Page MenuHomePhabricator
Create Task
Maniphest T397298

Configure networking for the dse-k8s-codfw cluster
Closed, ResolvedPublic
Actions

Description

We have already reserved the IP ranges in netbox for the dse-k8s-codfw cluster, when we commissioned the cluster in eqiad.

We need to mark these ranges as active and configure the remaining settings before bootstrapping the cluster.

See these guidelines for details: https://wikitech.wikimedia.org/wiki/Kubernetes/Clusters/New#Networking

Step 0: DNS (Done)
Step 1: Add node to BGP (Done)
Step 2: Node installation (done)
Step 3: Add to conftool/LVS (Done)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
dse-k8s: disable cluster_dns to allow core-dns deploy.operations/puppetproduction+0 -2
dse-k8s: Add helmfile configuration for dse-k8s-codfwoperations/deployment-chartsmaster+406 -0
dse-k8s: Add dse-k8s-codfw to service listoperations/puppetproduction+6 -0
dse-k8s: add dse-k8s-codfw hosts to LVSoperations/puppetproduction+7 -1
dns: Define DNS records for the dse-k8s-codfw ingressoperations/dnsmaster+2 -1
Update firewall rules to add dse-k8s-codfwoperations/puppetproduction+6 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

BTullis created this task.Jun 18 2025, 10:08 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 18 2025, 10:08 AM
BTullis moved this task from Backlog - project to Backlog - operations on the Data-Platform-SRE (2025.06.13 - 2025.07.04) board.Jun 18 2025, 10:08 AM
BTullis mentioned this in T397301: Bootstrap the dse-k8s-codfw cluster.Jun 18 2025, 10:18 AM
BTullis edited projects, added Data-Platform-SRE (2025.07.05 - 2025.07.25); removed Data-Platform-SRE (2025.06.13 - 2025.07.04).Jul 4 2025, 3:59 PM
BTullis edited projects, added Data-Platform-SRE (2025.07.26 - 2025.08.15); removed Data-Platform-SRE (2025.07.05 - 2025.07.25).Jul 28 2025, 4:49 PM
BTullis triaged this task as High priority.Jul 28 2025, 6:20 PM
Stevemunene claimed this task.Aug 14 2025, 10:29 AM
Stevemunene moved this task from Backlog - project to In Progress on the Data-Platform-SRE (2025.07.26 - 2025.08.15) board.
Stevemunene updated the task description. (Show Details)
gerritbot added a comment.Aug 14 2025, 10:34 AM

Change #1178834 had a related patch set uploaded (by Stevemunene; author: Stevemunene):

[operations/puppet@production] dse-k8s: add dse-k8s-codfw hosts to LVS

https://gerrit.wikimedia.org/r/1178834

gerritbot added a project: Patch-For-Review.Aug 14 2025, 10:34 AM
gerritbot added a comment.Aug 18 2025, 11:17 AM

Change #1179652 had a related patch set uploaded (by Stevemunene; author: Stevemunene):

[operations/puppet@production] Update firewall rules to add dse-k8s-codfw

https://gerrit.wikimedia.org/r/1179652

gerritbot added a comment.Aug 18 2025, 11:22 AM

Change #1179654 had a related patch set uploaded (by Stevemunene; author: Stevemunene):

[operations/deployment-charts@master] dse-k8s: Add helmfile configuration for dse-k8s-codfw

https://gerrit.wikimedia.org/r/1179654

gerritbot added a comment.Aug 18 2025, 12:15 PM

Change #1179652 merged by Stevemunene:

[operations/puppet@production] Update firewall rules to add dse-k8s-codfw

https://gerrit.wikimedia.org/r/1179652

gerritbot added a comment.Aug 18 2025, 3:24 PM

Change #1179723 had a related patch set uploaded (by Stevemunene; author: Stevemunene):

[operations/dns@master] dns: Define a DNS A record for the dse-k8s-codfw ingress

https://gerrit.wikimedia.org/r/1179723

gerritbot added a comment.Aug 19 2025, 10:31 AM

Change #1179723 merged by Stevemunene:

[operations/dns@master] dns: Define DNS records for the dse-k8s-codfw ingress

https://gerrit.wikimedia.org/r/1179723

gerritbot added a comment.Aug 19 2025, 11:23 AM

Change #1180116 had a related patch set uploaded (by Stevemunene; author: Stevemunene):

[operations/puppet@production] dse-k8s: Add dse-k8s-codfw to service list

https://gerrit.wikimedia.org/r/1180116

gerritbot added a comment.Aug 20 2025, 10:19 AM

Change #1178834 merged by Stevemunene:

[operations/puppet@production] dse-k8s: add dse-k8s-codfw hosts to LVS

https://gerrit.wikimedia.org/r/1178834

BTullis edited projects, added Data-Platform-SRE (2025.08.16 - 2025.09.05); removed Data-Platform-SRE (2025.07.26 - 2025.08.15).Aug 20 2025, 10:29 AM
BTullis moved this task from Backlog - project to In Progress on the Data-Platform-SRE (2025.08.16 - 2025.09.05) board.
gerritbot added a comment.Aug 21 2025, 9:45 AM

Change #1180116 merged by Stevemunene:

[operations/puppet@production] dse-k8s: Add dse-k8s-codfw to service list

https://gerrit.wikimedia.org/r/1180116

gerritbot added a comment.Aug 21 2025, 11:18 AM

Change #1179654 merged by jenkins-bot:

[operations/deployment-charts@master] dse-k8s: Add helmfile configuration for dse-k8s-codfw

https://gerrit.wikimedia.org/r/1179654

Maintenance_bot removed a project: Patch-For-Review.Aug 21 2025, 11:31 AM
Stevemunene added a comment.Aug 21 2025, 1:14 PM

This is in progress and details on T397301#11106327

Stevemunene updated the task description. (Show Details)Aug 21 2025, 3:29 PM
Stevemunene closed this task as Resolved.Aug 27 2025, 9:58 AM
Stevemunene updated the task description. (Show Details)
Stevemunene moved this task from In Progress to Done on the Data-Platform-SRE (2025.08.16 - 2025.09.05) board.

Set the BGP value to true for the dse-k8s-codfw ctrl and worker hosts then ran homer from a cumin host

stevemunene@cumin1003:~$ sudo homer "cr*codfw*" diff
INFO:homer.devices:Initialized 105 devices
INFO:homer:Generating diff for query cr*codfw*
INFO:homer.devices:Matched 2 device(s) for query 'cr*codfw*'
INFO:homer:Generating configuration for cr1-codfw.wikimedia.org
INFO:homer.transports.junos:Running commit check on cr1-codfw.wikimedia.org
INFO:homer:Generating configuration for cr2-codfw.wikimedia.org
INFO:homer.transports.junos:Running commit check on cr2-codfw.wikimedia.org
Changes for 1 devices: ['cr1-codfw.wikimedia.org']

[edit policy-options]
+   prefix-list kubedse-pod-ips4 {
+       10.192.96.0/21;
+   }
+   prefix-list kubedse-pod-ips6 {
+       2620:0:860:308::/64;
+   }
[edit policy-options]
+   policy-statement kubedse_import {
+       term pod_ips4 {
+           from {
+               family inet;
+               protocol bgp;
+               prefix-list-filter kubedse-pod-ips4 longer;
+           }
+           then accept;
+       }
+       term pod_ips6 {
+           from {
+               family inet6;
+               protocol bgp;
+               prefix-list-filter kubedse-pod-ips6 longer;
+           }
+           then accept;
+       }
+       then reject;
+   }
[edit protocols bgp]
     group k8s-aux-ipv6 { ... }
+    group Kubedse4 {
+        type external;
+        multihop {
+            /* T328523 */
+            no-nexthop-change;
+        }
+        local-address 208.80.153.192;
+        hold-time 30;
+        /* T328523 */
+        advertise-peer-as;
+        import kubedse_import;
+        family inet {
+            unicast {
+                prefix-limit {
+                    maximum 50;
+                    teardown {
+                        80;
+                        idle-timeout forever;
+                    }
+                }
+            }
+        }
+        /* T328523 */
+        export kubernetes_export;
+        peer-as 64613;
+        multipath;
+        neighbor 10.192.32.6 {
+            description dse-k8s-ctrl2001;
+        }
+        neighbor 10.192.48.13 {
+            description dse-k8s-ctrl2002;
+        }
+    }
+    group Kubedse6 {
+        type external;
+        multihop {
+            /* T328523 */
+            no-nexthop-change;
+        }
+        local-address 2620:0:860:ffff::1;
+        hold-time 30;
+        /* T328523 */
+        advertise-peer-as;
+        import kubedse_import;
+        family inet6 {
+            unicast {
+                prefix-limit {
+                    maximum 50;
+                    teardown {
+                        80;
+                        idle-timeout forever;
+                    }
+                }
+            }
+        }
+        /* T328523 */
+        export kubernetes_export;
+        peer-as 64613;
+        multipath;
+        neighbor 2620:0:860:103:10:192:32:6 {
+            description dse-k8s-ctrl2001;
+        }
+        neighbor 2620:0:860:104:10:192:48:13 {
+            description dse-k8s-ctrl2002;
+        }
+    }

---------------
Changes for 1 devices: ['cr2-codfw.wikimedia.org']

[edit policy-options]
+   prefix-list kubedse-pod-ips4 {
+       10.192.96.0/21;
+   }
+   prefix-list kubedse-pod-ips6 {
+       2620:0:860:308::/64;
+   }
[edit policy-options]
+   policy-statement kubedse_import {
+       term pod_ips4 {
+           from {
+               family inet;
+               protocol bgp;
+               prefix-list-filter kubedse-pod-ips4 longer;
+           }
+           then accept;
+       }
+       term pod_ips6 {
+           from {
+               family inet6;
+               protocol bgp;
+               prefix-list-filter kubedse-pod-ips6 longer;
+           }
+           then accept;
+       }
+       then reject;
+   }
[edit protocols bgp]
     group k8s-aux-ipv6 { ... }
+    group Kubedse4 {
+        type external;
+        multihop {
+            /* T328523 */
+            no-nexthop-change;
+        }
+        local-address 208.80.153.193;
+        hold-time 30;
+        /* T328523 */
+        advertise-peer-as;
+        import kubedse_import;
+        family inet {
+            unicast {
+                prefix-limit {
+                    maximum 50;
+                    teardown {
+                        80;
+                        idle-timeout forever;
+                    }
+                }
+            }
+        }
+        /* T328523 */
+        export kubernetes_export;
+        peer-as 64613;
+        multipath;
+        neighbor 10.192.32.6 {
+            description dse-k8s-ctrl2001;
+        }
+        neighbor 10.192.48.13 {
+            description dse-k8s-ctrl2002;
+        }
+    }
+    group Kubedse6 {
+        type external;
+        multihop {
+            /* T328523 */
+            no-nexthop-change;
+        }
+        local-address 2620:0:860:ffff::2;
+        hold-time 30;
+        /* T328523 */
+        advertise-peer-as;
+        import kubedse_import;
+        family inet6 {
+            unicast {
+                prefix-limit {
+                    maximum 50;
+                    teardown {
+                        80;
+                        idle-timeout forever;
+                    }
+                }
+            }
+        }
+        /* T328523 */
+        export kubernetes_export;
+        peer-as 64613;
+        multipath;
+        neighbor 2620:0:860:103:10:192:32:6 {
+            description dse-k8s-ctrl2001;
+        }
+        neighbor 2620:0:860:104:10:192:48:13 {
+            description dse-k8s-ctrl2002;
+        }
+    }

---------------
INFO:homer:Homer run completed successfully on 2 devices: ['cr1-codfw.wikimedia.org', 'cr2-codfw.wikimedia.org']
gerritbot added a comment.Sep 1 2025, 2:00 PM

Change #1183691 had a related patch set uploaded (by Stevemunene; author: Stevemunene):

[operations/puppet@production] dse-k8s: disable cluster_dns to allow core-dns deploy.

https://gerrit.wikimedia.org/r/1183691

gerritbot added a project: Patch-For-Review.Sep 1 2025, 2:00 PM
gerritbot added a comment.Sep 5 2025, 10:32 AM

Change #1183691 abandoned by Btullis:

[operations/puppet@production] dse-k8s: disable cluster_dns to allow core-dns deploy.

Reason:

Not needed now.

https://gerrit.wikimedia.org/r/1183691

Maintenance_bot removed a project: Patch-For-Review.Sep 5 2025, 11:31 AM
Gehel moved this task from Done to Reported on the Data-Platform-SRE (2025.08.16 - 2025.09.05) board.Sep 5 2025, 12:45 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits