Page MenuHomePhabricator
Create Task
Maniphest T403125

Investigate WMCS Magnum for GitLab runners
Closed, ResolvedPublic
Actions

Description

We run a Kubernetes cluster on Digital Ocean which runs testing workloads for GitLab CI on https://gitlab.wikimedia.org.

But accessing WMF infrastructure (either to call a MediaWiki api, Gerrit, or GitLab itself) is difficult from Digital Ocean due to rate-limiting and bot protection. Users are bumping up against this problem, too.

These problems go away if we use internal, WMF infrastructure.

This is a task to investigate running GitLab CI Kubernetes cluster on WMCS magnum.

Details

Related Changes in GitLab:
TitleReferenceAuthorSource BranchDest Branch
Draft: wmcs: Support WMCS Magnum as a k8s providerrepos/releng/gitlab-cloud-runner!551dduvallspike/wmcs-magnummain
Customize query in GitLab

Related Objects
Search...

Event Timeline

thcipriani created this task.Aug 27 2025, 9:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 27 2025, 9:00 PM
bd808 added a comment.Aug 27 2025, 9:09 PM

Tofu seems to be the nicest way to deploy a Magnum cluster. The https://gitlab.wikimedia.org/repos/releng/zuul/tofu-provisioning config is the most recent config I have been working on that includes Magnum/Kubernetes things.

One of the things needed is a Developer account and credentials to act as the service account for running Tofu. https://ldap.toolforge.org/user/zuuldevopsbot is an example of such an account. Using the release-engineering.$SUBPROJECT@toolforge.org email pattern means that all of the fine folks who are maintainers of https://toolsadmin.wikimedia.org/tools/id/release-engineering will get an email when something emails the bot. See T396902: Create service account user for OpenTofu automation for a past task for this sort of thing. T396247: Set up new project for Zuulv3+ pre-merge and non-image-build workloads and subtasks may have other interesting bits of information.

dduvall added a subtask: T406271: Grant gitlab-runners-staging access to fast-iops volume type and a 4xiops instance flavor.Oct 2 2025, 9:18 PM
bking subscribed.Oct 2 2025, 9:26 PM
Andrew closed subtask T406271: Grant gitlab-runners-staging access to fast-iops volume type and a 4xiops instance flavor as Resolved.Oct 8 2025, 2:59 PM
Jelto added a project: collaboration-services.Dec 4 2025, 9:42 AM
Jelto subscribed.
LSobanski moved this task from Incoming to Consultation on the collaboration-services board.Dec 8 2025, 4:47 PM
LSobanski subscribed.
dduvall merged a task: T353356: Experiment with WMCS as a k8s provider for gitlab-cloud-runner cluster.Feb 2 2026, 7:25 PM
dduvall added subscribers: dcaro, Andrew, Raymond_Ndibe and 2 others.
CodeReviewBot added a project: Patch-For-Review.Feb 2 2026, 8:13 PM

dduvall opened https://gitlab.wikimedia.org/repos/releng/gitlab-cloud-runner/-/merge_requests/551

Draft: wmcs: Support WMCS Magnum as a k8s provider

dduvall added a comment.Feb 2 2026, 8:22 PM

With some moderate refactoring (see https://gitlab.wikimedia.org/repos/releng/gitlab-cloud-runner/-/merge_requests/551), gitlab-cloud-runner has been successfully provisioned using WMCS Magnum. From the commit message:

  1. buildkit: Allow configuration of storage class and whether autoscaling should be enabled (we won't need to autoscale on WMCS). Also remove the configuration of a s3 based cache which has never been utilized.
  2. gitlab: Remove node selector/tolerations and parameterize s3 cache server configuration.
  3. digitalocean: Define outputs for configuration that can vary between k8s providers such k8s auth info, s3 server, and ingress cluster IP. Remove unused variables.
  4. wmcs: Introduce new module for WMCS Magnum based k8s provisioning. Outputs are all consistent with the digitalocean module so either can be used in the main cluster config.
  5. externaldns: Refactor to use the newer version.
  6. externaldns-designate: New module for DNS management via OpenStack Designate. This gives us host names for externally facing services (e.g. registry.gitlab-runners-staging.wmcloud.org).
  7. cluster: Select k8s provider module based on new cluster_provider variable and set a cluster local for provider module outputs. Refactor old references to digitalocean properties and use local.cluster instead. Move provider specific resources into wmcs.tf and digitalocean.tf.

Performance is comparable to the existing DO runners/buildkitd when using the new 4xiops volumes. We will also want to have node flavors with better iops in a production cluster. Multiple setup/teardown cycles show the Tofu based provisioning to be fairly reliable or at least as reliable as Tofu provisioning of DO resources.

dduvall closed this task as Resolved.Feb 2 2026, 10:16 PM
dduvall claimed this task.
dduvall mentioned this in T416256: [Epic] Migrate gitlab-cloud-runner to WMCS.
dduvall added a parent task: T416256: [Epic] Migrate gitlab-cloud-runner to WMCS.
fnegri added a comment.Feb 3 2026, 9:47 AM

Awesome work @dduvall, very excited to see this working! <3

Jelto awarded a token.Feb 9 2026, 10:54 AM
dcaro awarded a token.Feb 9 2026, 5:52 PM
thcipriani added a project: Essential-Work.Feb 21 2026, 12:00 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits