A tag for anything related to Kubernetes. For the discussion see T147187: Create a tag for #kubernetes.
See also:
Details
Details
Description
Yesterday
Yesterday
CDanis added a comment to T344171: Reverse DNS for k8s pods IPs.
As best I know here's the current state of this task:
JMeybohm updated the task description for T362408: Migration to containerd and away from docker.
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1074404 merged by JMeybohm:
[operations/puppet@production] ferm: Use ferm-status to restart ferm on wikikube-staging
https://gerrit.wikimedia.org/r/1074404
JMeybohm added a comment to T374729: Use kafka-main-[eqiad|codfw].external-services.svc.cluster.local to discover kafka brokers in kafka client running in k8s.
As no better ideas surfaced, I'll add the external-services DNS name to the SAN of the kafka broker certificates as it seems the easiest and most automated way of doing this.
gerritbot added a comment to T374729: Use kafka-main-[eqiad|codfw].external-services.svc.cluster.local to discover kafka brokers in kafka client running in k8s.
Change #1074411 had a related patch set uploaded (by JMeybohm; author: JMeybohm):
[operations/puppet@production] kafka::broker: Add the external-services DNS name to the certs
https://gerrit.wikimedia.org/r/1074411
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1074405 had a related patch set uploaded (by JMeybohm; author: JMeybohm):
[operations/puppet@production] ferm: Make reload via ferm-status the default
https://gerrit.wikimedia.org/r/1074405
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1074404 had a related patch set uploaded (by JMeybohm; author: JMeybohm):
[operations/puppet@production] ferm: Use ferm-status to restart ferm on wikikube-staging
https://gerrit.wikimedia.org/r/1074404
Maintenance_bot removed a project from T374366: Race condition in iptables rules during puppet runs on k8s nodes: Patch-For-Review.
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1074371 merged by JMeybohm:
[operations/puppet@production] ferm: Fix systemd override to not append ExecReload
https://gerrit.wikimedia.org/r/1074371
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1074371 had a related patch set uploaded (by JMeybohm; author: JMeybohm):
[operations/puppet@production] ferm: Fix systemd override to not append ExecReload
https://gerrit.wikimedia.org/r/1074371
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1074185 merged by JMeybohm:
[operations/puppet@production] ferm: Use ferm-status to start ferm on diffs
https://gerrit.wikimedia.org/r/1074185
Thu, Sep 19
Thu, Sep 19
gerritbot added a comment to T373195: Migrate Search Platform-owned helm charts to Calico Network Policies.
Change #1072597 abandoned by Bking:
[operations/deployment-charts@master] rdf-streaming-updater: trigger a savepoint before firewall changes
Reason:
Successfully migrated withinout savepoint
https://gerrit.wikimedia.org/r/1072597
bking updated the task description for T373195: Migrate Search Platform-owned helm charts to Calico Network Policies.
JMeybohm added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Fixing ferm_status.py is still not enough. When puppet corrects an on disk ferm config change (which has not been applied to iptables) back to the previous state, it does still reload ferm although ferm-status does return 0. Also the confd related code (requestctl rules) was restarting ferm via systemctl directly, bypassing the puppet service hack completely.
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1074185 had a related patch set uploaded (by JMeybohm; author: JMeybohm):
[operations/puppet@production] ferm: Use ferm-status to start ferm on diffs
https://gerrit.wikimedia.org/r/1074185
Maintenance_bot removed a project from T374366: Race condition in iptables rules during puppet runs on k8s nodes: Patch-For-Review.
gerritbot added a comment to T373195: Migrate Search Platform-owned helm charts to Calico Network Policies.
Change #1073842 abandoned by Bking:
[operations/deployment-charts@master] rdf-streaming-updater: remove references to old-style network policies
Reason:
we already did this in I6a040e53d9fb21b6d0f6cae6b3c9fa9ef64633c6
https://gerrit.wikimedia.org/r/1073842
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1074155 merged by JMeybohm:
[operations/puppet@production] profile::firewall: Absent confd config when it is disabled
https://gerrit.wikimedia.org/r/1074155
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1074155 had a related patch set uploaded (by JMeybohm; author: JMeybohm):
[operations/puppet@production] profile::firewall: Absent confd config when it is disabled
https://gerrit.wikimedia.org/r/1074155
Maintenance_bot removed a project from T374366: Race condition in iptables rules during puppet runs on k8s nodes: Patch-For-Review.
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1074113 merged by JMeybohm:
[operations/puppet@production] ferm: Allow to specify a different ferm-status command to use
https://gerrit.wikimedia.org/r/1074113
gerritbot added a comment to T353464: Migrate wikikube control planes to hardware nodes.
Change #1073857 merged by JMeybohm:
[operations/puppet@production] wikikube: Remove remaining hiera files and role for non stacked masters
https://gerrit.wikimedia.org/r/1073857
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1073859 merged by JMeybohm:
[operations/puppet@production] wikikube: Disable requestctl ferm rules and definitions
https://gerrit.wikimedia.org/r/1073859
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1074113 had a related patch set uploaded (by JMeybohm; author: JMeybohm):
[operations/puppet@production] ferm: Allow to specify a different ferm-status command to use
https://gerrit.wikimedia.org/r/1074113
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1073760 merged by JMeybohm:
[operations/puppet@production] Fix ferm_status to actually compare rules
https://gerrit.wikimedia.org/r/1073760
gerritbot added a comment to T373195: Migrate Search Platform-owned helm charts to Calico Network Policies.
Change #1074091 had a related patch set uploaded (by DCausse; author: DCausse):
[operations/deployment-charts@master] cirrus-streaming-updater: disable legacy network policies for kafka
https://gerrit.wikimedia.org/r/1074091
gerritbot added a comment to T373195: Migrate Search Platform-owned helm charts to Calico Network Policies.
Change #1074090 had a related patch set uploaded (by DCausse; author: DCausse):
[operations/deployment-charts@master] cirrus-streaming-update: enable calico network policies
https://gerrit.wikimedia.org/r/1074090
Wed, Sep 18
Wed, Sep 18
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1073859 had a related patch set uploaded (by JMeybohm; author: JMeybohm):
[operations/puppet@production] wikikube: Disable requestctl ferm rules and definitions
https://gerrit.wikimedia.org/r/1073859
gerritbot added a comment to T353464: Migrate wikikube control planes to hardware nodes.
Change #1073857 had a related patch set uploaded (by JMeybohm; author: JMeybohm):
[operations/puppet@production] wikikube: Remove remaining hiera files and role for non stacked masters
https://gerrit.wikimedia.org/r/1073857
gerritbot added a comment to T373195: Migrate Search Platform-owned helm charts to Calico Network Policies.
Change #1072243 merged by Bking:
[operations/deployment-charts@master] rdf-streaming-updater: switch to calico-based network policies
https://gerrit.wikimedia.org/r/1072243
gerritbot added a comment to T373195: Migrate Search Platform-owned helm charts to Calico Network Policies.
Change #1073842 had a related patch set uploaded (by Bking; author: Bking):
[operations/deployment-charts@master] rdf-streaming-updater: remove references to old-style network policies
https://gerrit.wikimedia.org/r/1073842
gerritbot added a comment to T373195: Migrate Search Platform-owned helm charts to Calico Network Policies.
Change #1072236 merged by jenkins-bot:
[operations/deployment-charts@master] flink-app: customize calico label selector
https://gerrit.wikimedia.org/r/1072236
isarantopoulos moved T369493: Migrate ml-staging/ml-serve clusters off of Pod Security Policies from Unsorted to Backlog/SRE on the Machine-Learning-Team board.
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1073760 had a related patch set uploaded (by JMeybohm; author: JMeybohm):
[operations/puppet@production] Fix ferm_status to actually compare rules
https://gerrit.wikimedia.org/r/1073760
Tue, Sep 17
Tue, Sep 17
dcausse added a comment to T374729: Use kafka-main-[eqiad|codfw].external-services.svc.cluster.local to discover kafka brokers in kafka client running in k8s.
In the RFC I read
In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.
JMeybohm added a comment to T374729: Use kafka-main-[eqiad|codfw].external-services.svc.cluster.local to discover kafka brokers in kafka client running in k8s.
It does not feel right to bake the external-services stuff into the kafka certificates. But if there is no option to make the library use the IPs for validation, that's probably the only way to go.
dcausse reopened T374729: Use kafka-main-[eqiad|codfw].external-services.svc.cluster.local to discover kafka brokers in kafka client running in k8s as "Open".
Thanks for looking into this!
Now failing with javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching kafka-main-eqiad.external-services.svc.cluster.local found use_all_dns_ips and now it seems that it wants to validate the hostname passed via bootstrap.servers...
I'll investigate more to see if there are more options, if we fail to workaround this do you think it'll be acceptable to add kafka-main-eqiad.external-services.svc.cluster.local as a valid alternative in the cert?
JMeybohm closed T374729: Use kafka-main-[eqiad|codfw].external-services.svc.cluster.local to discover kafka brokers in kafka client running in k8s as Resolved.
gerritbot added a comment to T374729: Use kafka-main-[eqiad|codfw].external-services.svc.cluster.local to discover kafka brokers in kafka client running in k8s.
Change #1073402 merged by JMeybohm:
[operations/puppet@production] kafka::broker: Populate cert SAN with hostname and IPs
https://gerrit.wikimedia.org/r/1073402
Maintenance_bot removed a project from T374366: Race condition in iptables rules during puppet runs on k8s nodes: Patch-For-Review.
JMeybohm added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
With 1073233 merged, ferm is correctly reloaded (not stopped/started) on notify:
gerritbot added a comment to T374366: Race condition in iptables rules during puppet runs on k8s nodes.
Change #1073233 merged by JMeybohm:
[operations/puppet@production] Don't restart(stop,start) ferm on puppet notify, use reload instead
https://gerrit.wikimedia.org/r/1073233
gerritbot added a comment to T374729: Use kafka-main-[eqiad|codfw].external-services.svc.cluster.local to discover kafka brokers in kafka client running in k8s.
Change #1073402 had a related patch set uploaded (by JMeybohm; author: JMeybohm):
[operations/puppet@production] kafka::broker: Populate cert SAN with hostname and IPs
https://gerrit.wikimedia.org/r/1073402