EPIC: Build dse-k8s-codfw Kubernetes cluster
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	bking
	Jun 10 2025, 1:03 PM

Description

DPE SRE is providing a new OpenSearch service, "Mutualized OpenSearch," which will run on Kubernetes (more details in parent ticket).

The service needs to be available in both primary datacenters, but we don't have a DSE k8s cluster in CODFW yet.

Creating this ticket as an epic/parent ticket for all tasks needed to bring the dse-k8s-codfw cluster online.

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
dse-k8s: Enable active/active for dse-k8s clusters	operations/dns	master	+42 -38
dse-k8s-ingress: Enable active-active	operations/puppet	production	+2 -2
dse-k8s-codfw: enable pod-to-pod traffic cluster-wide	operations/deployment-charts	master	+4 -0
Redirect helmfile_admin_ng_pending_changes alerts for both dse-k8s-eqiad/codfw to dpe sre	operations/alerts	master	+31 -8
Fix typo in cephfs values namespaces	operations/deployment-charts	master	+1 -1
Add test namespace to ceph tenantNamepsaces dse-k8s-codfw	operations/deployment-charts	master	+2 -0
Upgrade the dse-k8s-codfw cluster to version 1.31	operations/puppet	production	+2 -0

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Open	None	T362105 EPIC: OpenSearch on K8s (formerly Mutualized opensearch cluster) - FY25/26 WE4.2.6
Resolved	• Stevemunene	T396478 EPIC: Build dse-k8s-codfw Kubernetes cluster
Resolved	BTullis	T396479 Decide initial hardware footprint of dse-k8s-codfw cluster
Resolved	BTullis	T353789 Re-purpose kafka-stretch200[1-2] as DSE workers in codfw
Resolved	• Stevemunene	T397293 Create dse-k8s-etcd cluster in codfw
Resolved	• Stevemunene	T400037 Determine dse-k8s-codfw Kubernetes IP ranges
Resolved	BTullis	T397295 Create the dse-k8s-ctrl servers in codfw
Resolved	• Stevemunene	T397297 Create helmfile.d/admin_ng structure required to bootstrap the dse-k8s-codfw cluster
Resolved	• Stevemunene	T397298 Configure networking for the dse-k8s-codfw cluster
Resolved	• Stevemunene	T397301 Bootstrap the dse-k8s-codfw cluster
Resolved	brouberol	T404068 Use a different set of namespaces for deployment to each of the two the dse-k8s clusters
Resolved	• Stevemunene	T404433 Deploy an echoserver service on dse-k8s-codfw behind ingress
Resolved	BTullis	T404576 Enable the Container Storage Interface (CSI) and the Ceph CSI plugin on dse-k8s-codfw cluster

Event Timeline

bking created this task.Jun 10 2025, 1:03 PM

BTullis moved this task from Incoming to Epics on the Data-Platform-SRE board.Jun 11 2025, 9:20 AM

BTullis closed subtask T396479: Decide initial hardware footprint of dse-k8s-codfw cluster as Resolved.Jun 18 2025, 9:49 AM

BTullis triaged this task as High priority.Jul 4 2025, 4:43 PM

BTullis moved this task from Epics to Quarterly Goals on the Data-Platform-SRE board.

bking mentioned this in T398986: Deploy next iteration of iPoid in dse-k8s-codfw.Jul 8 2025, 4:31 PM

BTullis closed subtask T397295: Create the dse-k8s-ctrl servers in codfw as Resolved.Jul 8 2025, 9:10 PM

• Stevemunene closed subtask T397293: Create dse-k8s-etcd cluster in codfw as Resolved.Aug 14 2025, 10:05 AM

• Stevemunene closed subtask T397297: Create helmfile.d/admin_ng structure required to bootstrap the dse-k8s-codfw cluster as Resolved.Aug 21 2025, 1:13 PM

• Stevemunene closed subtask T397298: Configure networking for the dse-k8s-codfw cluster as Resolved.Aug 27 2025, 9:58 AM

Change #1184043 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Upgrade the dse-k8s-codfw cluster to version 1.31

https://gerrit.wikimedia.org/r/1184043

gerritbot added a project: Patch-For-Review.Sep 2 2025, 9:58 AM

Change #1184043 merged by Btullis:

[operations/puppet@production] Upgrade the dse-k8s-codfw cluster to version 1.31

https://gerrit.wikimedia.org/r/1184043

Maintenance_bot removed a project: Patch-For-Review.Sep 2 2025, 3:31 PM

• Stevemunene closed subtask T397301: Bootstrap the dse-k8s-codfw cluster as Resolved.Sep 9 2025, 2:42 PM

Gehel added a subtask: T404068: Use a different set of namespaces for deployment to each of the two the dse-k8s clusters.Sep 12 2025, 3:08 PM

Gehel closed subtask T404068: Use a different set of namespaces for deployment to each of the two the dse-k8s clusters as Resolved.

BTullis reopened subtask T404068: Use a different set of namespaces for deployment to each of the two the dse-k8s clusters as Open.Sep 15 2025, 10:15 AM

brouberol changed the status of subtask T404068: Use a different set of namespaces for deployment to each of the two the dse-k8s clusters from Open to In Progress.Sep 16 2025, 10:07 AM

Gehel added a subtask: T404433: Deploy an echoserver service on dse-k8s-codfw behind ingress.Sep 17 2025, 9:46 AM

Gehel added a subtask: T404576: Enable the Container Storage Interface (CSI) and the Ceph CSI plugin on dse-k8s-codfw cluster.

brouberol closed subtask T404068: Use a different set of namespaces for deployment to each of the two the dse-k8s clusters as Resolved.Sep 17 2025, 2:58 PM

brouberol closed subtask T404576: Enable the Container Storage Interface (CSI) and the Ceph CSI plugin on dse-k8s-codfw cluster as Resolved.Sep 22 2025, 11:49 AM

brouberol closed subtask T404433: Deploy an echoserver service on dse-k8s-codfw behind ingress as Resolved.

BTullis mentioned this in Unknown Object (Task).Sep 23 2025, 10:49 AM

• Stevemunene claimed this task.Sep 24 2025, 9:45 AM

Gehel edited projects, added Data-Platform-SRE (2025.09.05 - 2025.09.26); removed Data-Platform-SRE.Sep 24 2025, 9:45 AM

Gehel moved this task from Backlog - project to Needs Review on the Data-Platform-SRE (2025.09.05 - 2025.09.26) board.

Gehel edited projects, added Data-Platform-SRE (2025.09.26 - 2025.10.17); removed Data-Platform-SRE (2025.09.05 - 2025.09.26).Sep 26 2025, 1:50 PM

Gehel moved this task from Backlog - project to Needs Review on the Data-Platform-SRE (2025.09.26 - 2025.10.17) board.

The dse-k8s-codfw cluster is up and running and the components can be verified as below:
A simple PVC definition as a raw block device

root@deploy2002:~# kube_env admin dse-k8s-codfw
root@deploy2002:~# kubectl create namespace stevemunene-pvc-tests
namespace/stevemunene-pvc-tests created
root@deploy2002:~# kubectl get namespaces
NAME                    STATUS   AGE
analytics-test          Active   47h
cert-manager            Active   10d
default                 Active   10d
echoserver              Active   10d
external-services       Active   10d
istio-system            Active   10d
kube-node-lease         Active   10d
kube-public             Active   10d
kube-system             Active   10d
opensearch-ipoid        Active   10d
opensearch-ipoid-test   Active   10d
opensearch-operator     Active   10d
opensearch-test         Active   10d
sidecar-controller      Active   10d
stevemunene-pvc-tests   Active   13s


root@deploy2002:~# cat /home/stevemunene/raw-block-pvc.yaml 
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: raw-block-pvc
  namespace: stevemunene-pvc-tests
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Block
  resources:
    requests:
      storage: 1Gi
  storageClassName: ceph-rbd-ssd

create a very simple pod which attempts to bind this pvc.

---
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-raw-block-volume
  namespace: stevemunene-pvc-tests
spec:
  containers:
    - name: do-nothing
      image: docker-registry.discovery.wmnet/bookworm:20240630
      command: ["/bin/sh", "-c"]
      args: ["tail -f /dev/null"]
      volumeDevices:
        - name: data
          devicePath: /dev/xvda
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: raw-block-pvc

Apply and watch

root@deploy2002:~kubectl apply -f /home/stevemunene/raw-block-pod.yamlml
pod/pod-with-raw-block-volume created
root@deploy2002:~# kubectl -n stevemunene-pvc-tests get events -w
LAST SEEN   TYPE      REASON                 OBJECT                                MESSAGE
4s          Warning   FailedScheduling       pod/pod-with-raw-block-volume         0/4 nodes are available: pod has unbound immediate PersistentVolumeClaims. preemption: 0/4 nodes are available: 4 Preemption is not helpful for scheduling.
3m25s       Normal    ExternalProvisioning   persistentvolumeclaim/raw-block-pvc   Waiting for a volume to be created either by the external provisioner 'rbd.csi.ceph.com' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered.
0s          Normal    ExternalProvisioning   persistentvolumeclaim/raw-block-pvc   Waiting for a volume to be created either by the external provisioner 'rbd.csi.ceph.com' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered.

Pending for a while now,
To investigate we have

Verified all the keys match as expected
Code verification of the firewall settings and envoy https://github.com/wikimedia/operations-puppet/blob/production/modules/profile/manifests/ceph/server/firewall.pp#L29 https://github.com/wikimedia/operations-puppet/blob/production/modules/profile/manifests/tlsproxy/envoy.pp#L299-L313

Still to do:

check if there are improvements in the Ceph plugin to see if it is worth upgrading the Ceph plugin or something else (kernel?), by reading the release notes
if needed, do the appropriate upgrades (create a subtask for it)

Going through the ceph-csi-releases for any change that might have impacted us in the 1.31 upgrade.

For now I have cleared the current deployment as it was still in a waiting state for a while ie.

root@deploy2002:~# kubectl -n stevemunene-pvc-tests get events -w
LAST SEEN TYPE REASON OBJECT MESSAGE
6m30s Warning FailedScheduling pod/pod-with-raw-block-volume 0/4 nodes are available: pod has unbound immediate PersistentVolumeClaims. preemption: 0/4 nodes are available: 4 Preemption is not helpful for scheduling.
2m32s Normal ExternalProvisioning persistentvolumeclaim/raw-block-pvc Waiting for a volume to be created either by the external provisioner 'rbd.csi.ceph.com' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered.
0s Normal ExternalProvisioning persistentvolumeclaim/raw-block-pvc Waiting for a volume to be created either by the external provisioner 'rbd.csi.ceph.com' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered.
0s Normal ExternalProvisioning persistentvolumeclaim/raw-block-pvc Waiting for a volume to be created either by the external provisioner 'rbd.csi.ceph.com' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered.
0s Normal ExternalProvisioning persistentvolumeclaim/raw-block-pvc Waiting for a volume to be created either by the external provisioner 'rbd.csi.ceph.com' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered.

delete pvc and pod

root@deploy2002:~# kubectl delete -f /home/stevemunene/raw-block-pvc.yaml 
persistentvolumeclaim "raw-block-pvc" deleted
root@deploy2002:~# kubectl delete  -f /home/stevemunene/raw-block-pod.yaml
pod "pod-with-raw-block-volume" deleted
root@deploy2002:~#

Change #1193190 had a related patch set uploaded (by Stevemunene; author: Stevemunene):

[operations/deployment-charts@master] Add test namespace to ceph tenantNamepsaces dse-k8s-codfw

https://gerrit.wikimedia.org/r/1193190

gerritbot added a project: Patch-For-Review.Oct 2 2025, 7:43 PM

Change #1193190 merged by jenkins-bot:

[operations/deployment-charts@master] Add test namespace to ceph tenantNamepsaces dse-k8s-codfw

https://gerrit.wikimedia.org/r/1193190

Change #1193369 had a related patch set uploaded (by Stevemunene; author: Stevemunene):

[operations/deployment-charts@master] Fix typo in cephfs values namespaces

https://gerrit.wikimedia.org/r/1193369

Change #1193369 merged by jenkins-bot:

[operations/deployment-charts@master] Fix typo in cephfs values namespaces

https://gerrit.wikimedia.org/r/1193369

The initial error was from the fact that we did not have the namespace defined in the list of available tenandNamespaces. This was added, then proceeded to recreate the pvc in the namespace and we are now seeing a different error message.

root@deploy2002:~# kubectl apply -f /home/stevemunene/raw-block-pvc.yaml 
persistentvolumeclaim/raw-block-pvc created
root@deploy2002:~# kubectl apply -f /home/stevemunene/raw-block-pod.yaml
pod/pod-with-raw-block-volume created
root@deploy2002:~# kubectl -n stevemunene-pvc-tests get events -w
LAST SEEN   TYPE      REASON                 OBJECT                                MESSAGE
9s          Warning   FailedScheduling       pod/pod-with-raw-block-volume         0/4 nodes are available: pod has unbound immediate PersistentVolumeClaims. preemption: 0/4 nodes are available: 4 Preemption is not helpful for scheduling.
11s         Normal    Provisioning           persistentvolumeclaim/raw-block-pvc   External provisioner is provisioning volume for claim "stevemunene-pvc-tests/raw-block-pvc"
14s         Normal    ExternalProvisioning   persistentvolumeclaim/raw-block-pvc   Waiting for a volume to be created either by the external provisioner 'rbd.csi.ceph.com' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered.

Maintenance_bot removed a project: Patch-For-Review.Oct 3 2025, 9:31 AM

Change #1193406 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/alerts@master] Redirect helmfile_admin_ng_pending_changes alerts for both dse-k8s-eqiad/codfw to dpe sre

https://gerrit.wikimedia.org/r/1193406

gerritbot added a project: Patch-For-Review.Oct 3 2025, 12:22 PM

Change #1193406 merged by Brouberol:

[operations/alerts@master] Redirect helmfile_admin_ng_pending_changes alerts for both dse-k8s-eqiad/codfw to dpe sre

https://gerrit.wikimedia.org/r/1193406

Maintenance_bot removed a project: Patch-For-Review.Oct 3 2025, 12:31 PM

• Stevemunene reopened subtask T404576: Enable the Container Storage Interface (CSI) and the Ceph CSI plugin on dse-k8s-codfw cluster as Open.Oct 7 2025, 7:19 AM

BTullis closed subtask T404576: Enable the Container Storage Interface (CSI) and the Ceph CSI plugin on dse-k8s-codfw cluster as Resolved.Oct 13 2025, 9:32 PM

In T396478#11232581, @Gehel wrote:

Still to do:

check if there are improvements in the Ceph plugin to see if it is worth upgrading the Ceph plugin or something else (kernel?), by reading the release notes

if needed, do the appropriate upgrades (create a subtask for it)

I have created: T407166: Upgrade the ceph-csi-plugin to the latest release compatible with kubernetes version 1.31

I think that we can wait until we have planned out the upgrade of dse-k8s-eqiad to Kubernetes version 1.31 before looking again at the version of the ceph-csi plugin.
What we have shown in T404576 is that version 3.7.2 of the ceph-csi plugin works with kubernetes version 1.31 - which is great!

Hopefully over the next couple of weeks we will get more confident in this version match and that will mean that we don't have to upgrade both k8s and the ceph-csi plugin together on dse-k8s-eqiad.
It would be ideal if we could upgrade k8s first, then work on the csi plugin afterwards.