Page MenuHomePhabricator
Create Task
Maniphest T402512

Export development_network_probe data to Puppet servers for CDN deployment
Open, MediumPublic
Actions

Description

As part of WE5.4.3, we need to export a subset of data that currently lives in Hive (event.development_network_probe) into the production Puppet servers.
The goal is to run a query daily, export its results, and make them available to Puppet so they can be deployed to the CDN servers.

Proposed approach (from Data Engineering feedback on Slack):

  • Generate the file daily on HDFS with Airflow + Spark.
  • Use an "archiver" to manage file naming and ensure consistency.
  • Configure the Puppet server to fetch the file from HDFS (e.g., via hdfs_rsync) and then deploy it to the CDN hosts.

Open questions / next steps:

Acceptance criteria:

  • Daily job exports query results to HDFS.
  • Puppet server fetches and stores the file in a way usable by Puppet manifests.
  • File is deployed to CDN servers via the normal Puppet workflows.

Details

Other Assignee
brouberol
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
role::cache::{text,upload}: enable webrequest tagging globallyoperations/puppetproduction+2 -6
role::cache::{text,upload}: enable webrequest tagging in eqsinoperations/puppetproduction+2 -0
role::cache::haproxy: move webrequest ip reputation exp to all magruoperations/puppetproduction+4 -2
P:cache::haproxy: guard webrequest IP reputation data for betaoperations/puppetproduction+17 -15
haproxy: Enable use_webrequest_ipreputation flag for cp7002/cp7012operations/puppetproduction+2 -0
profile::cache::haproxy: add webrequest-based ip reputation dataoperations/puppetproduction+34 -0
dse-k8s-services: update the base Airflow imageoperations/deployment-chartsmaster+1 -1
Increase the size of the WAL volume for postgresql-airflow-sreoperations/deployment-chartsmaster+3 -0
profile::puppetserver: rework and fix the analytics-sre configoperations/puppetproduction+10 -7
admin: set home dir for analytics-sreoperations/puppetproduction+1 -1
profile::puppetserver: simplify analytics-sre's authorized keyoperations/puppetproduction+1 -1
dse-k8s-services: add pvc config for airflow-sreoperations/deployment-chartsmaster+17 -0
airflow: ensure the ssh privatekey is b64 encoded in the Secretoperations/deployment-chartsmaster+2 -2
airflow: allow the definition of rsync/ssh configurationoperations/deployment-chartsmaster+114 -2
airflow-sre: enable ssh access from task pods to the puppetserversoperations/deployment-chartsmaster+41 -8
dse-k8s-services: add service-secrets to airflow-sre's helmfile configoperations/deployment-chartsmaster+9 -1
hadoop/yarn: allow analytics-sre to submit jobs to the production queueoperations/puppetproduction+3 -3
role::puppetserver: add the analytics-sre user key and configsoperations/puppetproduction+34 -0
Provision the OIDC config for airflow-sreoperations/puppetproduction+8 -0
trafficserver: setup caching and ATS rules to publicly expose airflow-sre.w.ooperations/puppetproduction+5 -0
dse-k8s-eqiad/airflow-sre: define deploy role and TLS SANoperations/deployment-chartsmaster+4 -0
dse-k8s-eqiad: define the airflow-sre serviceoperations/deployment-chartsmaster+71 -0
dse-k8s-eqiad: define the postgresql-airflow-sre serviceoperations/deployment-chartsmaster+60 -0
dse-k8s-eqiad: add the airflow-sre to the ceph/PG operator tenant nsoperations/deployment-chartsmaster+10 -7
Fix formatting of airflow-sre domain declarationsoperations/dnsmaster+2 -2
Define the airflow-sre public and internal domainsoperations/dnsmaster+3 -0
deployment_server: Fix group name typooperations/puppetproduction+1 -1
Define the airflow-sre kubeconfig filesoperations/puppetproduction+18 -0
Add fake kerberos keytabs for the Puppetserver hostslabs/privatemaster+0 -0
role::puppetserver: remove kerberos configoperations/puppetproduction+0 -10
WIP: profile::puppetserver::volatile: add hdfs rsync joboperations/puppetproduction+16 -0
role::puppetserver: add the profile to fetch the krb keytabsoperations/puppetproduction+1 -0
role::puppetserver: deploy kerberos keytab for analytics-sreoperations/puppetproduction+9 -0
admin: add the analytics-sre uid and gidoperations/puppetproduction+13 -2
Show related patches Customize query in gerrit
Related Changes in GitLab:
TitleReferenceAuthorSource BranchDest Branch
sre: fix container/pod security context for rsync taskrepos/data-engineering/airflow-dags!2153elukeyelukey_T402512_fix_security_contextmain
Create the first webrequest-based pipeline for SRErepos/data-engineering/airflow-dags!2100elukeyelukey_T402512main
Add the netaddr dependency and regenerate poetry's lockrepos/data-engineering/airflow-dags!2082elukeynetaddr_depmain
Define the sre root DAG folderrepos/data-engineering/airflow-dags!1930brouberolT402512main
Customize query in GitLab

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
BTullis added a comment.EditedJan 16 2026, 9:58 AM
In T402512#11527862, @brouberol wrote:

I can take care of spinning up the airflow instance if required @BTullis.

That would be great. Thanks.

brouberol added a comment.Jan 16 2026, 10:01 AM

Sure thing. I'd need a couple of details. from you @elukey, namely the defaut team name DAGs would be labeled with, as well as a default alert email for failing DAGs.

gerritbot added a comment.Jan 16 2026, 10:12 AM

Change #1227731 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/dns@master] Define the airflow-sre public and internal domains

https://gerrit.wikimedia.org/r/1227731

gerritbot added a project: Patch-For-Review.Jan 16 2026, 10:12 AM

Change #1227732 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] Define the airflow-sre kubeconfig files

https://gerrit.wikimedia.org/r/1227732

gerritbot added a comment.Jan 16 2026, 10:13 AM

Change #1227733 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] Setup the caching and ATS rules to publicly expose airflow-sre.wikimedia.org

https://gerrit.wikimedia.org/r/1227733

elukey added a comment.Jan 16 2026, 10:13 AM

@brouberol I'd say team name "sre" and the root wikimedia email as starter, then later on we can tune it with a different one!

MoritzMuehlenhoff added a comment.Jan 16 2026, 10:31 AM

For logging into the instance we can use cn=ops,ou=groups,dc=wikimedia,dc=org

gerritbot added a comment.Jan 16 2026, 10:48 AM

Change #1227732 merged by Brouberol:

[operations/puppet@production] Define the airflow-sre kubeconfig files

https://gerrit.wikimedia.org/r/1227732

gerritbot added a comment.Jan 16 2026, 3:51 PM

Change #1227829 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/puppet@production] deployment_server: Fix group name typo

https://gerrit.wikimedia.org/r/1227829

gerritbot added a comment.Jan 16 2026, 3:52 PM

Change #1227829 merged by Clément Goubert:

[operations/puppet@production] deployment_server: Fix group name typo

https://gerrit.wikimedia.org/r/1227829

elukey added a comment.Jan 16 2026, 4:29 PM

Next steps:

  • DP to create the Airflow SRE instance.
  • Me and DP to configure the rsync settings and credentials to be able to push data from the DSE Cluster to the puppetservers.
  • Me/Chris to test the Airflow workflow and publish the first bit of data to the puppetservers.
gerritbot added a comment.Jan 19 2026, 8:11 AM

Change #1227731 merged by Brouberol:

[operations/dns@master] Define the airflow-sre public and internal domains

https://gerrit.wikimedia.org/r/1227731

gerritbot added a comment.Jan 19 2026, 8:14 AM

Change #1228315 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/dns@master] Fix formatting of airflow-sre domain declarations

https://gerrit.wikimedia.org/r/1228315

gerritbot added a comment.Jan 19 2026, 8:15 AM

Change #1228315 merged by Brouberol:

[operations/dns@master] Fix formatting of airflow-sre domain declarations

https://gerrit.wikimedia.org/r/1228315

gerritbot added a comment.Jan 19 2026, 8:34 AM

Change #1228420 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] dse-k8s-eqiad: add the airflow-sre to the ceph/PG operator tenant ns

https://gerrit.wikimedia.org/r/1228420

gerritbot added a comment.Jan 19 2026, 8:34 AM

Change #1228421 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] dse-k8s-eqiad: define the postgresql-airflow-sre service

https://gerrit.wikimedia.org/r/1228421

gerritbot added a comment.Jan 19 2026, 8:34 AM

Change #1228422 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] dse-k8s-eqiad: define the airflow-sre service

https://gerrit.wikimedia.org/r/1228422

gerritbot added a comment.Jan 19 2026, 9:08 AM

Change #1228420 merged by Brouberol:

[operations/deployment-charts@master] dse-k8s-eqiad: add the airflow-sre to the ceph/PG operator tenant ns

https://gerrit.wikimedia.org/r/1228420

gerritbot added a comment.Jan 19 2026, 9:32 AM

Change #1228421 merged by jenkins-bot:

[operations/deployment-charts@master] dse-k8s-eqiad: define the postgresql-airflow-sre service

https://gerrit.wikimedia.org/r/1228421

CodeReviewBot added a comment.Jan 19 2026, 9:38 AM

brouberol opened https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/1930

Define the sre root DAG folder

brouberol added a comment.Jan 19 2026, 9:44 AM

@MoritzMuehlenhoff re cn=ops,ou=groups,dc=wikimedia,dc=org understood! The LDAP/Airflow role mapping is by default:

role_mappings:
  airflow-{{ $.Values.config.airflow.instance_name }}-ops: [Op]
  nda: [User]
  wmf: [User]
  ops: [Admin]

where the Op role is a powerful role, but not as powerful as admin. In our case, as we're provisioning the instance for SREs, all users will be members of ops anyway, meanining that they will all get Admin powers. There'd be no need to create the airflow-sre-ops LDAP group.

brouberol updated Other Assignee, added: brouberol.Jan 19 2026, 9:51 AM
CodeReviewBot added a comment.Jan 19 2026, 9:56 AM

brouberol merged https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/1930

Define the sre root DAG folder

gerritbot added a comment.Jan 19 2026, 10:27 AM

Change #1228422 merged by Brouberol:

[operations/deployment-charts@master] dse-k8s-eqiad: define the airflow-sre service

https://gerrit.wikimedia.org/r/1228422

gerritbot added a comment.Jan 19 2026, 10:41 AM

Change #1228437 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] dse-k8s-eqiad/airflow-sre: define deploy role and TLS SAN

https://gerrit.wikimedia.org/r/1228437

gerritbot added a comment.Jan 19 2026, 10:48 AM

Change #1228437 merged by Brouberol:

[operations/deployment-charts@master] dse-k8s-eqiad/airflow-sre: define deploy role and TLS SAN

https://gerrit.wikimedia.org/r/1228437

gerritbot added a comment.Jan 19 2026, 11:00 AM

Change #1227733 merged by Brouberol:

[operations/puppet@production] trafficserver: setup caching and ATS rules to publicly expose airflow-sre.w.o

https://gerrit.wikimedia.org/r/1227733

gerritbot added a comment.Jan 19 2026, 11:07 AM

Change #1228448 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] Provision the OIDC config for airflow-sre

https://gerrit.wikimedia.org/r/1228448

gerritbot added a comment.Jan 19 2026, 11:17 AM

Change #1228448 merged by Brouberol:

[operations/puppet@production] Provision the OIDC config for airflow-sre

https://gerrit.wikimedia.org/r/1228448

Maintenance_bot removed a project: Patch-For-Review.Jan 19 2026, 11:31 AM
brouberol added a comment.Jan 19 2026, 11:35 AM

https://airflow-sre.wikimedia.org has been deployed!

Screenshot 2026-01-19 at 12.35.22.png (1,435×484 px, 78 KB)

Give it a good hour for the ATS changes to propagate everywhere.

BTullis added a comment.Jan 20 2026, 3:23 PM
In T402512#11529638, @elukey wrote:

Next steps:

  • DP to create the Airflow SRE instance.

That's done now.

  • Me and DP to configure the rsync settings and credentials to be able to push data from the DSE Cluster to the puppetservers.

We're ready to start configuring this now, @elukey

Could you tell me which posix user will be permitted to SSH into the puppetservers, please?
Will it be a new user, specifically for this purpose, or an existing account?

We will need the following resources to be configured.

In Puppet
  • An ssh::userkey resource on the puppetservers - (example here.) - This is an authorized_keys file containing the public part of an SSH keypair, along with some options to restrict the source addresses. We could force the command to be rsync --server <snip> as was shown in this commit, if you would like to lock down the options as much as possible.
  • The corresponding SSH private key goes into the private puppet repository
  • A firewall::service on the puppetservers that open up port TCP/22 on the puppetservers to the DSE_KUBEPODS network. (Example: here.)
  • A profile::ssh::server::match_config block on the puppetservers (example here) that further restricts the options that apply to an SSH session matching this user. (e.g. AllowTcpForwarding: 'no')
In deployment-charts
  • A secret that contains the SSH private key mentioned earlier
  • ConfigMaps that contain the following:
    • A known_hosts file, containing the SSH host keys for the puppet servers
    • An rsync_targets file, containing the puppet server host names, and the posix username to be used
    • A config file containing other useful settings, such as the ciphers to use

You can look at these examples for the files themselves, plus the way that extra-config resources can be managed by the airflow chart.

There is no corresponding way of creating arbitrary secrets in the Airflow chart, in the way that the ConfigMap objects are managed. Perhaps we will want to add this, or perhaps we could add the secret using a raw YAML object in the helmfile.yaml for airflow-sre.

Have we decided whether to use cephfs or S3 for the intermediate data store? Either is fine by me.

gerritbot added a comment.Jan 21 2026, 3:42 PM

Change #1229590 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] role::puppetserver: add the analytics-sre user key and configs

https://gerrit.wikimedia.org/r/1229590

gerritbot added a project: Patch-For-Review.Jan 21 2026, 3:42 PM
elukey added a comment.Jan 21 2026, 3:58 PM

Thanks a lot for the detailed explanation Ben! I tried to work on the Puppet part in https://gerrit.wikimedia.org/r/1229590, and I'll do the deployment-charts hopefully tomorrow. From a quick glance I am a little concerned about the need for known_hosts, since it can easily get out of sync with reimages etc.. Have you duplicated them for the dumps use case, or did you use a different approach?

gerritbot added a comment.Jan 22 2026, 3:36 PM

Change #1229590 merged by Elukey:

[operations/puppet@production] role::puppetserver: add the analytics-sre user key and configs

https://gerrit.wikimedia.org/r/1229590

Maintenance_bot removed a project: Patch-For-Review.Jan 22 2026, 4:31 PM
elukey added a comment.Jan 23 2026, 3:28 PM

Replying to my own question - in helmfile.d/dse-k8s-services/mediawiki-dumps-legacy/values-dumps.yaml I see the following:

ssh_known_hosts:
  - clouddumps1001.wikimedia.org,208.80.154.142,2620:0:861:2:208:80:154:142 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMA/Al2V+CTWWEdMJmqzhSmtn5tche1OmBxh67/g8AP7wdtUSZ6urOUZBe8lcjiAif9heJb7jwWWSNe+VCKCq0g=
  - clouddumps1002.wikimedia.org,208.80.154.71,2620:0:861:3:208:80:154:71 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBExvftUq/vgRdl20f4hKYECNRYoZNI2C789OOxz92IQBrsDU8NqgMy1o9bdfVc2acZBC3VD/LNCtiLx1kWtetro=

This is probably fine for the moment but I am pretty sure it will cause some issues down the line when a host is reimaged/changed/etc.. and people forget to update these configs. I am wondering if there is a way in external-services or similar to pick the known hosts config from the deploy's trusted list and load it to a config map in k8s.

gerritbot added a comment.Jan 23 2026, 5:13 PM

Change #1230970 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/deployment-charts@master] dse-k8s-services: add service-secrets to airflow-sre's helmfile config

https://gerrit.wikimedia.org/r/1230970

gerritbot added a project: Patch-For-Review.Jan 23 2026, 5:13 PM
brouberol added a comment.Jan 27 2026, 9:06 PM

I am wondering if there is a way in external-services or similar to pick the known hosts config from the deploy's trusted list and load it to a config map in k8s.

I'll admit that I don't know atm. Do you feel like this is a hard blocker? I'm happy to create a subticket for us to investigate, but still unblock you right now and proceed with keys you'd generate in puppet.

Once the keys are generated, I'll add some functionality to the airflow chart to support the definition of the known_hosts, rsync_targets and config file (config being .ssh/config) and mounting of these files in the task pods, when defined.

brouberol added a comment.Jan 27 2026, 9:21 PM

That being said, if that information is defined in a hiera value, we can export it to general-<env>.yaml via global_config.pp in puppet. If it's not in a hiera, we might still be able to fetch the known hosts with a PQL query?

gerritbot added a comment.Feb 2 2026, 4:17 PM

Change #1235837 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] hadoop/yarn: allow analytics-sre to submit jobs to the production queue

https://gerrit.wikimedia.org/r/1235837

gerritbot added a comment.Feb 2 2026, 4:22 PM

Change #1235837 merged by Brouberol:

[operations/puppet@production] hadoop/yarn: allow analytics-sre to submit jobs to the production queue

https://gerrit.wikimedia.org/r/1235837

gerritbot added a comment.Feb 2 2026, 4:33 PM

Change #1230970 merged by Elukey:

[operations/deployment-charts@master] dse-k8s-services: add service-secrets to airflow-sre's helmfile config

https://gerrit.wikimedia.org/r/1230970

Maintenance_bot removed a project: Patch-For-Review.Feb 2 2026, 5:32 PM
gerritbot added a comment.Feb 4 2026, 1:16 PM

Change #1236729 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] airflow-sre: enable ssh access from task pods to the puppetservers

https://gerrit.wikimedia.org/r/1236729

gerritbot added a project: Patch-For-Review.Feb 4 2026, 1:16 PM
gerritbot added a comment.Feb 4 2026, 2:29 PM

Change #1236756 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] airflow: allow the definition of rsync/ssh configuration

https://gerrit.wikimedia.org/r/1236756

gerritbot added a comment.Feb 4 2026, 4:05 PM

Change #1236756 merged by Brouberol:

[operations/deployment-charts@master] airflow: allow the definition of rsync/ssh configuration

https://gerrit.wikimedia.org/r/1236756

gerritbot added a comment.Feb 4 2026, 4:05 PM

Change #1236729 merged by Brouberol:

[operations/deployment-charts@master] airflow-sre: enable ssh access from task pods to the puppetservers

https://gerrit.wikimedia.org/r/1236729

Maintenance_bot removed a project: Patch-For-Review.Feb 4 2026, 4:31 PM
gerritbot added a comment.Feb 5 2026, 1:43 PM

Change #1237221 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] airflow: ensure the ssh privatekey is b64 encoded in the Secret

https://gerrit.wikimedia.org/r/1237221

gerritbot added a project: Patch-For-Review.Feb 5 2026, 1:43 PM
gerritbot added a comment.Feb 5 2026, 1:51 PM

Change #1237221 merged by Brouberol:

[operations/deployment-charts@master] airflow: ensure the ssh privatekey is b64 encoded in the Secret

https://gerrit.wikimedia.org/r/1237221

Maintenance_bot removed a project: Patch-For-Review.Feb 5 2026, 2:31 PM
brouberol added a comment.Feb 5 2026, 3:12 PM

We have deployed the "infrastructure" that will support rsync-ing files from airflow-sre task pods to the pupperserver hosts:

brouberol@deploy2002:~$ kubectl get configmap | grep puppetservers
airflow-rsync-puppetservers              1      54s
airflow-ssh-puppetservers                2      54s
brouberol@deploy2002:~$ kubectl get networkpolicies | grep puppetservers
airflow-production-task-pod-egress-ssh-puppetservers   app=airflow,component=task-pod,release=production   64s

We can see that task pods now have egress to the port 22 of the puppetservers enabled:

runuser@airflow-task-shell-66d66dd999-2mxbr:/opt/airflow$ ./usr/bin/is_port_open puppetserver1001.eqiad.wmnet 22
puppetserver1001.eqiad.wmnet:22 is open
elukey claimed this task.Feb 9 2026, 9:48 AM
gerritbot added a comment.Feb 12 2026, 11:15 AM

Change #1239029 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/deployment-charts@master] dse-k8s-services: add pvc config for airflow-sre

https://gerrit.wikimedia.org/r/1239029

gerritbot added a project: Patch-For-Review.Feb 12 2026, 11:15 AM
gerritbot added a comment.Feb 12 2026, 1:28 PM

Change #1239029 merged by Elukey:

[operations/deployment-charts@master] dse-k8s-services: add pvc config for airflow-sre

https://gerrit.wikimedia.org/r/1239029

Maintenance_bot removed a project: Patch-For-Review.Feb 12 2026, 1:31 PM
elukey added a comment.Feb 12 2026, 3:03 PM

To keep archives happy - I created a new pvc called airflow-sre-webrequest-to-cdn for airflow-sre, and created another one with the same name in airflow-dev (following T396495#11128447) for testing purposes.

The main idea is the following for the DAG:

Hive queries webrequest and saves to a file on HDFS ---> the file is copied in a persistent volume (from hdfs) ---> the file is copied from the pvc to puppetservers via rsync

gerritbot added a comment.Feb 19 2026, 2:52 PM

Change #1240714 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] profile::puppetserver: simplify analytics-sre's authorized key

https://gerrit.wikimedia.org/r/1240714

gerritbot added a project: Patch-For-Review.Feb 19 2026, 2:52 PM
gerritbot added a comment.Feb 19 2026, 3:38 PM

Change #1240714 merged by Elukey:

[operations/puppet@production] profile::puppetserver: simplify analytics-sre's authorized key

https://gerrit.wikimedia.org/r/1240714

Maintenance_bot removed a project: Patch-For-Review.Feb 19 2026, 4:32 PM
gerritbot added a comment.Feb 20 2026, 3:22 PM

Change #1241004 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] admin: set home dir for analytics-sre

https://gerrit.wikimedia.org/r/1241004

gerritbot added a project: Patch-For-Review.Feb 20 2026, 3:23 PM
gerritbot added a comment.Feb 20 2026, 3:34 PM

Change #1241004 merged by Elukey:

[operations/puppet@production] admin: set home dir for analytics-sre

https://gerrit.wikimedia.org/r/1241004

Maintenance_bot removed a project: Patch-For-Review.Feb 20 2026, 4:32 PM
gerritbot added a comment.Feb 20 2026, 4:35 PM

Change #1241012 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] profile::puppetserver: rework and fix the analytics-sre config

https://gerrit.wikimedia.org/r/1241012

gerritbot added a project: Patch-For-Review.Feb 20 2026, 4:35 PM
gerritbot added a comment.Feb 23 2026, 10:08 AM

Change #1241012 merged by Elukey:

[operations/puppet@production] profile::puppetserver: rework and fix the analytics-sre config

https://gerrit.wikimedia.org/r/1241012

elukey added a comment.Mar 3 2026, 8:10 AM

I am finally able to query a week worth of IPs from webrequest and dump a txt file on the puppetserver1001's volatile dir (one IP for each line, something that haproxy can ingest).

The airflow dag is still running in the dev env, I'll polish it and send a patch to merge it in main.

Next steps:

  • Refine the query to Hive.
  • File the merge request for the main branch of the airflow dag repo.
CodeReviewBot added a comment.Mar 13 2026, 8:50 AM

elukey opened https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/2082

Add the netaddr dependency and regenerate poetry's lock

CodeReviewBot added a comment.Mar 13 2026, 9:22 AM

elukey merged https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/2082

Add the netaddr dependency and regenerate poetry's lock

gerritbot added a comment.Mar 16 2026, 10:38 AM

Change #1253422 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/deployment-charts@master] Increase the size of the WAL volume for postgresql-airflow-sre

https://gerrit.wikimedia.org/r/1253422

gerritbot added a comment.Mar 16 2026, 10:56 AM

Change #1253422 merged by jenkins-bot:

[operations/deployment-charts@master] Increase the size of the WAL volume for postgresql-airflow-sre

https://gerrit.wikimedia.org/r/1253422

gerritbot added a comment.Mar 18 2026, 11:47 AM

Change #1254887 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/deployment-charts@master] dse-k8s-services: update the base Airflow image

https://gerrit.wikimedia.org/r/1254887

CodeReviewBot added a comment.Mar 18 2026, 12:19 PM

elukey updated https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/2100

Create the first webrequest-based pipeline for SRE

gerritbot added a comment.Mar 18 2026, 12:39 PM

Change #1254887 merged by Elukey:

[operations/deployment-charts@master] dse-k8s-services: update the base Airflow image

https://gerrit.wikimedia.org/r/1254887

CodeReviewBot added a comment.Apr 3 2026, 8:25 AM

elukey merged https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/2100

Create the first webrequest-based pipeline for SRE

CodeReviewBot added a comment.Apr 3 2026, 1:26 PM

elukey opened https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/2153

sre: fix container/pod security context for rsync task

CodeReviewBot added a comment.Apr 7 2026, 7:58 AM

elukey merged https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/2153

sre: fix container/pod security context for rsync task

gerritbot added a comment.May 6 2026, 3:55 PM

Change #1283821 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] profile::cache::haproxy: add webrequest-based ip reputation data

https://gerrit.wikimedia.org/r/1283821

gerritbot added a comment.Wed, May 20, 7:29 AM

Change #1283821 merged by Elukey:

[operations/puppet@production] profile::cache::haproxy: add webrequest-based ip reputation data

https://gerrit.wikimedia.org/r/1283821

gerritbot added a comment.Wed, May 20, 7:49 AM

Change #1289808 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] haproxy: Enable use_webrequest_ipreputation flag for cp7002/cp7012

https://gerrit.wikimedia.org/r/1289808

gerritbot added a comment.Wed, May 20, 8:02 AM

Change #1289808 merged by Elukey:

[operations/puppet@production] haproxy: Enable use_webrequest_ipreputation flag for cp7002/cp7012

https://gerrit.wikimedia.org/r/1289808

gerritbot added a comment.Wed, May 20, 7:14 PM

Change #1290047 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] P:cache::haproxy: guard webrequest IP reputation data for beta

https://gerrit.wikimedia.org/r/1290047

gerritbot added a comment.Thu, May 21, 12:52 PM

Change #1290047 merged by Ssingh:

[operations/puppet@production] P:cache::haproxy: guard webrequest IP reputation data for beta

https://gerrit.wikimedia.org/r/1290047

gerritbot added a comment.Thu, May 21, 1:30 PM

Change #1290767 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] role::cache::haproxy: move webrequest ip reputation exp to all magru

https://gerrit.wikimedia.org/r/1290767

gerritbot added a comment.Thu, May 21, 1:55 PM

Change #1290767 merged by Elukey:

[operations/puppet@production] role::cache::haproxy: move webrequest ip reputation exp to all magru

https://gerrit.wikimedia.org/r/1290767

gerritbot added a comment.Thu, Jun 4, 9:50 AM

Change #1297641 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] role::cache::{text,upload}: enable webrequest tagging in eqsin

https://gerrit.wikimedia.org/r/1297641

gerritbot added a comment.Thu, Jun 4, 1:21 PM

Change #1297641 merged by Elukey:

[operations/puppet@production] role::cache::{text,upload}: enable webrequest tagging in eqsin

https://gerrit.wikimedia.org/r/1297641

gerritbot added a comment.Fri, Jun 5, 3:55 PM

Change #1298318 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] role::cache::{text,upload}: enable webrequest tagging globally

https://gerrit.wikimedia.org/r/1298318

gerritbot added a comment.Mon, Jun 8, 3:06 PM

Change #1298318 merged by Elukey:

[operations/puppet@production] role::cache::{text,upload}: enable webrequest tagging globally

https://gerrit.wikimedia.org/r/1298318

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits