Page MenuHomePhabricator
Create Task
Maniphest T415701

Protect Catalyst/PatchDemo from aggressive bots at the ingress layer
Open, Stalled, Needs TriagePublic3 Estimated Story Points
Actions

Description

Our k3s uses Traefik.

In the past, we've mitigated aggressive bots at the apache layer of our projects. We should try to limit them as they enter our k8s to avoid having to update deployments with new apache configs.

Possibilities:

A.C.

  • Migrate the configuration from our https://patchdemo.wmcloud.org/ apache to traefik
  • Make it easy it update with our pipelines so we can respond quickly to new bots causing problems

Details

Other Assignee
EBomani
Related Changes in GitLab:
TitleReferenceAuthorSource BranchDest Branch
PoC: add Traefik configuration to clusterrepos/test-platform/catalyst/catalyst-tofu!27jnucheT415701-PoCmain
Draft: Update file traefik-config.yamlrepos/test-platform/catalyst/catalyst-tofu!24ebomaniT415701main
Draft: BotWrangler WIPrepos/test-platform/catalyst/patchdemo!246ebomani415701main
Customize query in GitLab

Related Objects
Search...

Event Timeline

thcipriani created this task.Jan 27 2026, 6:26 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 27 2026, 6:26 PM
thcipriani updated the task description. (Show Details)Jan 27 2026, 6:27 PM
thcipriani assigned this task to jeena.Jan 29 2026, 5:29 PM
thcipriani updated the task description. (Show Details)
thcipriani set the point value for this task to 3.
thcipriani moved this task from Backlog to Ready on the Catalyst (Luka Ijo Pimeja Jan) board.
thcipriani updated Other Assignee, added: EBomani.Jan 29 2026, 5:54 PM
EBomani added a project: Test Platform (Tkaronto Marathon 22).Feb 2 2026, 4:55 PM
CodeReviewBot added a comment.Feb 4 2026, 12:17 AM

tacsipacsi updated https://gitlab.wikimedia.org/repos/test-platform/catalyst/patchdemo/-/merge_requests/246

Draft: BotWrangler WIP

Tacsipacsi subscribed.Feb 4 2026, 12:18 AM
CodeReviewBot added a project: Patch-For-Review.Feb 4 2026, 6:57 PM

ebomani opened https://gitlab.wikimedia.org/repos/test-platform/catalyst/catalyst-tofu/-/merge_requests/24

Draft: Update file traefik-config.yaml

Peter subscribed.Feb 6 2026, 8:39 AM
jnuche subscribed.EditedMon, Feb 9, 5:58 PM

Unfortunately it seems the bot-wrangler-traefik-plugin plugin is not compatible with our current K3s production version v1.28.7+k3s1.

I tried deploying the latest version v0.10.1 and ran into the following error:

time="2026-02-09T16:24:03Z" level=error msg="Plugins are disabled because an error has occurred." error="github.com/holysoles/bot-wrangler-traefik-plugin: failed to import plugin code \"github.com/holysoles/bot-wrangler-traefik-plugin\": 1:21: import \"github.com/holysoles/bot-wrangler-traefik-plugin\" error: plugins-storage/sources/gop-2486277708/src/github.com/holysoles/bot-wrangler-traefik-plugin/wrangler.go:12:2: import \"github.com/holysoles/bot-wrangler-traefik-plugin/pkg/botmanager\" error: plugins-storage/sources/gop-2486277708/src/github.com/holysoles/bot-wrangler-traefik-plugin/pkg/botmanager/botmanager.go:14:2: import \"github.com/holysoles/bot-wrangler-traefik-plugin/pkg/config\" error: plugins-storage/sources/gop-2486277708/src/github.com/holysoles/bot-wrangler-traefik-plugin/pkg/config/config.go:8:2: import \"slices\" error: unable to find source related to: \"slices\""

slices was added in go 1.21. At the same time, traefik uses a go interpreter named yaegi under the hood. At the time K3s v1.28.7+k3s1 was released, yaegi didn't support go 1.21, see: https://github.com/traefik/yaegi/issues/1608#issuecomment-1937084471

I tried using the earliest bot-wrangler-traefik-plugin release in this MR, but that release (v0.1.0) is still too recent and runs into the same issue.

All of the above means we will have to either:

  • Update the K3s cluster version. We already have a ticket for that: T400077
  • Try a different plugin and/or approach
CodeReviewBot added a comment.Mon, Feb 9, 5:59 PM

jnuche updated https://gitlab.wikimedia.org/repos/test-platform/catalyst/catalyst-tofu/-/merge_requests/27

PoC: add Traefik configuration to cluster

AMarkossyan-WMF edited projects, added Test Platform (Črnomerec 24); removed Test Platform (Tkaronto Marathon 22).Tue, Feb 10, 4:06 PM
AMarkossyan-WMF moved this task from Črnomerec 24 to Wernigerode 23 on the Test Platform board.Tue, Feb 10, 4:39 PM
AMarkossyan-WMF edited projects, added Test Platform (Wernigerode 23); removed Test Platform (Črnomerec 24).
AMarkossyan-WMF moved this task from Backlog to In Progress on the Test Platform (Wernigerode 23) board.Tue, Feb 10, 4:43 PM
thcipriani changed the task status from Open to Stalled.Thu, Feb 19, 5:24 PM
thcipriani added a subtask: T400077: Upgrade K3s cluster to most recent stable version.
thcipriani moved this task from Ready to Backlog on the Catalyst (Luka Ijo Pimeja Jan) board.

Plugins require k3s upgrade, stalling until we do that.

AMarkossyan-WMF edited projects, added Test Platform (Črnomerec 24); removed Test Platform (Wernigerode 23).Tue, Mar 10, 3:45 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits