
Open Openstack APIs to the public internet
Closed, Resolved · Public

Event Timeline


Change 838903 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Openstack Keystone: Expose the Keystone public API

https://gerrit.wikimedia.org/r/838903

Change 838904 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Openstack Nova: Expose the Nova public API

https://gerrit.wikimedia.org/r/838904

Change 838905 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Openstack Glance: Expose the Glance public API

https://gerrit.wikimedia.org/r/838905

Change 838906 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Openstack Cinder: Expose the Cinder public API

https://gerrit.wikimedia.org/r/838906

Change 838907 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Openstack Neutron: Expose the Neutron public API

https://gerrit.wikimedia.org/r/838907

Change 838908 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Openstack Designate: Expose the Designate public API

https://gerrit.wikimedia.org/r/838908

Change 838903 merged by Andrew Bogott:

[operations/puppet@production] Openstack Keystone: Expose the Keystone public API

https://gerrit.wikimedia.org/r/838903

Change 838904 merged by Andrew Bogott:

[operations/puppet@production] Openstack Nova: Expose the Nova public API

https://gerrit.wikimedia.org/r/838904

From my laptop:

andrew@buster:~/openstackclientthings$ cat appcreddemo.py

from keystoneauth1.identity.v3 import ApplicationCredential
from keystoneauth1 import session as keystone_session
from novaclient import client as nova_client

# Authenticate to Keystone with an application credential (id + secret)
# rather than a user password; the token it issues is scoped to the
# project and roles the credential was created with.
auth = ApplicationCredential(
    auth_url="https://openstack.codfw1dev.wikimediacloud.org:25000/v3",
    application_credential_secret='<redacted>',
    application_credential_id='1d083ef393ea4dafb86446da920a4c61',
    user_domain_id='default',
    )

# The session obtains and renews the token for every client built on it.
session = keystone_session.Session(auth=auth)
client = nova_client.Client(
                '2', session=session, connect_retries=5, timeout=300,
                region_name='codfw1dev-r')
print(client.servers.list())

andrew@buster:~/openstackclientthings$ python3 ./appcreddemo.py

[<Server: util-bullseye-codfw1dev>, <Server: util-codfw1dev>]

Change 838905 merged by Andrew Bogott:

[operations/puppet@production] Openstack Glance: Expose the Glance public API

https://gerrit.wikimedia.org/r/838905

Change 838906 merged by Andrew Bogott:

[operations/puppet@production] Openstack Cinder: Expose the Cinder public API

https://gerrit.wikimedia.org/r/838906

Change 838907 merged by Andrew Bogott:

[operations/puppet@production] Openstack Neutron: Expose the Neutron public API

https://gerrit.wikimedia.org/r/838907

Change 838908 merged by Andrew Bogott:

[operations/puppet@production] Openstack Designate: Expose the Designate public API

https://gerrit.wikimedia.org/r/838908

With the CLI:

$ apt-get install python3-openstackclient

$ export OS_AUTH_URL="https://openstack.codfw1dev.wikimediacloud.org:25000/v3"
$ export OS_IDENTITY_API_VERSION=3
$ export OS_AUTH_TYPE=v3applicationcredential
$ export OS_APPLICATION_CREDENTIAL_SECRET=<redacted>
$ export OS_APPLICATION_CREDENTIAL_ID=f20108fb41324be19587c48d47bf76fe
$ export OS_APPLICATION_CREDENTIAL_NAME=clidemo
$ export OS_INTERFACE=public

$ openstack server list
+--------------------------------------+-------------------------+--------+------------------------------------------+----------------------------------------------+-----------------------+
| ID                                   | Name                    | Status | Networks                                 | Image                                        | Flavor                |
+--------------------------------------+-------------------------+--------+------------------------------------------+----------------------------------------------+-----------------------+
| cd0838db-578b-4fc8-b99b-be6300ef6a66 | util-bullseye-codfw1dev | ACTIVE | lan-flat-cloudinstances2b=172.16.128.70  | debian-11.0-bullseye (deprecated 2022-06-02) | g2.cores1.ram2.disk20 |
| b6e7ea90-7072-4536-9571-072c88c2e930 | util-codfw1dev          | ACTIVE | lan-flat-cloudinstances2b=172.16.128.122 | debian-11.0-bullseye (deprecated 2022-06-02) | g2.cores1.ram2.disk20 |
+--------------------------------------+-------------------------+--------+------------------------------------------+----------------------------------------------+-----------------------+
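Both demos above, the Python script and the CLI environment, drive the same Keystone exchange: POST the application credential's id and secret to /v3/auth/tokens, take the token from the X-Subject-Token response header, and pick the public compute endpoint for the region out of the service catalog (that is what OS_INTERFACE=public and region_name select). The following is an added example, not code from this task or from the operations/puppet repository, that performs that exchange with the Python standard library only, refuses a non-HTTPS auth_url (the secret travels in the request body), and also builds the request that creates a least-privilege credential: an expiry, unrestricted=False, and access rules. The auth URL and region are the ones shown in the task; the credential id and secret, the project and role names, the sample token reply and the endpoint URLs inside it are constructed, and the transport is injectable so the sample runs offline.

```python
# Added example: Keystone v3 application-credential login as a raw HTTPS
# exchange (not code from the task or from operations/puppet). The auth URL
# and region are the task's; ids, secrets, the sample token body and the
# endpoint URLs below are constructed stand-ins.
import json
import urllib.request
from urllib.parse import urlparse

AUTH_URL = "https://openstack.codfw1dev.wikimediacloud.org:25000/v3"
REGION = "codfw1dev-r"

class AuthError(Exception):
    pass

def build_app_credential_request(name, expires_at, access_rules, roles=("reader",)):
    """Body for POST /v3/users/{user_id}/application_credentials: an expiry,
    unrestricted=False (cannot mint further credentials or trusts) and access
    rules whitelisting the calls it needs. The 'reader' role is an assumption."""
    if not access_rules:
        raise ValueError("refusing to build an application credential without access rules")
    return {"application_credential": {
        "name": name, "expires_at": expires_at, "unrestricted": False,
        "roles": [{"name": r} for r in roles], "access_rules": list(access_rules)}}

def build_auth_request(app_cred_id, secret):
    """Body for POST /v3/auth/tokens; only the id and secret leave the client."""
    return {"auth": {"identity": {
        "methods": ["application_credential"],
        "application_credential": {"id": app_cred_id, "secret": secret}}}}

def https_post(url, body):
    """Default transport: JSON POST returning (status, headers, body_text)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, dict(resp.headers.items()), resp.read().decode()

def find_public_endpoint(catalog, service_type, region):
    """What OS_INTERFACE=public plus region_name select from the service catalog."""
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("interface") == "public" and ep.get("region") == region:
                return ep["url"]
    raise AuthError(f"no public {service_type} endpoint in region {region}")

def authenticate(auth_url, app_cred_id, secret, region, transport=https_post):
    """Exchange the credential for a token; return what a client needs next."""
    if urlparse(auth_url).scheme != "https":
        raise AuthError("secret would travel in clear text: auth_url must be https://")
    status, headers, text = transport(auth_url.rstrip("/") + "/auth/tokens",
                                      build_auth_request(app_cred_id, secret))
    if status != 201:
        raise AuthError(f"token request failed with HTTP {status}")
    token_id = {k.lower(): v for k, v in headers.items()}.get("x-subject-token")
    if not token_id:
        raise AuthError("response carried no X-Subject-Token header")
    token = json.loads(text)["token"]
    return {
        "token": token_id,
        "expires_at": token["expires_at"],
        "project": token["project"]["name"],
        "roles": sorted(r["name"] for r in token["roles"]),
        "restricted": token["application_credential"]["restricted"],
        "compute_url": find_public_endpoint(token["catalog"], "compute", region),
    }

# Constructed Keystone reply so the exchange can be exercised offline.
SAMPLE_TOKEN = {"token": {
    "methods": ["application_credential"],
    "expires_at": "2022-10-14T13:00:00.000000Z",
    "project": {"id": "constructed-project-id", "name": "demo-project"},
    "roles": [{"id": "constructed-role-id", "name": "reader"}],
    "application_credential": {"id": "f20108fb41324be19587c48d47bf76fe",
                               "name": "clidemo", "restricted": True},
    "catalog": [{"type": "compute", "name": "nova", "endpoints": [
        {"interface": "internal", "region": REGION, "url": "http://nova.internal.test:8774/v2.1"},
        {"interface": "public", "region": REGION, "url": "https://compute.public.test/v2.1"}]}],
}}

def fake_transport(url, body):
    """Stand-in for https_post that answers from SAMPLE_TOKEN."""
    if not url.endswith("/v3/auth/tokens"):
        return 404, {}, ""
    if body["auth"]["identity"]["methods"] != ["application_credential"]:
        return 401, {}, ""
    return 201, {"X-Subject-Token": "constructed-token-id"}, json.dumps(SAMPLE_TOKEN)

def demo():
    return authenticate(AUTH_URL, "constructed-id", "constructed-secret", REGION, fake_transport)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the parsed result for the constructed reply; with a real id and secret and the default transport it talks to the task's Keystone. An access rule such as {"service": "compute", "method": "GET", "path": "/v2.1/servers"} is all the `openstack server list` above needs, and a credential built that way cannot be used to create, delete or reboot instances even if it leaks from a laptop or a CI job.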

Mentioned in SAL (#wikimedia-cloud) [2022-10-13T14:00:51Z] <andrewbogott> added proxy-api security group to proxy0[34], opening the proxy API to the public for T319312

Change 844457 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:openstack: expose remaining APIs to the internet

https://gerrit.wikimedia.org/r/844457

Change 844506 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Keep Nova API public in eqiad1 but restrict in codfw1dev

https://gerrit.wikimedia.org/r/844506

Change 844506 merged by Andrew Bogott:

[operations/puppet@production] Keep Nova API public in eqiad1 but restrict in codfw1dev

https://gerrit.wikimedia.org/r/844506

Change 845063 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] OpenStack HAProxy: support frontend ferm rules into haproxy

https://gerrit.wikimedia.org/r/845063

Change 845064 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] OpenStack nova: move the frontend firewall handling to haproxy code

https://gerrit.wikimedia.org/r/845064

Change 845063 merged by Andrew Bogott:

[operations/puppet@production] OpenStack HAProxy: support frontend ferm rules into haproxy

https://gerrit.wikimedia.org/r/845063

Change 845064 merged by Andrew Bogott:

[operations/puppet@production] OpenStack nova: move the frontend firewall handling to haproxy code

https://gerrit.wikimedia.org/r/845064

Change 849098 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Neutron, glance, cinder, keystone: Move api firewall rules into haproxy code

https://gerrit.wikimedia.org/r/849098

Change 849098 merged by Andrew Bogott:

[operations/puppet@production] Neutron, glance, cinder, keystone: Move api firewall rules into haproxy code

https://gerrit.wikimedia.org/r/849098

Change 849104 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] haproxy: correct srange syntax for internal apis

https://gerrit.wikimedia.org/r/849104

Change 849104 merged by Andrew Bogott:

[operations/puppet@production] haproxy: correct srange syntax for internal apis

https://gerrit.wikimedia.org/r/849104

Change 849127 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] OpenStack trove: expose API to the public internet

https://gerrit.wikimedia.org/r/849127

Change 849127 merged by Andrew Bogott:

[operations/puppet@production] OpenStack trove: expose API to the public internet

https://gerrit.wikimedia.org/r/849127

Change 849128 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] haproxy/ferm: rename internal ferm rules 'internal' rather than 'public'

https://gerrit.wikimedia.org/r/849128

Change 849128 merged by Andrew Bogott:

[operations/puppet@production] haproxy/ferm: rename internal ferm rules 'internal' rather than 'public'

https://gerrit.wikimedia.org/r/849128

All done. There's at least one remaining API to open up: the puppet ENC. That's tracked in the subtasks of T317478.

Change 854092 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Open magnum and heat apis to the greater internet

https://gerrit.wikimedia.org/r/854092

Change 854092 abandoned by Andrew Bogott:

[operations/puppet@production] Open magnum and heat apis to the greater internet

Reason:

This is long done via the haproxy layer

https://gerrit.wikimedia.org/r/854092

Change 844457 abandoned by Majavah:

[operations/puppet@production] P:openstack: expose remaining APIs to the internet

Reason:

superseded by cloudlb work

https://gerrit.wikimedia.org/r/844457