
Allow access to Toolforge web services from Gitlab shared runners
Closed, ResolvedPublicFeature

Description

Feature summary (what you would like to be able to do and where):

Add *.toolforge.org to profile::gitlab::runner::allowed_services. *.wmcloud.org hosts were added to the allow list in rOPUP10b498b8e2c5: gitlab.runners: allow cloudvps public proxied services (T336130).

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):

The Ultraviolet userscript uses Gitlab CI to build artifacts, and uploads them to a deploy server on Toolforge, where the assets are copied to /www/static for serving on https://tools-static.wmflabs.org/. This works from the cloud runners (hosted by Digital Ocean), but the CI job fails from the shared runners (hosted by Cloud VPS), where it fails to connect to the Toolforge hosted deploy server.

Gitlab Job #266205:

$ curl -sSf -T dist.tar.gz -H "Authorization: $UV_DEPLOY_TOKEN" "https://ultraviolet.toolforge.org/deployment/$CI_COMMIT_REF_SLUG"
curl: (7) Failed to connect to ultraviolet.toolforge.org port 443 after 4 ms: Couldn't connect to server
Cleaning up project directory and file based variables 00:01
ERROR: Job failed: exit code 1

Benefits (why should this be implemented?):

Since *.wmcloud.org hosts are already on the allow list for use, adding Toolforge hosts shouldn't increase the attack surface much, while allowing Toolforge services to be accessed would prevent existing tools from having to be moved to Cloud VPS just to be accessible from Gitlab.
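An added example, not part of this task or of the puppet profile, showing how a reviewer might check that wildcard allow-list entries such as *.wmcloud.org and *.toolforge.org match only the intended service hosts (one leading label, exact suffix, https only) and not look-alike names. The matching rules here are an assumption for illustration, not the semantics of profile::gitlab::runner::allowed_services.

```python
from urllib.parse import urlsplit

# Constructed allow list in the style of the task's entries. The wildcard
# semantics below (one leading DNS label) are an assumption for this example,
# not the implementation used by the puppet profile.
ALLOWED_SERVICES = ["*.wmcloud.org", "*.toolforge.org"]


def host_allowed(host: str, allowed: list[str] = ALLOWED_SERVICES) -> bool:
    """Return True if host matches an exact entry or a '*.suffix' entry.

    A leading '*.' matches exactly one non-empty DNS label, so
    "a.b.toolforge.org" is rejected, as are look-alikes such as
    "toolforge.org.example" or "nottoolforge.org". Matching is
    case-insensitive and ignores a trailing dot.
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("*."):
            suffix = entry[2:]
            if (labels[0]
                    and len(labels) == len(suffix.split(".")) + 1
                    and ".".join(labels[1:]) == suffix):
                return True
        elif host == entry:
            return True
    return False


def url_allowed(url: str, allowed: list[str] = ALLOWED_SERVICES) -> bool:
    """Check the host of a deploy URL like the one in the failing CI job."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return host_allowed(parts.hostname, allowed)


if __name__ == "__main__":
    # Constructed sample hosts: the task's deploy target plus look-alikes.
    for h in ["ultraviolet.toolforge.org", "toolforge.org",
              "a.b.toolforge.org", "toolforge.org.example", "nottoolforge.org"]:
        print(f"{h:28} -> {'allowed' if host_allowed(h) else 'blocked'}")
```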

Event Timeline

taavi renamed this task from Whitelist Toolforge hosts in Gitlab shared runners to Allow access to Toolforge web services in Gitlab shared runners. May 22 2024, 8:24 AM
taavi removed a project: Toolforge.
taavi updated the task description.
bd808 renamed this task from Allow access to Toolforge web services in Gitlab shared runners to Allow access to Toolforge web services from Gitlab shared runners. May 22 2024, 3:15 PM
bd808 updated the task description.

Change #1034971 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[operations/puppet@production] gitlab.runners: Add *.toolforge.org to allowed services

https://gerrit.wikimedia.org/r/1034971

bd808 triaged this task as Medium priority. May 22 2024, 3:46 PM

Change #1034971 merged by Jelto:

[operations/puppet@production] gitlab.runners: Add *.toolforge.org to allowed services

https://gerrit.wikimedia.org/r/1034971