Page MenuHomePhabricator
Create Task
Maniphest T356481

Configure ingress internal DNS records
Closed, ResolvedPublic
Actions

Description

We need to create internal DNS records (probably superset.eqiad.wmnet and superset-next.eqiad.wmnet as CNAME records pointing to k8s-ingress-dse.svc.eqiad.wmnet.

Details

SubjectRepoBranchLines +/-
superset: setup dyna mapping rulesoperations/puppetproduction+6 -0
Add superset/superset-next.svc.eqiad.wmnet recordsoperations/dnsmaster+3 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

brouberol renamed this task from Configure ingress DNS records to Configure ingress internal DNS records.Feb 2 2024, 8:04 AM
brouberol created this task.
brouberol mentioned this in T347710: Migrate the Analytics Superset instances to our DSE Kubernetes cluster.Feb 2 2024, 8:24 AM
gerritbot added a comment.Feb 2 2024, 8:43 AM

Change 995174 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/dns@master] Add superset/superset-next.svc.eqiad.wmnet records

https://gerrit.wikimedia.org/r/995174

gerritbot added a project: Patch-For-Review.Feb 2 2024, 8:43 AM
brouberol moved this task from Backlog to In Progress on the Data-Platform-SRE (2024.01.22 - 2024.02.11) board.Feb 2 2024, 8:43 AM
BTullis removed a project: Epic.Feb 2 2024, 11:33 AM
BTullis removed subscribers: Gehel, JAllemandou, MoritzMuehlenhoff, Volans.
brouberol moved this task from In Progress to Needs Review on the Data-Platform-SRE (2024.01.22 - 2024.02.11) board.Feb 6 2024, 10:30 AM
Stashbot added a comment.Feb 6 2024, 1:39 PM

Mentioned in SAL (#wikimedia-analytics) [2024-02-06T13:39:10Z] <brouberol> add new TLS SANs to the superset/superset-next certificates in dse-k8s-eqiad - T356481

gerritbot added a comment.Feb 6 2024, 2:36 PM

Change 997858 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] superset: setup dyna mapping rules

https://gerrit.wikimedia.org/r/997858

lbowmaker moved this task from Incoming (new tickets) to Radar (External Teams) on the Data-Engineering board.Feb 8 2024, 5:35 PM
Gehel edited projects, added Data-Platform-SRE (2024.02.12 - 2024.03.03); removed Data-Platform-SRE (2024.01.22 - 2024.02.11).Feb 9 2024, 10:45 AM
Gehel moved this task from Backlog to Needs Review on the Data-Platform-SRE (2024.02.12 - 2024.03.03) board.
Gehel triaged this task as High priority.Feb 9 2024, 1:36 PM
gerritbot added a comment.Feb 9 2024, 2:06 PM

Change 995174 merged by Brouberol:

[operations/dns@master] Add superset/superset-next.svc.eqiad.wmnet records

https://gerrit.wikimedia.org/r/995174

brouberol added a comment.Feb 9 2024, 2:11 PM
brouberol@dns1004:~$ dig +short superset-next.svc.eqiad.wmnet superset.svc.eqiad.wmnet
k8s-ingress-dse.svc.eqiad.wmnet.
10.2.2.91
k8s-ingress-dse.svc.eqiad.wmnet.
10.2.2.91
brouberol closed this task as Resolved.Feb 9 2024, 2:15 PM
brouberol@cumin1002:~$ curl -v https://superset-next.svc.eqiad.wmnet:30443/health
* Uses proxy env variable no_proxy == 'wikipedia.org,wikimedia.org,wikibooks.org,wikinews.org,wikiquote.org,wikisource.org,wikiversity.org,wikivoyage.org,wikidata.org,wikiworkshop.org,wikifunctions.org,wiktionary.org,mediawiki.org,wmfusercontent.org,w.wiki,wmnet,127.0.0.1,::1'
*   Trying 10.2.2.91:30443...
* Connected to superset-next.svc.eqiad.wmnet (10.2.2.91) port 30443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=superset-next.discovery.wmnet
*  start date: Feb  6 13:35:00 2024 GMT
*  expire date: Mar  5 13:35:00 2024 GMT
*  subjectAltName: host "superset-next.svc.eqiad.wmnet" matched cert's "superset-next.svc.eqiad.wmnet"
*  issuer: C=US; L=San Francisco; O=Wikimedia Foundation, Inc; OU=SRE Foundations; CN=discovery
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55909bdb7620)
> GET /health HTTP/2
> Host: superset-next.svc.eqiad.wmnet:30443
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
< HTTP/2 200
< server: istio-envoy
< date: Fri, 09 Feb 2024 14:15:48 GMT
< content-type: text/html; charset=utf-8
< content-length: 2
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
< content-security-policy: base-uri 'self'; default-src 'self'; img-src 'self' blob: data:; worker-src 'self' blob:; connect-src 'self' https://api.mapbox.com https://events.mapbox.com; object-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'strict-dynamic' 'nonce-xwTUQ6z_gt5NndSTWFFBGjefB22LeVid'
< strict-transport-security: max-age=31556926; includeSubDomains
< referrer-policy: strict-origin-when-cross-origin
< vary: Accept-Encoding
< x-envoy-upstream-service-time: 1026
<
* Connection #0 to host superset-next.svc.eqiad.wmnet left intact
OK
gerritbot added a comment.Feb 12 2024, 11:09 AM

Change 997858 merged by Brouberol:

[operations/puppet@production] superset: setup dyna mapping rules

https://gerrit.wikimedia.org/r/997858

Maintenance_bot removed a project: Patch-For-Review.Feb 12 2024, 11:30 AM
brouberol reopened this task as Open.Feb 12 2024, 1:53 PM
brouberol added a subscriber: Fabfur.Feb 12 2024, 1:56 PM

It seems that https://superset-k8s.wikimedia.org and https://superset-next-k8s.wikimedia.org return 502 errors.

It might be expected for https://superset-k8s.wikimedia.org, as the current login layer, mirrored from our bare metal deployment, is causing loops between / --> /superset/welcome/ --> /login/ --> /...

However, I have deployed a different auth strategy to superset-next , causing / to redirect to /superset/welcome, which redirects to /login, which returns a 200.

I've reached out to @Fabfur and we're not sure of what's happening exactly, at the moment.

brouberol added a comment.Feb 14 2024, 2:45 PM

We figured it out. ATS was sending a request with the header Host: superset-next-k8s.wikimedia.org, which was not part of the Ingress alternative FQDNs. Once that was fixed, we started seeing requests coming through and being responded with 200s.

brouberol closed this task as Resolved.Feb 14 2024, 2:45 PM
Gehel moved this task from Needs Review to Done on the Data-Platform-SRE (2024.02.12 - 2024.03.03) board.Feb 15 2024, 2:07 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL