Page MenuHomePhabricator
Create Task
Maniphest T394789

Validate pybal config in CI
Open, Needs TriagePublic
Actions

Description

Creating this ticket based on an IRC discussion between myself, @ssingh and @CDanis from earlier this year.

We (Search Platform SRE) have inadvertently created invalid pybal configuration via a Puppet patch at least twice. Pybal configuration is protected by a schema, so this does not break Pybal.

However, invalid Pybal config does set off errors such as ConfdResourceFailed: confd resource _srv_config-master_pybal_eqiad_search-https.toml . Additionally, it requires rolling back Puppet patches and other operationally expensive actions.

Since we already have a schema, it makes sense to use the schema in CI so we can catch these errors before they are live in production.

Creating this ticket to:

  • Add pybal schema validation to CI
  • Verify operation

Related Objects

Event Timeline

bking created this task.May 20 2025, 2:38 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 20 2025, 2:38 PM
bking renamed this task from Consider validating pybal config in CI to Validate pybal config in CI.Sep 23 2025, 1:57 PM
bking added a project: Traffic.
bking updated the task description. (Show Details)
bking added subscribers: ssingh, CDanis.
bking moved this task from Incoming to Watching on the Data-Platform-SRE board.Sep 23 2025, 2:19 PM
ssingh added a comment.EditedSep 23 2025, 2:23 PM

Hi @bking. Thanks for the task! Do note that regardless of the task above, PyBal will soon be deprecated in favour of Liberica, once T368544 is resolved, which should happen within a few quarters.

I am just mentioning this so that we can factor the above in before doing any more work or investing engineering time on PyBal since the plan is to deprecate it soon. (Only eqiad and codfw have PyBal running and while that's significant, the only blocker is k8s stuff, otherwise we would have switched to Liberica there. We are intentionally not rolling out both Liberica and PyBal to keep things uniform.)

bking added a comment.Sep 30 2025, 2:15 PM

Thanks @ssingh , that's completely understandable. If PyBal is going away, it's probably not worth the effort to fix it.

But I'm wondering if Liberica has the same issue? In other words, is it possible to create an invalid Liberica config via Puppet patches, that would be caught by the ConfdResourceFailed alerts? If so, then the task is still valid, it just needs to change scope. Let me know what you think.

ssingh added a comment.Sep 30 2025, 2:22 PM
In T394789#11229562, @bking wrote:

Thanks @ssingh , that's completely understandable. If PyBal is going away, it's probably not worth the effort to fix it.

But I'm wondering if Liberica has the same issue? In other words, is it possible to create an invalid Liberica config via Puppet patches, that would be caught by the ConfdResourceFailed alerts? If so, then the task is still valid, it just needs to change scope. Let me know what you think.

I think that depends on which Liberica config -- Liberica will still refer to the service definitions under hieradata/common/service.yaml and read those (see modules/liberica/functions/service_from_wmflib.pp) and then there is a CI check that tries to compile the catalog (see modules/profile/spec/classes/profile_liberica_spec.rb), so it certainly has more guard rails than PyBal.

Can you remind me what the invalid configuration was in this case? That way we can compare it against the Liberica checks to see if they would have been caught.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits