
Parsoid instance on beta not accessible from restbase CI/dev envs
Open, High, Public

Description

Development environments and CI for RESTBase are using the beta cluster for testing purposes. One of the main backing services is the parsoid API.

Until lately we were able to access the beta instance of parsoid on:
http://parsoid-external-ci-access.beta.wmflabs.org

For the past few weeks, the parsoid instance has been accessible only over HTTPS, without enforcing cert verification.
Can we either allow port 80 on deployment-parsoid12 or make sure that the certificate served using HTTPS works in our test environments?

Currently, RESTBase CI is broken on GitHub.
Here is a dummy commit on GitHub that shows the issue: https://github.com/wikimedia/restbase/pull/1338

Event Timeline

hmm there must have been some change impacting the kind of certificate used for that endpoint. Right now it's using a WMF PKI issued cert:

---
Certificate chain
 0 s:CN = parsoid.svc.deployment-prep.eqiad1.wikimedia.cloud
   i:C = US, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = Cloud Services, CN = discovery
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA512
   v:NotBefore: Nov 19 12:24:00 2023 GMT; NotAfter: Dec 17 12:24:00 2023 GMT
 1 s:C = US, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = Cloud Services, CN = discovery
   i:C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = Cloud Services, CN = WMF_TEST_CA
   a:PKEY: id-ecPublicKey, 521 (bit); sigalg: ecdsa-with-SHA512
   v:NotBefore: Jan 28 12:02:00 2022 GMT; NotAfter: Jan 27 12:02:00 2027 GMT
---

as mentioned on IRC:

<vgutierrez> it looks like profile::tlsproxy::envoy::ssl_provider should be set to acme for deployment-parsoid12 (after configuring acme-chief there to issue the expected certificate)

I'm happy to assist if needed but probably @hnowlan knows his way better around parsoid puppetization than I do
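
The triage done by eye in the comment above can be scripted. This is an added example, not part of the task or of any Wikimedia tooling: it parses the chain block printed by openssl s_client and reports why a client holding only public roots rejects it. CI_TRUST is an assumed stand-in for the CI runner's trust store, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone
# Chain block copied from the comment above; its a:PKEY lines are left out.
CHAIN = """\
Certificate chain
 0 s:CN = parsoid.svc.deployment-prep.eqiad1.wikimedia.cloud
   i:C = US, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = Cloud Services, CN = discovery
   v:NotBefore: Nov 19 12:24:00 2023 GMT; NotAfter: Dec 17 12:24:00 2023 GMT
 1 s:C = US, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = Cloud Services, CN = discovery
   i:C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc", OU = Cloud Services, CN = WMF_TEST_CA
   v:NotBefore: Jan 28 12:02:00 2022 GMT; NotAfter: Jan 27 12:02:00 2027 GMT
"""
# Assumption: stand-in for the roots a CI runner trusts by default; not from the page.
CI_TRUST = {"ISRG Root X1"}

def _ts(text):
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_chain(text):
    """Return one dict per certificate: subject, issuer and, if printed, validity."""
    certs = []
    for line in text.splitlines():
        if m := re.match(r"\s*\d+ s:(.*)", line):
            certs.append({"subject": m.group(1).strip(), "issuer": ""})
        elif certs and (m := re.match(r"\s+i:(.*)", line)):
            certs[-1]["issuer"] = m.group(1).strip()
        elif certs and (m := re.match(r"\s+v:NotBefore: (.*?) GMT; NotAfter: (.*?) GMT", line)):
            certs[-1]["not_before"], certs[-1]["not_after"] = _ts(m.group(1)), _ts(m.group(2))
    return certs

def cn(dn):  # common name of a DN as openssl prints it (CN is the last attribute)
    m = re.search(r"CN = ([^,]+)$", dn)
    return m.group(1) if m else dn

def diagnose(text, trusted_root_cns, now):
    """Name-based triage only; it does not verify any signature."""
    certs, findings = parse_chain(text), []
    if not certs:
        return ["no certificates found in input"]
    nb, na = certs[0].get("not_before"), certs[0].get("not_after")
    if nb and not nb <= now <= na:
        findings.append("leaf is outside its validity window")
    for lower, upper in zip(certs, certs[1:]):
        if lower["issuer"] != upper["subject"]:
            findings.append(f"{cn(lower['subject'])} is not issued by the next certificate")
    root = cn(certs[-1]["issuer"])
    if root not in trusted_root_cns:
        findings.append(f"chain ends at {root}, which the client does not trust")
    return findings
```

Called with a date inside the leaf's validity window and CI_TRUST, the only finding is the private root, which matches the comment's reading that the endpoint now serves a WMF PKI certificate.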

daniel triaged this task as High priority. Nov 27 2023, 3:28 PM
daniel updated the task description.