The current list of tools relying on this functionality is at P87548. Of those, a couple are simple redirects that can be replaced with https://wikitech.wikimedia.org/wiki/Tool:Containers#Redirect_container, but the ones proxying to external upstream servers will need an another solution.

Mentioned in SAL (#wikimedia-cloud) [2026-01-15T12:49:21Z] <taavi> migrate to tool-containers/redirect T414674

Mentioned in SAL (#wikimedia-cloud) [2026-01-15T12:50:45Z] <taavi> migrate to tool-containers/redirect T414674

Change #1227321 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:toolforge: k8s: haproxy: Handle plain toolforge.org domain

https://gerrit.wikimedia.org/r/1227321

Change #1227321 merged by Majavah:

[operations/puppet@production] P:toolforge: k8s: haproxy: Handle plain toolforge.org domain

https://gerrit.wikimedia.org/r/1227321

In T414674#11524714, @taavi wrote:

The current list of tools relying on this functionality is at P87548. Of those, a couple are simple redirects that can be replaced with https://wikitech.wikimedia.org/wiki/Tool:Containers#Redirect_container, but the ones proxying to external upstream servers will need an another solution.

I will try to make a reverse proxy container in the same spirit as the redirect container. I can borrow from things I learned building https://gitlab.wikimedia.org/toolforge-repos/gitlab-content to make something relatively light weight I think.

In T414674#11529957, @bd808 wrote:

I will try to make a reverse proxy container in the same spirit as the redirect container. I can borrow from things I learned building https://gitlab.wikimedia.org/toolforge-repos/gitlab-content to make something relatively light weight I think.

That would be very helpful, thank you!

Do you have thoughs already on how that would deal with tools that currently host a "normal" web service in addition to those reverse proxies? (e.g. tool-moedata has four proxy ingresses in addition to the mail webservice, it seems.)

In T414674#11529972, @taavi wrote:

In T414674#11529957, @bd808 wrote:

I will try to make a reverse proxy container in the same spirit as the redirect container. I can borrow from things I learned building https://gitlab.wikimedia.org/toolforge-repos/gitlab-content to make something relatively light weight I think.

That would be very helpful, thank you!

Do you have thoughs already on how that would deal with tools that currently host a "normal" web service in addition to those reverse proxies? (e.g. tool-moedata has four proxy ingresses in addition to the mail webservice, it seems.)

I was assuming that any Kubernetes Ingress solution should allow routing a path to a service. The jobs service can handle starting a continuous job and exposing a port controlled by that job as a Service object. I think we can then still specify an Ingress that routes a subset of a tool's traffic to that Service based on the request path. There are some Ingress objects like the proxy-scdn Ingress in the bd808-test tool that are using pathType: ImplementationSpecific in their routing, but I think this has generally been done to simplify configuration by specifying a regex like /scdn(/|$)(.*) for the handled path rather than adding two Ingress objects where one handles the /scdn exact path and another handles the /scdn/ prefix path. If we find an instance that has some more complicated need than the exact + prefix combo the easiest answer might end up being embedding a reverse proxy within the main webservice, but that's just a guess until I see a complicated use case in practice.