[<Server: util-bullseye-codfw1dev>, <Server: util-codfw1dev>]
gerritbot added a comment.Oct 12 2022, 3:23 AM

Change 838905 merged by Andrew Bogott:

[operations/puppet@production] Openstack Glance: Expose the Glance public API

https://gerrit.wikimedia.org/r/838905

gerritbot added a comment.Oct 12 2022, 3:24 AM

Change 838906 merged by Andrew Bogott:

[operations/puppet@production] Openstack Cinder: Expose the Cinder public API

https://gerrit.wikimedia.org/r/838906

gerritbot added a comment.Oct 12 2022, 5:40 PM

Change 838907 merged by Andrew Bogott:

[operations/puppet@production] Openstack Neutron: Expose the Neutron public API

https://gerrit.wikimedia.org/r/838907

gerritbot added a comment.Oct 12 2022, 5:40 PM

Change 838908 merged by Andrew Bogott:

[operations/puppet@production] Openstack Designate: Expose the Designate public API

https://gerrit.wikimedia.org/r/838908

Maintenance_bot removed a project: Patch-For-Review.Oct 12 2022, 6:30 PM
Andrew added a comment.Oct 12 2022, 9:02 PM

With the CLI:

$ apt-get install python3-openstackclient

$ export OS_AUTH_URL="https://openstack.codfw1dev.wikimediacloud.org:25000/v3"
$ export OS_IDENTITY_API_VERSION=3
$ export OS_AUTH_TYPE=v3applicationcredential
$ export OS_APPLICATION_CREDENTIAL_SECRET=<redacted>
$ export OS_APPLICATION_CREDENTIAL_ID=f20108fb41324be19587c48d47bf76fe
$ export OS_APPLICATION_CREDENTIAL_NAME=clidemo
$ export OS_INTERFACE=public

$ openstack server list
+--------------------------------------+-------------------------+--------+------------------------------------------+----------------------------------------------+-----------------------+

IDNameStatusNetworksImageFlavor

+--------------------------------------+-------------------------+--------+------------------------------------------+----------------------------------------------+-----------------------+

cd0838db-578b-4fc8-b99b-be6300ef6a66util-bullseye-codfw1devACTIVElan-flat-cloudinstances2b=172.16.128.70debian-11.0-bullseye (deprecated 2022-06-02)g2.cores1.ram2.disk20
b6e7ea90-7072-4536-9571-072c88c2e930util-codfw1devACTIVElan-flat-cloudinstances2b=172.16.128.122debian-11.0-bullseye (deprecated 2022-06-02)g2.cores1.ram2.disk20

+--------------------------------------+-------------------------+--------+------------------------------------------+----------------------------------------------+-----------------------+

Andrew added a comment.Oct 13 2022, 4:36 AM

some docs: https://wikitech.wikimedia.org/wiki/Help:Using_OpenStack_APIs

taavi added a parent task: T316436: Cloud VPS Terraform support.Oct 13 2022, 9:24 AM
Stashbot added a comment.Oct 13 2022, 2:00 PM

Mentioned in SAL (#wikimedia-cloud) [2022-10-13T14:00:51Z] <andrewbogott> added proxy-api security group to proxy0[34], opening the proxy API to the public for T319312

gerritbot added a comment.Oct 19 2022, 10:28 AM

Change 844457 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:openstack: expose remaining APIs to the internet

https://gerrit.wikimedia.org/r/844457

gerritbot added a project: Patch-For-Review.Oct 19 2022, 10:28 AM
gerritbot added a comment.Oct 19 2022, 4:42 PM

Change 844506 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Keep Nova API public in eqiad1 but restrict in codfw1dev

https://gerrit.wikimedia.org/r/844506

gerritbot added a comment.Oct 20 2022, 2:53 PM

Change 844506 merged by Andrew Bogott:

[operations/puppet@production] Keep Nova API public in eqiad1 but restrict in codfw1dev

https://gerrit.wikimedia.org/r/844506

gerritbot added a comment.Oct 20 2022, 10:06 PM

Change 845063 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] OpenStack HAProxy: support frontend ferm rules into haproxy

https://gerrit.wikimedia.org/r/845063

gerritbot added a comment.Oct 20 2022, 10:06 PM

Change 845064 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] OpenStack nova: move the frontend firewall handling to haproxy code

https://gerrit.wikimedia.org/r/845064

gerritbot added a comment.Oct 25 2022, 1:33 PM

Change 845063 merged by Andrew Bogott:

[operations/puppet@production] OpenStack HAProxy: support frontend ferm rules into haproxy

https://gerrit.wikimedia.org/r/845063

gerritbot added a comment.Oct 25 2022, 1:39 PM

Change 845064 merged by Andrew Bogott:

[operations/puppet@production] OpenStack nova: move the frontend firewall handling to haproxy code

https://gerrit.wikimedia.org/r/845064

gerritbot added a comment.Oct 25 2022, 1:54 PM

Change 849098 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Neutron, glance, cinder, keystone: Move api firewall rules into haproxy code

https://gerrit.wikimedia.org/r/849098

gerritbot added a comment.Oct 25 2022, 2:02 PM

Change 849098 merged by Andrew Bogott:

[operations/puppet@production] Neutron, glance, cinder, keystone: Move api firewall rules into haproxy code

https://gerrit.wikimedia.org/r/849098

gerritbot added a comment.Oct 25 2022, 2:16 PM

Change 849104 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] haproxy: correct srange syntax for internal apis

https://gerrit.wikimedia.org/r/849104

gerritbot added a comment.Oct 25 2022, 2:23 PM

Change 849104 merged by Andrew Bogott:

[operations/puppet@production] haproxy: correct srange syntax for internal apis

https://gerrit.wikimedia.org/r/849104

Andrew closed subtask T320541: Remove or modify the keystone 'safelist' password extension? as Declined.Oct 25 2022, 5:00 PM
Andrew closed subtask T319313: Prepare to block and throttle Openstack APIs as Resolved.
gerritbot added a comment.Oct 25 2022, 5:02 PM

Change 849127 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] OpenStack trove: expose API to the public internet

https://gerrit.wikimedia.org/r/849127

gerritbot added a comment.Oct 25 2022, 5:10 PM

Change 849127 merged by Andrew Bogott:

[operations/puppet@production] OpenStack trove: expose API to the public internet

https://gerrit.wikimedia.org/r/849127

gerritbot added a comment.Oct 25 2022, 5:12 PM

Change 849128 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] haproxy/ferm: rename internal ferm rules 'internal' rather than 'public'

https://gerrit.wikimedia.org/r/849128

gerritbot added a comment.Oct 25 2022, 5:14 PM

Change 849128 merged by Andrew Bogott:

[operations/puppet@production] haproxy/ferm: rename internal ferm rules 'internal' rather than 'public'

https://gerrit.wikimedia.org/r/849128

Andrew closed this task as Resolved.Oct 27 2022, 10:29 PM

All done. There's at least one remaining api to open up: the puppet ENC. That's tracked in the subtasks of T317478

gerritbot added a comment.Nov 7 2022, 7:41 PM

Change 854092 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Open magnum and heat apis to the greater internet

https://gerrit.wikimedia.org/r/854092

taavi mentioned this in T332476: Toolforge: expose API gateway to the internet.Mar 18 2023, 2:26 PM
gerritbot added a comment.Oct 23 2023, 2:36 PM

Change 854092 abandoned by Andrew Bogott:

[operations/puppet@production] Open magnum and heat apis to the greater internet

Reason:

This is long done via the haproxy layer

https://gerrit.wikimedia.org/r/854092

gerritbot added a comment.Jan 19 2024, 12:19 PM

Change 844457 abandoned by Majavah:

[operations/puppet@production] P:openstack: expose remaining APIs to the internet

Reason:

superseded by cloudlb work

https://gerrit.wikimedia.org/r/844457

Maintenance_bot removed a project: Patch-For-Review.Jan 19 2024, 12:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits