Page MenuHomePhabricator
Create Task
Maniphest T364533

Migrate AQS and image-suggestions services to Calico Network Policies
Closed, ResolvedPublic
Actions

Description

We need to migrate all of the services that use the aqs-http-gateway chart to make use of the new external-services mechanism, which will make it easier to specify the correct network policies to enable access to their Cassandra and Druid data sources.

The following six are AQS services:

Service External Services
device-analyticscassandra aqs
edit-analyticscassandra aqs, druid-public
editor-analyticscassandra aqs, druid-public
geo-analyticscassandra aqs
media-analyticscassandra aqs
page-analyticscassandra aqs

In addition, we have one more service that uses the same chart:

Service External Services
image-suggestionscassandra aqs

Image-suggestions is not technically an AQS service, which is why it is listed separately.

Currently, we use symlinks to share a set of common network policies in an _aqs2-common_ folder for the cassandra hosts, specific to each data centre:

btullis@deploy1002:/srv/deployment-charts/helmfile.d/services$ find *-analytics -type l -exec ls -o {} \;
lrwxrwxrwx 1 root 34 Nov  1  2023 device-analytics/global-staging.yaml -> ../_aqs2-common_/global-eqiad.yaml
lrwxrwxrwx 1 root 34 Nov  1  2023 device-analytics/global-eqiad.yaml -> ../_aqs2-common_/global-eqiad.yaml
lrwxrwxrwx 1 root 34 Nov  1  2023 device-analytics/global-codfw.yaml -> ../_aqs2-common_/global-codfw.yaml
lrwxrwxrwx 1 root 34 May  2 17:43 editor-analytics/global-staging.yaml -> ../_aqs2-common_/global-eqiad.yaml
lrwxrwxrwx 1 root 34 May  2 17:43 editor-analytics/global-eqiad.yaml -> ../_aqs2-common_/global-eqiad.yaml
lrwxrwxrwx 1 root 34 May  2 17:43 editor-analytics/global-codfw.yaml -> ../_aqs2-common_/global-codfw.yaml
lrwxrwxrwx 1 root 34 Nov  1  2023 geo-analytics/global-staging.yaml -> ../_aqs2-common_/global-eqiad.yaml
lrwxrwxrwx 1 root 34 Nov  1  2023 geo-analytics/global-eqiad.yaml -> ../_aqs2-common_/global-eqiad.yaml
lrwxrwxrwx 1 root 34 Nov  1  2023 geo-analytics/global-codfw.yaml -> ../_aqs2-common_/global-codfw.yaml
lrwxrwxrwx 1 root 34 Nov  1  2023 media-analytics/global-staging.yaml -> ../_aqs2-common_/global-codfw.yaml
lrwxrwxrwx 1 root 34 Nov  1  2023 media-analytics/global-eqiad.yaml -> ../_aqs2-common_/global-eqiad.yaml
lrwxrwxrwx 1 root 34 Nov  1  2023 media-analytics/global-codfw.yaml -> ../_aqs2-common_/global-codfw.yaml
lrwxrwxrwx 1 root 34 Nov  1  2023 page-analytics/global-staging.yaml -> ../_aqs2-common_/global-codfw.yaml
lrwxrwxrwx 1 root 34 Nov  1  2023 page-analytics/global-eqiad.yaml -> ../_aqs2-common_/global-eqiad.yaml
lrwxrwxrwx 1 root 34 Nov  1  2023 page-analytics/global-codfw.yaml -> ../_aqs2-common_/global-codfw.yaml

We noticed when modifying editor-analytics to use both Cassandra and Druid that this mechanism would no longer be the most suitable, so we should migrate to Calico Network Policies.

In addition the druid-public extry in the external-services contains all of the brokers, but it doesn't contain the LVS service IP, which is what clients currently use.
We may want to consider adding this IP address to the network policy.

btullis@puppetmaster1001:~$ host 10.2.2.38
38.2.2.10.in-addr.arpa domain name pointer druid-public-broker.svc.eqiad.wmnet.

The druid analytics cluster doesn't use LVS, so it doesn't need modifying.

Details

SubjectRepoBranchLines +/-
Migrate AQS2 services and image-suggestions to calico network policiesoperations/deployment-chartsmaster+181 -323
Customize query in gerrit

Related Objects
Search...

Event Timeline

BTullis created this task.May 9 2024, 10:48 AM
BTullis mentioned this in T359423: Migrate charts to Calico Network Policies.May 9 2024, 10:50 AM
Sfaci subscribed.May 9 2024, 10:52 AM
Sfaci added a project: Data Products (Data Products Sprint 13).May 9 2024, 8:09 PM
Gehel triaged this task as Medium priority.May 10 2024, 8:21 AM
Gehel moved this task from Incoming to Toil / Automation on the Data-Platform-SRE board.
VirginiaPoundstone edited projects, added Data Products; removed Data Products (Data Products Sprint 13).May 13 2024, 3:43 PM
VirginiaPoundstone moved this task from Incoming to Radar (other teams) on the Data Products board.
BTullis edited projects, added Data-Platform-SRE (2024.05.06 - 2024.05.26); removed Data-Platform-SRE.May 16 2024, 4:54 PM
BTullis added a subscriber: WDoranWMF.

Moving this into our current sprint, since we would really like to get this done before the end of the month.

BTullis claimed this task.May 20 2024, 11:03 AM
BTullis moved this task from Backlog to In Progress on the Data-Platform-SRE (2024.05.06 - 2024.05.26) board.
gerritbot added a comment.May 22 2024, 11:46 AM

Change #1033405 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/deployment-charts@master] Migrate AQS2 services and image-suggestions to calico network policies

https://gerrit.wikimedia.org/r/1033405

gerritbot added a project: Patch-For-Review.May 22 2024, 11:46 AM
BTullis moved this task from In Progress to Needs Review on the Data-Platform-SRE (2024.05.06 - 2024.05.26) board.May 22 2024, 1:40 PM

I believe that this is ready for review now.

I have only used 'external-services' for the cassandra policy, not the druid-public policy.
The reason for that is that both services that access druid so so using the VIP of the LVS service, rather than the IP addresses of hosts themselves.

So I've left this existing druid network policy in place and only added external_services to the global-[eqiad-codfw].yaml symlink targets, for now.

gerritbot added a comment.May 24 2024, 11:05 AM

Change #1033405 merged by jenkins-bot:

[operations/deployment-charts@master] Migrate AQS2 services and image-suggestions to calico network policies

https://gerrit.wikimedia.org/r/1033405

Maintenance_bot removed a project: Patch-For-Review.May 24 2024, 11:31 AM
Gehel edited projects, added Data-Platform-SRE (2024.05.27 - 2024.06.16); removed Data-Platform-SRE (2024.05.06 - 2024.05.26).May 24 2024, 12:19 PM
Gehel moved this task from Backlog to Needs Review on the Data-Platform-SRE (2024.05.27 - 2024.06.16) board.
BTullis moved this task from Needs Review to To Be Deployed on the Data-Platform-SRE (2024.05.27 - 2024.06.16) board.May 24 2024, 12:51 PM
BTullis added a subscriber: mfossati.

All of the AQS services are now deployed, which unblocks the deployment of new versions of edit-analytics and editor-analytics by the end of the month, in support of: T355536: [Sprint 08 GOAL][SDS 2.6.5] AQS 2: Mediawiki history reduced snapshot automation

I will wait until next week to deploy image-suggestions but it should be similarly low-risk.
There is a small change to the list of cassandra servers that the application uses, so I would like to make sure that @mfossati is able to help verify that it is working, if possible.

BTullis closed this task as Resolved.Jun 4 2024, 4:08 PM
BTullis moved this task from To Be Deployed to Done on the Data-Platform-SRE (2024.05.27 - 2024.06.16) board.

I have now deployed image-suggestion with the new chart too. Marking this as resolved.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits