Page MenuHomePhabricator
Create Task
Maniphest T354661

Generate TLS certs for new WDQS endpoints
Closed, ResolvedPublic
Actions

Description

AC:

  • One TLS cert each, generated via cergen, for:
    • full-graph
    • main-graph
    • scholarly-articles

Details

SubjectRepoBranchLines +/-
wdqs graph-split: subdomain of query.wikidata.orgoperations/puppetproduction+3 -3
wdqs: add exp graph split endpoints to alt_namesoperations/puppetproduction+3 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

RKemper created this task.Jan 9 2024, 3:58 PM
BTullis subscribed.Jan 9 2024, 4:19 PM

I wonder whether should look at using the PKI for these certificates, rather than cergen.
I can look out some examples of where we have done this elsewhere in the Data Engineering infrastrcuture, in case that helps.
https://wikitech.wikimedia.org/wiki/PKI/Clients

Gehel moved this task from Incoming to Blocked/Waiting on the Discovery-Search (Current work) board.Jan 15 2024, 3:14 PM
Gehel removed a project: Wikidata-Query-Service.
Gehel added a subtask: T354043: Decide the name, domain and logo of WDQS for scholarly articles.Jan 15 2024, 3:18 PM
Gehel moved this task from Blocked/Waiting to DPE-SRE on the Discovery-Search (Current work) board.Jan 16 2024, 3:17 PM
Gehel moved this task from Backlog to In Progress on the Data-Platform-SRE (2024.01.01 - 2024.01.21) board.Jan 16 2024, 4:31 PM
RKemper added a comment.Jan 16 2024, 7:26 PM

We did the initial work to get envoy via PKI / cfssl operational in https://phabricator.wikimedia.org/T354555#9454855. Next up is adding specific alt-names for the three new endpoints. Here's a few different proposals for naming scheme:

  • full.query.wikidata.org, main.query.wikidata.org, scholar.query.wikidata.org
  • full.wikidata.org, main.wikidata.org, scholar.wikidata.org
  • full-query.wikidata.org, main-query.wikidata.org, and scholarly-query.wikidata.org
  • full-query.wikidata.org, main-query.wikidata.org, and scholar.wikidata.org
  • full-graph.wikidata.org, main-graph.wikidata.org, and scholar-graph.wikidata.org

Basically the main uncertainties are: do we want query in the domain? If so, do we want it to be X.query.wikidata.org where X is one of [full, main, scholarly] or rather X-query.wikidata.org?

RKemper added a comment.EditedJan 16 2024, 7:35 PM

Talked with gehel, ebernhardson, and inflatador. We're going to start with full-experimental.query.wikidata.org, main-experimental.query.wikidata.org, scholarly-experimental.query.wikidata.org to get these 3 test endpoints up. Meanwhile, we can open up the convo with the community as far as what the ultimate "final" naming/domain scheme will be wrt https://phabricator.wikimedia.org/T354043

gerritbot added a comment.Jan 16 2024, 7:38 PM

Change 991088 had a related patch set uploaded (by Ryan Kemper; author: Ryan Kemper):

[operations/puppet@production] wdqs: add exp graph split endpoints to alt_names

https://gerrit.wikimedia.org/r/991088

gerritbot added a project: Patch-For-Review.Jan 16 2024, 7:38 PM
gerritbot added a comment.Jan 16 2024, 7:42 PM

Change 991088 merged by Ryan Kemper:

[operations/puppet@production] wdqs: add exp graph split endpoints to alt_names

https://gerrit.wikimedia.org/r/991088

Gehel mentioned this in T354043: Decide the name, domain and logo of WDQS for scholarly articles.Jan 16 2024, 7:50 PM
gerritbot added a comment.Jan 16 2024, 7:54 PM

Change 991089 had a related patch set uploaded (by Ryan Kemper; author: Ryan Kemper):

[operations/puppet@production] wdqs graph-split: subdomain of query.wikidata.org

https://gerrit.wikimedia.org/r/991089

gerritbot added a comment.Jan 16 2024, 8:15 PM

Change 991089 merged by Ryan Kemper:

[operations/puppet@production] wdqs graph-split: subdomain of query.wikidata.org

https://gerrit.wikimedia.org/r/991089

Maintenance_bot removed a project: Patch-For-Review.Jan 16 2024, 8:30 PM
Gehel edited projects, added Data-Platform-SRE (2024.01.22 - 2024.02.11); removed Data-Platform-SRE (2024.01.01 - 2024.01.21).Jan 22 2024, 1:42 PM
Gehel moved this task from Backlog to In Progress on the Data-Platform-SRE (2024.01.22 - 2024.02.11) board.Jan 22 2024, 1:43 PM
Gehel triaged this task as High priority.Jan 22 2024, 2:27 PM
RKemper moved this task from In Progress to Done on the Data-Platform-SRE (2024.01.22 - 2024.02.11) board.Jan 22 2024, 8:01 PM

These 3 new services have their internal certs working with Envoy. Moving to Done and spun off https://phabricator.wikimedia.org/T355593 for the last cert-related work.

Gehel closed this task as Resolved.Jan 23 2024, 2:16 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL