AC:
- One TLS cert each, generated via cergen, for:
  - full-graph
  - main-graph
  - scholarly-articles
Status | Subtype | Assigned | Task
---|---|---|---
Open | | None | T335067 Epic: Wikidata Query Service stabilization
Open | | None | T337013 [Epic] Splitting the graph in WDQS
Resolved | | Gehel | T350464 Expose SPARQL endpoints with full wikidata data set and with split graph to enable experimentation on federation with a split graph
Resolved | | RKemper | T351650 Expose 3 new dedicated WDQS endpoints
Resolved | | RKemper | T354661 Generate TLS certs for new WDQS endpoints
Open | | None | T354043 Decide the name, domain and logo of WDQS for scholarly articles
I wonder whether we should look at using the PKI for these certificates, rather than cergen.
I can look out some examples of where we have done this elsewhere in the Data Engineering infrastructure, in case that helps.
https://wikitech.wikimedia.org/wiki/PKI/Clients
We did the initial work to get envoy via PKI / cfssl operational in https://phabricator.wikimedia.org/T354555#9454855. Next up is adding specific alt-names for the three new endpoints. Here's a few different proposals for naming scheme:
Basically the main uncertainties are: do we want query in the domain? If so, do we want it to be X.query.wikidata.org where X is one of [full, main, scholarly] or rather X-query.wikidata.org?
Talked with gehel, ebernhardson, and inflatador. We're going to start with full-experimental.query.wikidata.org, main-experimental.query.wikidata.org, scholarly-experimental.query.wikidata.org to get these 3 test endpoints up. Meanwhile, we can open up the convo with the community as far as what the ultimate "final" naming/domain scheme will be wrt https://phabricator.wikimedia.org/T354043
Change 991088 had a related patch set uploaded (by Ryan Kemper; author: Ryan Kemper):
[operations/puppet@production] wdqs: add exp graph split endpoints to alt_names
Change 991088 merged by Ryan Kemper:
[operations/puppet@production] wdqs: add exp graph split endpoints to alt_names
Change 991089 had a related patch set uploaded (by Ryan Kemper; author: Ryan Kemper):
[operations/puppet@production] wdqs graph-split: subdomain of query.wikidata.org
Change 991089 merged by Ryan Kemper:
[operations/puppet@production] wdqs graph-split: subdomain of query.wikidata.org
These 3 new services have their internal certs working with Envoy. Moving to Done and spun off https://phabricator.wikimedia.org/T355593 for the last cert-related work.