Kubernetes/Remove a service
All steps below assume you want to remove a service named service-foo from the clusters of the main (wikikube) group.
The ml-serve and dse-k8s groups are modelled closely on the main clusters, so many of the steps below are also applicable to these groups. Where there are specific differences they may be highlighted in the steps below.
Destroy the service deployments
Destroy the service deployment in staging
helmfile -e staging -i destroy
The command above will show a diff of everything that will be removed. Make sure that everything looks fine and then hit Yes to proceed.
Destroy the service deployment in production
- Ensure you have silenced alarms for your service, and removed LVS if necessary.
- On deploy1002:
cd /srv/deployment-charts/helmfile.d/services/service-foo
helmfile -e codfw -i destroy
# if that went fine
helmfile -e eqiad -i destroy
The service deployment is now destroyed.
Private data cleanup
Remove the service's accounts and tokens
User accounts and tokens need to be removed from the puppet private and labs/private repos.
In the hieradata/common/profile/kubernetes.yaml file in each repository, find the profile::kubernetes::infrastructure_user key and remove your service's stanza. Example diff
Remove your service's other secrets
Find the profile::kubernetes::deployment_server_secrets::services key in the private repository (hieradata/role/common/deployment_server/kubernetes.yaml) and remove the relevant configuration. Example diff
Remove your service's certificates
Remove your service's stanzas from ./modules/secret/secrets/certificates/certificate.manifests.d/kube_services.certs.yaml in the private repository, as well as the certificate directory ./modules/secret/secrets/certificates/service-foo.discovery.wmnet, and commit.
Remove them from the puppet CA on the puppetmaster:
puppet cert clean service-foo.discovery.wmnet
Remove the kubernetes service definitions
Preparing the change
Removing the namespace
In order to remove a namespace, prepare a change to the relevant values file in the deployment-charts repo.
For the wikikube clusters this is helmfile.d/admin_ng/values/main.yaml, but namespaces for the aux-k8s cluster groups are managed in their own files. Here is an example commit for removing a namespace from the wikikube clusters.
Remove your deployment
git rm -rf helmfile.d/services/service-foo
Review your changes
Commit and create a CR.
At this point, you can safely merge the changes (after somebody from Service Ops validates).
Deploy changes to helmfile.d/admin_ng
The following example shows how to deploy these changes to the wikikube clusters. If you are working with a different cluster group, substitute the relevant environment names.
ssh to deploy1002 and then run the following:
helmfile -e staging-codfw -i apply
# if that went fine
helmfile -e staging-eqiad -i apply
helmfile -e codfw -i apply
helmfile -e eqiad -i apply
The commands above should show you a diff in namespaces, quotas, etc. related to the removal of your service. If you don't see a diff, or something seems off, ping somebody from the Service Ops team! Check that everything is ok:
kube_env admin staging-codfw
kubectl describe ns service-foo
Error from server (NotFound): namespaces "service-foo" not found
Leaving undeployed things will impede further operations by other people.
Tell the deployment server to remove the kubeconfig files.
This is done by modifying the profile::kubernetes::deployment_server::services hiera key (hieradata/common/profile/kubernetes/deployment_server.yaml) as in the example below:
- name: mathoid
- name: mathoid-deploy
+ ensure: absent
- name: service-foo
- name: service-foo-deploy
Once committed, merged and applied, this will remove the relevant directory and its files.
Create a second CR that completely removes your service's stanza. Example CR
Remove the certificates (for the services proxy)
Remove the certificates from the private puppet repo and the references in modules/secret/secrets/certificates/certificate.manifests.d/kube_services.certs.yaml and commit:
git rm modules/secret/secrets/certificates/service-foo.discovery.wmnet
Remove the certificates from the puppet CA
puppet cert clean service-foo.discovery.wmnet
Remove the chart (if needed)
If your service was the last deployment of a chart, and it will not need to be reused, you can also remove the chart from the deployment-charts repo
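As a final check once all the steps above are merged, the following sketch scans local checkouts for references to the removed service that were missed, such as a stale token stanza or certificate directory. It is an added example, not part of the original procedure or any Wikimedia tooling; the function name leftover_refs and the checkout roots passed as arguments are assumptions, while the relative paths are the ones named on this page.

```shell
#!/bin/sh
# Added example: report references to a removed service that remain in local
# repository checkouts (private, labs/private, puppet, deployment-charts).
# The checkout locations are assumptions supplied by the caller.

# leftover_refs SERVICE ROOT...
# Prints each remaining reference; exit status 0 if clean, 1 if anything is left.
# The body runs in a subshell so its variables do not leak into the caller.
leftover_refs() (
  svc=$1; shift
  found=0
  for root in "$@"; do
    # Files this page says contain per-service stanzas.
    for rel in \
      hieradata/common/profile/kubernetes.yaml \
      hieradata/role/common/deployment_server/kubernetes.yaml \
      hieradata/common/profile/kubernetes/deployment_server.yaml \
      modules/secret/secrets/certificates/certificate.manifests.d/kube_services.certs.yaml \
      helmfile.d/admin_ng/values/main.yaml
    do
      [ -f "$root/$rel" ] || continue
      # -w matches whole words: "service-foo" and "service-foo-deploy" are
      # reported, an unrelated "service-foobar" is not.
      if grep -HnwF -e "$svc" "$root/$rel"; then found=1; fi
    done
    # Directories this page says must be deleted.
    for rel in \
      "modules/secret/secrets/certificates/$svc.discovery.wmnet" \
      "helmfile.d/services/$svc"
    do
      if [ -e "$root/$rel" ]; then
        echo "$root/$rel: still exists"
        found=1
      fi
    done
  done
  [ "$found" -eq 0 ]
)

# Run directly as: sh check.sh service-foo /path/to/private /path/to/deployment-charts
if [ "$#" -ge 2 ]; then leftover_refs "$@"; fi
```

A hit in deployment_server.yaml is expected while the "ensure: absent" stanza is still in place; it should disappear after the second CR.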