Page MenuHomePhabricator
Create Task
Maniphest T411895

gerrit behind CDN
Closed, ResolvedPublic
Actions

Description

public tracking version of T365259

  • Assign the new public IPs: a v4 and a v6 in each of the DC-specific public service address ranges (example)
    • create DNS records gerrit-lb.$DC.wikimedia.org (should be done by Netbox semi-automatically)

Acceptance criteria before continuing:

  • on a cache_text host, curl -v https://gerrit.wikimedia.org --connect-to ::localhost
    • this MUST show a HTTP 302 to Location: https://gerrit.wikimedia.org/r/
    • must NOT serve a 5xx error, or show the default Mediawiki page served (HTTP 200 with resp hdr < server: mw-web.xxxx...)
  • on a cache_text host, curl -s https://gerrit.wikimedia.org/r/ --connect-to ::localhost | grep 'Gerrit Code Review'
    • this MUST complete successfully, with a match on the <meta name="description" ...> tag
  • on a cache_text host, ip a show lo output includes the public IPs for gerrit-lb.$DC.wikimedia.org

At this point the new IP (& new data path) are accessible externally. Thus we should proceed to:

  • Opt-in SRE & developer testing
    • Write instructions and/or ship tunnelencabulator feature: modify /etc/hosts to point gerrit.wikimedia.org to the new, CDN-fronted public IP https://gerrit.wikimedia.org/r/c/operations/debs/wmf-laptop/+/1227395
    • One full business day of testing with several volunteers?
      • write a mail to wider-sre list? | not needed, but we are mailing ops and wikitech-l about the switch ---
  • [ ] per @taavi, determine whether or not we want to also include the new Gerrit IPs on the Cloud VPS egress NAT exemption list, as the old ones are on there. (We probably do want to?)
  • Migrate the public gerrit.wikimedia.org DNS record: gerrit 180 IN DYNA geoip!gerrit-addrs https://gerrit.wikimedia.org/r/1215709
  • test and document emergency access when the CDN is down
    • tunneling using tunnelencabulator documented here

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
gerrit: fix failing discovery dns lookup in test specoperations/puppetproduction+6 -0
gerrit: remove CDN lookups from sshkeyoperations/puppetproduction+0 -4
gerrit: limit access to http/https/ssh in firewalloperations/puppetproduction+14 -24
gerrit tcp haproxy: rationalize timeoutsoperations/puppetproduction+5 -3
wikimedia: revert gerrit behind the CDNoperations/dnsmaster+4 -1
gerrit: update switchover related cookbooksoperations/cookbooksmaster+23 -23
gerrit::sshkey: add gerrit-lb IPs to host_aliases ssh keyoperations/puppetproduction+14 -0
switch gerrit service IP to CDNoperations/dnsmaster+1 -3
Cloud-vrf-in: remove exception to allow Cloud VPS private IPs reach gerritoperations/homer/publicmaster+0 -5
cloudgw: add gerrit-lb IPs to Cloud VPS egress NAT exemption listoperations/puppetproduction+14 -0
tunnelencabulator: simple IPv6 supportoperations/debs/wmf-laptopmaster+47 -15
services: gerrit* --> monitoring_setupoperations/puppetproduction+2 -2
tunnelencabulator: Gerrit/CDN 🚀operations/debs/wmf-laptopmaster+19 -5
LVS/gerrit: codfwoperations/puppetproduction+1 -0
LVS/gerrit: eqiadoperations/puppetproduction+1 -0
Liberica/gerrit: 🌍‼️ 🎊operations/puppetproduction+12 -2
gerrit/Liberica: eqsinoperations/puppetproduction+5 -0
gerrit/Liberica: expand to drmrsoperations/puppetproduction+5 -0
tcp-proxy: allow lb healthchecksoperations/puppetproduction+1 -1
lvs7001: add gerrit servicesoperations/puppetproduction+2 -0
gerrit services: lvs_setup! but only in magru.operations/puppetproduction+5 -16
lvs7003: add gerrit-ssh and gerrit-httpsoperations/puppetproduction+2 -0
cache_text: add gerrit-https to realserversoperations/puppetproduction+4 -0
ats: gerrit: use LetsEncrypt CA for gerritoperations/puppetproduction+3 -0
add gerrit-ssh and gerrit-https to liberica services on lvs7003operations/puppetproduction+2 -0
Show related patches Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedDzahnT411895 gerrit behind CDN
 ResolvedNoneT411904 ATS/Gerrit: validate TLS hosts for gerrit (revert workaround that skips validation)
 ResolvedCDanisT414719 Opt-in testing of Gerrit-via-CDN
 ResolvedABran-WMFT414940 Handle httpd log surplus coming from Liberica
 ResolvedJeltoT416189 Add monitoring and alerting for gerrits tcp-proxy
 ResolvedDzahnT408532 Deploy a TCP proxy across all DCs
 ResolvedDzahnT408064 Site: 14 VMs request for tcp-proxy (gerrit-ssh-proxy)
 ResolvedJeltoT417156 Pushing to gerrit over http is blocked by generic rate limiting
 ResolvedVgutierrezT417536 ATS causes git fetches from Gerrit to fail with 502 responses
 DuplicateNoneT417897 Debug - ATS causes git fetches from Gerrit to fail with 502 responses
 ResolvedABran-WMFT418108 gerrit: move gerrit-replica behind CDN
 ResolvedABran-WMFT417998 ATS: align ATS and Gerrit Apache timeouts to reenable connection re-use
 ResolvedABran-WMFT420174 ProbeDown - Service gerrit2003:443 has failed probes (http_gerrit_tls_ip4)
 ResolvedABran-WMFT420189 Gerrit: Debug connection re-use on Gerrit's httpd causing Gerrit interface to be very slow
 ResolvedABran-WMFT420311 SystemdUnitFailed - rsync-lfs_replica_sync.service on gerrit2002:9100
 ResolvedABran-WMFT420432 ProbeDown - Service gerrit2003:443 has failed probes (http_gerrit_tls_ip4
 ResolvedABran-WMFT420909 gerrit: Add Envoy in Gerrit's stack
 ResolvedABran-WMFT421827 gerrit: Adapt timeouts to avoid 502 errors in CI jobs
 OpenNoneT424990 Implement a retry policy for network errors in CI
 ResolvedABran-WMFT418361 gerrit: move gerrit-spare behind CDN
Restricted Task
Restricted Task
 ResolvedABran-WMFT420677 GerritHAProxyBackendUnavailable - Gerrit backend is unavilable for tcp-proxy (HAProxy) gerrit_ssh
Restricted Task
Restricted Task
Restricted Task
Restricted Task
Restricted Task

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
gerritbot added a comment.Jan 14 2026, 9:03 PM

Change #1215389 merged by CDanis:

[operations/puppet@production] gerrit services: lvs_setup! but only in magru.

https://gerrit.wikimedia.org/r/1215389

gerritbot added a comment.Jan 14 2026, 9:14 PM

Change #1215398 merged by CDanis:

[operations/puppet@production] lvs7001: add gerrit services

https://gerrit.wikimedia.org/r/1215398

CDanis added a comment.Jan 14 2026, 9:28 PM

🎉 the ssh port isn't yet working, but https is!

💙cdanis@wmftop ~ 🕟🍵 curl -s https://gerrit.wikimedia.org/r/ --connect-to ::gerrit-lb.magru.wikimedia.org | grep 'Gerrit Code Review'
<meta name="description" content="Gerrit Code Review">

💙cdanis@wmftop ~ 🕟🍵 curl https://gerrit.wikimedia.org --connect-to ::gerrit-lb.magru.wikimedia.org
<!DOCTYPE HTML PUBLIC "-IETFDTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://gerrit.wikimedia.org/r/">here</a>.</p>
</body></html>

gerritbot added a comment.Jan 14 2026, 10:10 PM

Change #1226951 had a related patch set uploaded (by CDanis; author: CDanis):

[operations/puppet@production] tcp-proxy: allow lb healthchecks

https://gerrit.wikimedia.org/r/1226951

gerritbot added a comment.Jan 14 2026, 10:16 PM

Change #1226951 merged by CDanis:

[operations/puppet@production] tcp-proxy: allow lb healthchecks

https://gerrit.wikimedia.org/r/1226951

Dzahn awarded a token.Jan 15 2026, 6:14 AM
ABran-WMF awarded a token.Jan 15 2026, 7:25 AM
gerritbot added a comment.Jan 15 2026, 2:45 PM

Change #1227348 had a related patch set uploaded (by CDanis; author: CDanis):

[operations/puppet@production] gerrit/Liberica: eqsin

https://gerrit.wikimedia.org/r/1227348

gerritbot added a comment.Jan 15 2026, 3:02 PM

Change #1215693 merged by CDanis:

[operations/puppet@production] gerrit/Liberica: expand to drmrs

https://gerrit.wikimedia.org/r/1215693

CDanis added a comment.Jan 15 2026, 3:13 PM

💙cdanis@wmftop ~ 🕙☕ DC=magru ; curl -I -X GET https://gerrit.wikimedia.org --connect-to ::gerrit-lb.${DC}.wikimedia.org ; nc -vW1 gerrit-lb.${DC}.wikimedia.org 29418
HTTP/2 302
date: Thu, 15 Jan 2026 15:10:29 GMT
server: Apache
location: https://gerrit.wikimedia.org/r/
content-length: 215
content-type: text/html; charset=iso-8859-1
age: 1
vary: X-Forwarded-Proto
x-cache: cp7008 miss, cp7008 pass
x-cache-status: pass
server-timing: cache;desc="pass", host;desc="cp7008"
strict-transport-security: max-age=106384710; includeSubDomains; preload
report-to: { "group": "wm_nel", "max_age": 604800, "endpoints": [{ "url": "https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c/reportingapi/network_error/1.0.0" }] }
nel: { "report_to": "wm_nel", "max_age": 604800, "failure_fraction": 0.05, "success_fraction": 0.0}
set-cookie: WMF-Uniq=lduuB793lSeIP6Ao8KGhOQLpAAAAAFvdmXX8iIiZ92DS7Rg0aVcUoUhHLVdOEKDe;Domain=gerrit.wikimedia.org;Path=/;HttpOnly;secure;SameSite=None;Expires=Fri, 15 Jan 2027 00:00:00 GMT
x-request-id: 2f56b390-8ac2-49e6-9794-6de1c5215d95

Connection to gerrit-lb.magru.wikimedia.org (195.200.68.225) 29418 port [tcp/*] succeeded!
SSH-2.0-GerritCodeReview_3.10.6 (APACHE-SSHD-2.12.0)

gerritbot added a comment.Jan 15 2026, 3:28 PM

Change #1227356 had a related patch set uploaded (by CDanis; author: CDanis):

[operations/puppet@production] Liberica/gerrit: 🌍‼️ 🎊

https://gerrit.wikimedia.org/r/1227356

gerritbot added a comment.Jan 15 2026, 3:36 PM

Change #1227348 merged by CDanis:

[operations/puppet@production] gerrit/Liberica: eqsin

https://gerrit.wikimedia.org/r/1227348

gerritbot added a comment.Jan 15 2026, 3:36 PM

Change #1227356 merged by CDanis:

[operations/puppet@production] Liberica/gerrit: 🌍‼️ 🎊

https://gerrit.wikimedia.org/r/1227356

gerritbot added a comment.Jan 15 2026, 3:51 PM

Change #1227363 had a related patch set uploaded (by CDanis; author: CDanis):

[operations/puppet@production] LVS/gerrit: eqiad

https://gerrit.wikimedia.org/r/1227363

Stashbot added a comment.Jan 15 2026, 5:02 PM

Mentioned in SAL (#wikimedia-operations) [2026-01-15T17:02:10Z] <cdanis> 💙cdanis@cumin1003.eqiad.wmnet ~ 🕛☕ sudo cumin 'A:lvs-eqiad' 'disable-puppet T411895'

gerritbot added a comment.Jan 15 2026, 5:02 PM

Change #1227363 merged by CDanis:

[operations/puppet@production] LVS/gerrit: eqiad

https://gerrit.wikimedia.org/r/1227363

gerritbot added a comment.Jan 15 2026, 5:22 PM

Change #1227391 had a related patch set uploaded (by CDanis; author: CDanis):

[operations/puppet@production] LVS/gerrit: codfw

https://gerrit.wikimedia.org/r/1227391

Stashbot added a comment.Jan 15 2026, 5:34 PM

Mentioned in SAL (#wikimedia-operations) [2026-01-15T17:34:38Z] <cdanis> 💙cdanis@cumin1003.eqiad.wmnet ~ 🕧☕ sudo cumin 'A:lvs-codfw' 'disable-puppet T411895'

gerritbot added a comment.Jan 15 2026, 5:34 PM

Change #1227391 merged by CDanis:

[operations/puppet@production] LVS/gerrit: codfw

https://gerrit.wikimedia.org/r/1227391

Stashbot added a comment.Jan 15 2026, 5:45 PM

Mentioned in SAL (#wikimedia-operations) [2026-01-15T17:44:59Z] <cdanis> 💙cdanis@cumin1003.eqiad.wmnet ~ 🕧☕ sudo cumin 'A:lvs-codfw or A:lvs-eqiad' 'enable-puppet T411895'

gerritbot added a comment.Jan 15 2026, 6:00 PM

Change #1227395 had a related patch set uploaded (by CDanis; author: CDanis):

[operations/debs/wmf-laptop@master] tunnelencabulator: Gerrit/CDN 🚀

https://gerrit.wikimedia.org/r/1227395

gerritbot added a comment.Jan 15 2026, 6:55 PM

Change #1227395 merged by CDanis:

[operations/debs/wmf-laptop@master] tunnelencabulator: Gerrit/CDN 🚀

https://gerrit.wikimedia.org/r/1227395

CDanis updated the task description. (Show Details)Jan 15 2026, 6:57 PM
CDanis created subtask T414719: Opt-in testing of Gerrit-via-CDN.Jan 15 2026, 7:14 PM
gerritbot added a comment.Jan 15 2026, 8:02 PM

Change #1227423 had a related patch set uploaded (by CDanis; author: CDanis):

[operations/puppet@production] services: gerrit* --> monitoring_setup

https://gerrit.wikimedia.org/r/1227423

gerritbot added a comment.Jan 16 2026, 4:38 PM

Change #1227846 had a related patch set uploaded (by CDanis; author: CDanis):

[operations/debs/wmf-laptop@master] tunnelencabulator: simple IPv6 support

https://gerrit.wikimedia.org/r/1227846

gerritbot added a comment.Jan 16 2026, 5:21 PM

Change #1227846 merged by CDanis:

[operations/debs/wmf-laptop@master] tunnelencabulator: simple IPv6 support

https://gerrit.wikimedia.org/r/1227846

ABran-WMF created subtask T414940: Handle httpd log surplus coming from Liberica.Jan 19 2026, 10:14 AM
ABran-WMF closed subtask T414940: Handle httpd log surplus coming from Liberica as Resolved.Jan 19 2026, 4:12 PM
LSobanski reopened subtask T414940: Handle httpd log surplus coming from Liberica as Open.Jan 19 2026, 4:12 PM
ABran-WMF closed subtask T414940: Handle httpd log surplus coming from Liberica as Resolved.Jan 19 2026, 4:13 PM
Jelto created subtask T416189: Add monitoring and alerting for gerrits tcp-proxy.Feb 2 2026, 3:48 PM
Jelto mentioned this in T416189: Add monitoring and alerting for gerrits tcp-proxy.
Dzahn updated the task description. (Show Details)Feb 3 2026, 11:38 PM
Dzahn mentioned this in T394271: Separate Gerrit https and ssh/git hostnames.Feb 3 2026, 11:41 PM
Dzahn mentioned this in T414719: Opt-in testing of Gerrit-via-CDN.Feb 3 2026, 11:44 PM
Dzahn added a comment.Feb 3 2026, 11:46 PM

At this point I think we can say that T394271 Separate Gerrit https and ssh/git hostnames was not needed after all and can be closed as declined.

T394271#11581341

Dzahn mentioned this in T412779: Gerrit failover process.Feb 3 2026, 11:59 PM
Jelto closed subtask T416189: Add monitoring and alerting for gerrits tcp-proxy as Resolved.Feb 6 2026, 1:00 PM
gerritbot added a comment.Feb 9 2026, 12:23 PM

Change #1237887 had a related patch set uploaded (by Jelto; author: Jelto):

[operations/puppet@production] gerrit::sshkey: add gerrit-lb IPs to host_aliases ssh key

https://gerrit.wikimedia.org/r/1237887

gerritbot added a comment.Feb 9 2026, 5:15 PM

Change #1237887 merged by Dzahn:

[operations/puppet@production] gerrit::sshkey: add gerrit-lb IPs to host_aliases ssh key

https://gerrit.wikimedia.org/r/1237887

Dzahn closed subtask T414719: Opt-in testing of Gerrit-via-CDN as Resolved.Feb 9 2026, 6:27 PM
Dzahn changed the status of subtask T411904: ATS/Gerrit: validate TLS hosts for gerrit (revert workaround that skips validation) from Stalled to Open.Feb 9 2026, 8:15 PM
Dzahn added a subtask: T408532: Deploy a TCP proxy across all DCs.Feb 9 2026, 8:17 PM
Dzahn updated the task description. (Show Details)Feb 9 2026, 8:21 PM
gerritbot added a comment.Feb 9 2026, 8:36 PM

Change #1238021 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] cloudgw: add gerrit-lb IPs to Cloud VPS egress NAT exemption list

https://gerrit.wikimedia.org/r/1238021

Dzahn updated the task description. (Show Details)Feb 9 2026, 9:00 PM
cmooney subscribed.Feb 9 2026, 9:04 PM

@taavi what is the rationale for having these on the NAT exemption list? I would have thought cloud vps instances could just access gerrit like anything else on the internet and go through the NAT?

Andrew updated the task description. (Show Details)Feb 9 2026, 9:42 PM
gerritbot added a comment.Feb 9 2026, 10:01 PM

Change #1238042 had a related patch set uploaded (by Cathal Mooney; author: Cathal Mooney):

[operations/homer/public@master] Cloud-vrf-in: remove exception to allow Cloud VPS private IPs reach gerrit

https://gerrit.wikimedia.org/r/1238042

gerritbot added a comment.Feb 9 2026, 10:19 PM

Change #1238021 abandoned by Dzahn:

[operations/puppet@production] cloudgw: add gerrit-lb IPs to Cloud VPS egress NAT exemption list

https://gerrit.wikimedia.org/r/1238021

Dzahn changed the task status from Open to In Progress.Feb 10 2026, 1:10 AM
Dzahn added a subscriber: Andrew.Feb 10 2026, 1:16 AM

per IRC discussion: The (existing, pre-CDN) Gerrit IPs have been removed from cloudgw "dmz_cidr" list because we think they are not needed and then we don't have to think about them again in the future.

The patch to add the new, post-CDN Gerrit IPs has been abandoned. But if for some reason we needed them after all that could be restored.

Thanks to @Andrew and wmcs-team for taking this on in an ad-hoc manner.

gerritbot added a comment.Feb 10 2026, 12:56 PM

Change #1238042 merged by jenkins-bot:

[operations/homer/public@master] Cloud-vrf-in: remove exception to allow Cloud VPS private IPs reach gerrit

https://gerrit.wikimedia.org/r/1238042

gerritbot added a comment.Feb 10 2026, 3:22 PM

Change #1238376 had a related patch set uploaded (by Arnaudb; author: Arnaudb):

[operations/cookbooks@master] gerrit: update switchover related cookbooks

https://gerrit.wikimedia.org/r/1238376

Stashbot added a comment.Feb 10 2026, 3:55 PM

Mentioned in SAL (#wikimedia-operations) [2026-02-10T15:55:01Z] <topranks> remove ACL entry permitting Cloud VPS private IP addresses direct access to gerrit.wikimedia.org T411895

gerritbot added a comment.Feb 10 2026, 4:05 PM

Change #1215709 merged by Dzahn:

[operations/dns@master] switch gerrit service IP to CDN

https://gerrit.wikimedia.org/r/1215709

Dzahn updated the task description. (Show Details)Feb 10 2026, 4:21 PM
Dzahn closed this task as Resolved.Feb 10 2026, 4:33 PM
Dzahn claimed this task.

This has happened. The DNS switch has been made.

example from US west:

host gerrit.wikimedia.org
gerrit.wikimedia.org has address 198.35.26.97

host 198.35.26.97
97.26.35.198.in-addr.arpa domain name pointer gerrit-lb.ulsfo.wikimedia.org.
Jelto awarded a token.Feb 11 2026, 9:40 AM
Jelto created subtask T417156: Pushing to gerrit over http is blocked by generic rate limiting.Feb 11 2026, 11:58 AM
Jelto mentioned this in T417156: Pushing to gerrit over http is blocked by generic rate limiting.
CDanis closed subtask T417156: Pushing to gerrit over http is blocked by generic rate limiting as Resolved.Feb 11 2026, 6:47 PM
gerritbot added a comment.Feb 12 2026, 1:06 AM

Change #1238400 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] gerrit: limit access to http/https/ssh in firewall

https://gerrit.wikimedia.org/r/1238400

Jelto created subtask Restricted Task.Feb 12 2026, 11:49 AM
gerritbot added a comment.Feb 12 2026, 3:18 PM

Change #1238376 merged by jenkins-bot:

[operations/cookbooks@master] gerrit: update switchover related cookbooks

https://gerrit.wikimedia.org/r/1238376

Jelto created subtask T417536: ATS causes git fetches from Gerrit to fail with 502 responses.Feb 16 2026, 7:47 AM
hashar mentioned this in T417536: ATS causes git fetches from Gerrit to fail with 502 responses.Feb 16 2026, 2:09 PM
hashar mentioned this in T417497: Gerrit events not received by Zuul due to TCP Proxy timeout (CI is not triggered for some patches).Feb 17 2026, 7:13 AM
gerritbot added a comment.Feb 17 2026, 8:03 AM

Change #1239878 had a related patch set uploaded (by Jelto; author: Jelto):

[operations/dns@master] wikimedia: revert gerrit behind the CDN

https://gerrit.wikimedia.org/r/1239878

gerritbot added a comment.Feb 18 2026, 7:54 AM

Change #1239878 abandoned by Jelto:

[operations/dns@master] wikimedia: revert gerrit behind the CDN

Reason:

not needed anymore, temporary workaround was found

https://gerrit.wikimedia.org/r/1239878

hashar subscribed.Feb 19 2026, 2:41 PM

Note this has caused T417536: ATS causes git fetches from Gerrit to fail with 502 responses and T417497: Gerrit events not received by Zuul due to TCP Proxy timeout (CI is not triggered for some patches)

hashar closed subtask T417536: ATS causes git fetches from Gerrit to fail with 502 responses as Resolved.Feb 19 2026, 2:47 PM
gerritbot added a comment.Feb 19 2026, 4:30 PM

Change #1240747 had a related patch set uploaded (by CDanis; author: CDanis):

[operations/puppet@production] gerrit tcp haproxy: rationalize timeouts

https://gerrit.wikimedia.org/r/1240747

gerritbot added a comment.Feb 19 2026, 5:41 PM

Change #1240747 merged by Dzahn:

[operations/puppet@production] gerrit tcp haproxy: rationalize timeouts

https://gerrit.wikimedia.org/r/1240747

hashar added a comment.EditedFeb 20 2026, 3:10 PM
In T411895#11632265, @hashar wrote:

Note this has caused T417536: ATS causes git fetches from Gerrit to fail with 502 responses and T417497: Gerrit events not received by Zuul due to TCP Proxy timeout (CI is not triggered for some patches)

Both issues have no been solved. I have filed follow up actions which are both related to timeouts:

And an extra one:

Jelto changed the status of subtask Restricted Task from Open to Stalled.Feb 27 2026, 10:22 AM
Jelto changed the status of subtask Restricted Task from Stalled to Open.Mar 4 2026, 1:27 PM
hashar mentioned this in T418472: The quibble-with-gated-extensions-vendor-mysql-php83 CI job for WikibaseMediaInfo failed due to a transient network error during the Zuul clone phase. No tests were executed..Mar 5 2026, 8:38 AM
gerritbot added a comment.Mar 5 2026, 10:15 AM

Change #1238400 merged by Jelto:

[operations/puppet@production] gerrit: limit access to http/https/ssh in firewall

https://gerrit.wikimedia.org/r/1238400

ABran-WMF added a comment.Mar 5 2026, 10:37 AM

thanks @Jelto for the merge and puppet-agent runs, both spare and replica are still receiving replication traffic and are reachable by the CDN, but the public traffic has been dropped.

gerritbot added a comment.Mar 5 2026, 2:10 PM

Change #1248484 had a related patch set uploaded (by Jelto; author: Jelto):

[operations/puppet@production] gerrit: remove CDN lookups from sshkey

https://gerrit.wikimedia.org/r/1248484

gerritbot added a comment.Mar 5 2026, 2:16 PM

Change #1248484 merged by Jelto:

[operations/puppet@production] gerrit: remove CDN lookups from sshkey

https://gerrit.wikimedia.org/r/1248484

Jelto closed subtask Restricted Task as Resolved.Mar 10 2026, 10:33 AM
gerritbot added a comment.Mar 11 2026, 2:22 PM

Change #1250601 had a related patch set uploaded (by Jelto; author: Jelto):

[operations/puppet@production] gerrit: fix failing discovery dns lookup in test spec

https://gerrit.wikimedia.org/r/1250601

gerritbot added a comment.Mar 12 2026, 2:29 PM

Change #1250601 merged by Jelto:

[operations/puppet@production] gerrit: fix failing discovery dns lookup in test spec

https://gerrit.wikimedia.org/r/1250601

ABran-WMF added a subtask: Restricted Task.Mar 19 2026, 3:17 PM
ABran-WMF closed subtask Restricted Task as Resolved.Mar 24 2026, 1:29 PM
ABran-WMF closed subtask T411904: ATS/Gerrit: validate TLS hosts for gerrit (revert workaround that skips validation) as Resolved.Apr 2 2026, 12:18 PM
Dzahn mentioned this in T425441: gitlab behind CDN.Tue, May 5, 4:05 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits