
network::constants::mw_appserver_networks is out of date (or named poorly?)
Open, Low, Public

Description

The $network::constants::mw_appserver_networks Puppet variable, used for access control in various places in Puppet, currently contains:

  • The public networks in eqiad/codfw rows a/b/c/d
  • The private networks in eqiad/codfw rows a/b/c/d/e/f
  • Kubernetes pod ranges for all production K8s clusters

There have been no MW app servers in the public networks since Wikitech was moved to Kubernetes, and recently there have been no app servers outside K8s at all. So if we take the original name of the variable at face value, presumably only the Wikikube ranges should remain listed in there and the rest need to be removed.

However, that variable (and the related deployable_networks variable) seems to be used for various other things these days. For example, the Apache site for Scap3 deploys appears to be restricted to that ACL as well. So it's possible that the variable just needs a rename (or some explanatory comments) to match its purpose in reality. (Or perhaps it should be removed entirely and replaced with some other authentication mechanism that doesn't rely on all-or-nothing network trust?)
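As an added illustration (not code from this task or from the operations/puppet repository), here is a small audit of a trust-ACL range list against a host inventory, the check the description describes doing by hand. The range names, CIDRs and hosts below are constructed placeholders, not the real contents of mw_appserver_networks.

```python
import ipaddress

# Constructed stand-in for the Puppet variable's contents (placeholder CIDRs,
# not the real production ranges).
MW_APPSERVER_NETWORKS = {
    "eqiad-public-a": "198.51.100.0/24",    # public row: assumed empty of app servers now
    "eqiad-private-a": "10.64.0.0/22",      # private row, still hosts deploy/other hosts
    "k8s-pods-wikikube": "10.67.128.0/18",  # Kubernetes pod range
}

# Constructed inventory of hosts that still need whatever this ACL protects.
ACTIVE_HOSTS = {
    "mw-web-pod-1": "10.67.130.5",
    "deploy1003": "10.64.1.20",
}


def audit_acl(networks, hosts):
    """Map each ACL range name to the inventory hosts that fall inside it.

    Ranges with an empty list admit nobody the inventory knows about: they
    are candidates for removal (or evidence the variable is misnamed).
    """
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    members = {name: [] for name in networks}
    for host, ip in hosts.items():
        addr = ipaddress.ip_address(ip)
        for name, net in parsed.items():
            # 'in' is False on an IPv4/IPv6 version mismatch, so mixed lists are safe.
            if addr in net:
                members[name].append(host)
    return members


def stale_ranges(networks, hosts):
    """Names of ranges no current host needs; sorted for stable review output."""
    return sorted(n for n, m in audit_acl(networks, hosts).items() if not m)


def unmatched_hosts(networks, hosts):
    """Hosts that sit in no listed range: the opposite failure, an ACL that
    would lock out a host that is still in service."""
    covered = {h for m in audit_acl(networks, hosts).values() for h in m}
    return sorted(h for h in hosts if h not in covered)


if __name__ == "__main__":
    print("stale ranges:", stale_ranges(MW_APPSERVER_NETWORKS, ACTIVE_HOSTS))
    print("uncovered hosts:", unmatched_hosts(MW_APPSERVER_NETWORKS, ACTIVE_HOSTS))
```

Feeding it the real variable and a host list from the inventory of record would show which entries are dead weight and which hosts a narrower ACL would cut off.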

Event Timeline

Restricted Application added a subscriber: Aklapper.
Clement_Goubert triaged this task as Low priority. Edited Tue, Dec 2, 3:49 PM
Clement_Goubert moved this task from Incoming 🐫 to 🥋Good First Task on the serviceops board.

Probably a good task to pair on with @Blake or @jasmine_, tracking down where that's used in puppet, how, and what we can deprecate or change to clarify intent.

Change #1214094 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Drop use of MW_APPSERVER_NETWORKS for ircstream now that mw* servers are gone

https://gerrit.wikimedia.org/r/1214094