
production/scheduler: Allow access from staging-runner0 to scheduler-rpc

Guillaume Samson requested to merge update_scheduler_rpc_ingress into production

The Gitlab runner of the AFN pipeline is in the staging network.
The first configuration in the jobs container used the cls: postgres.
The database login failed...

root@runner0:/etc/swh# nc -zv scheduler.internal.softwareheritage.org 5432
nc: connect to scheduler.internal.softwareheritage.org (192.168.100.139) port 5432 (tcp) failed: Connection refused
root@runner0:/etc/swh# psql -d 'host=db.internal.softwareheritage.org port=5432 user=swhscheduler dbname=softwareheritage-scheduler'
psql: error: FATAL:  login rejected
FATAL:  login rejected

so the first jobs of production_list-origins stage failed:

swh@runner-6au8mawxg-project-474-concurrent-0:~$ swh scheduler -C /etc/swh/scheduler-production.yml add-forge-now --preset production register-lister gitea instance=git.koha-community.org
Usage: swh scheduler add-forge-now [OPTIONS] COMMAND [ARGS]...
Try 'swh scheduler add-forge-now -h' for help.

Error: Scheduler class (local/remote) must be instantiated

I updated the scheduler-production configuration to use the cls: remote but the runner0 IP address is not allowed to access the production scheduler-rpc ingress, see [add-forge-now-requests/-/jobs/19398](https://gitlab.softwareheritage.org/swh/infra/add-forge-now-requests/-/jobs/19398).

With this modification the AFN production jobs should run and complete.

Helm diff
./swh/helm-diff.sh
[swh] Comparing changes between branches production and update_scheduler_rpc_ingress (per environment)...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment staging, namespace swh...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra-next-version...
Your branch is up to date with 'origin/update_scheduler_rpc_ingress'.
[swh] Generate config in update_scheduler_rpc_ingress branch for environment staging...
[swh] Generate config in update_scheduler_rpc_ingress branch for environment staging...
[swh] Generate config in update_scheduler_rpc_ingress branch for environment staging...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment production, namespace swh...
[swh] Generate config in production branch for environment production, namespace swh-cassandra...
[swh] Generate config in production branch for environment production, namespace swh-cassandra-next-version...
Your branch is up to date with 'origin/update_scheduler_rpc_ingress'.
[swh] Generate config in update_scheduler_rpc_ingress branch for environment production...
[swh] Generate config in update_scheduler_rpc_ingress branch for environment production...
[swh] Generate config in update_scheduler_rpc_ingress branch for environment production...


------------- diff for environment staging namespace swh -------------

No differences


------------- diff for environment staging namespace swh-cassandra -------------

No differences


------------- diff for environment staging namespace swh-cassandra-next-version -------------

No differences


------------- diff for environment production namespace swh -------------

--- /tmp/swh-chart.swh.XFVRa3qJ/production-swh.before	2023-11-28 16:06:55.203700885 +0100
+++ /tmp/swh-chart.swh.XFVRa3qJ/production-swh.after	2023-11-28 16:06:55.419701533 +0100
@@ -17366,21 +17366,21 @@
                 path: "config.yml.template"
           restartPolicy: OnFailure
 ---
 # Source: swh/templates/graphql/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh
   name: graphql-ingress-default
   annotations:
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,127.0.0.0/8,192.168.100.0/24,192.168.101.0/24,192.168.200.0/22
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,127.0.0.0/8,192.168.100.0/24,192.168.101.0/24,192.168.130.221,192.168.200.0/22
   
     nginx.ingress.kubernetes.io/rewrite-target: /
   
 
 spec:
   rules:
   - host: graphql.internal.softwareheritage.org
     http:
       paths:
       - path: /
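Review bot: The 192.168.130.221 entry added on the whitelist-source-range line of graphql-ingress-default (the `+` line of this hunk) grants the runner access to an ingress that the MR title and description never mention; only scheduler-rpc is needed for the failing job. The same host also appears in the swh-cassandra graphql-ingress-default and web-ingress-default allowlists further down this page, which suggests the address was added to a shared network list in the values rather than to the scheduler-rpc ingress alone — worth confirming against the source change, which is not shown here. Least privilege would keep this line at its previous value, `nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,127.0.0.0/8,192.168.100.0/24,192.168.101.0/24,192.168.200.0/22`, and scope the new entry to the scheduler-rpc-ingress annotations only. If the broader grant is intended, the description should state it, since these allowlists are the only access control on the internal ingresses visible here.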
@@ -17391,21 +17391,21 @@
             port:
               number: 5013
 ---
 # Source: swh/templates/scheduler/rpc-ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh
   name: scheduler-rpc-ingress-default
   annotations:
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,127.0.0.0/8,192.168.100.0/24,192.168.200.0/22
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,127.0.0.0/8,192.168.100.0/24,192.168.130.221,192.168.200.0/22
   
     nginx.ingress.kubernetes.io/proxy-body-size: 4G
     nginx.ingress.kubernetes.io/proxy-connect-timeout: "90"
     nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
     nginx.ingress.kubernetes.io/proxy-request-buffering: "on"
     nginx.ingress.kubernetes.io/proxy-send-timeout: "90"
   
 
 spec:
   rules:
@@ -17420,21 +17420,21 @@
             port:
               number: 5008
 ---
 # Source: swh/templates/scheduler/rpc-ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh
   name: scheduler-rpc-ingress-read-only
   annotations:
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,127.0.0.0/8,192.168.100.0/24,192.168.101.0/24,192.168.200.0/22
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,127.0.0.0/8,192.168.100.0/24,192.168.101.0/24,192.168.130.221,192.168.200.0/22
   
     nginx.ingress.kubernetes.io/proxy-body-size: 4G
     nginx.ingress.kubernetes.io/proxy-connect-timeout: "90"
     nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
     nginx.ingress.kubernetes.io/proxy-request-buffering: "on"
     nginx.ingress.kubernetes.io/proxy-send-timeout: "90"
   
 
 spec:
   rules:


------------- diff for environment production namespace swh-cassandra -------------

--- /tmp/swh-chart.swh.XFVRa3qJ/production-swh-cassandra.before	2023-11-28 16:06:55.267701077 +0100
+++ /tmp/swh-chart.swh.XFVRa3qJ/production-swh-cassandra.after	2023-11-28 16:06:55.483701726 +0100
@@ -1421,50 +1421,53 @@
       cache_uri: memcached:11211
       scopes:
         swh_api:
           exempted_networks:
           - 10.42.0.0/16
           - 10.43.0.0/16
           - 127.0.0.0/8
           - 128.93.166.14
           - 131.107.174.0/24
           - 192.168.100.0/24
+          - 192.168.130.221
           - 192.168.200.0/22
           - 213.135.60.145
           - 213.135.60.146
           - 37.187.137.47
           - 37.187.96.121
           limiter_rate:
             default: 120/h
         swh_save_origin:
           exempted_networks:
           - 10.42.0.0/16
           - 10.43.0.0/16
           - 127.0.0.0/8
           - 128.93.166.14
           - 131.107.174.0/24
           - 192.168.100.0/24
+          - 192.168.130.221
           - 192.168.200.0/22
           - 213.135.60.145
           - 213.135.60.146
           - 37.187.96.121
           limiter_rate:
             POST: 10/h
             default: 120/h
         swh_vault_cooking:
           exempted_networks:
           - 10.42.0.0/16
           - 10.43.0.0/16
           - 127.0.0.0/8
           - 128.93.166.14
           - 131.107.174.0/24
           - 192.168.100.0/24
+          - 192.168.130.221
           - 192.168.200.0/22
           - 213.135.60.145
           - 213.135.60.146
           - 37.187.96.121
           limiter_rate:
             GET: 60/m
             default: 120/h
         swh_api_origin_search:
           limiter_rate:
             default: 10/m
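Review bot: The three added `- 192.168.130.221` lines in this hunk put the runner into the exempted_networks of the web rate limiter (swh_api, swh_save_origin, swh_vault_cooking), so requests from that host bypass the limiter_rate values rather than merely reaching scheduler-rpc. Nothing in the description calls for this, and a shared CI runner is exactly the kind of host where the limits are worth keeping. Unless the exemption is deliberate, the entry should be dropped from these lists and added only to the scheduler-rpc ingress allowlist; if it is deliberate, the MR description should say so.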
@@ -4246,21 +4249,21 @@
       app: web
   strategy:
     type: RollingUpdate
     rollingUpdate:
       maxSurge: 1
   template:
     metadata:
       labels:
         app: web
       annotations:
-        checksum/config: 912fc0c4a9bf9748a4321df4ac456ef48971dcb66255c147ffeefe89338a8d27
+        checksum/config: 18f88297bf6488f5c2ed2c37e1d12403ee12bc925ded65496617be90eca82529
     spec:
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
             - matchExpressions:
               - key: swh/web
                 operator: In
                 values:
                 - "true"
@@ -4484,21 +4487,21 @@
         type: Utilization
         averageUtilization: 50
 ---
 # Source: swh/templates/graphql/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra
   name: graphql-ingress-default
   annotations:
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,127.0.0.0/8,192.168.100.0/24,192.168.101.0/24,192.168.200.0/22
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,127.0.0.0/8,192.168.100.0/24,192.168.101.0/24,192.168.130.221,192.168.200.0/22
   
     nginx.ingress.kubernetes.io/rewrite-target: /
   
 
 spec:
   rules:
   - host: webapp-cassandra.internal.softwareheritage.org
     http:
       paths:
       - path: /graphql/
@@ -4509,21 +4512,21 @@
             port:
               number: 5013
 ---
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra
   name: web-ingress-default
   annotations:
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,127.0.0.0/8,192.168.100.0/24,192.168.101.0/24,192.168.200.0/22,192.168.50.0/24
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,127.0.0.0/8,192.168.100.0/24,192.168.101.0/24,192.168.130.221,192.168.200.0/22,192.168.50.0/24
   
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
   
 
 spec:
   rules:
   - host: webapp-cassandra.internal.softwareheritage.org
