Jump to content

Portal:Toolforge/Admin/Maintenance

From Wikitech

This page contains information for common maintenance tasks we administrator do in Toolforge.

Is the Toolforge-specific version of the CloudVPS admin maintenance conterpart wikipage.

Admin scripts

This section contains documentation on several Toolforge-specific admin scripts we have.

wmcs-k8s-get-cert

This script is for the new Toolforge Kubernetes cluster.

It creates a x509 cert for a given User that can be used to auth against the k8s API. It must be executed from a control plane node.

user@tools-k8s-control-3:~$ sudo wmcs-k8s-get-cert -help
INFO: Usage of this script:
      /usr/local/sbin/wmcs-k8s-get-cert -h/--help   	- show help and exit
      /usr/local/sbin/wmcs-k8s-get-cert <svcname>   	- generate a x509 TLS cert from the kubernetes API
      /usr/local/sbin/wmcs-k8s-get-cert <svcname> -v	- same, but in verbose mode

Example usage:

user@tools-k8s-control-3:~ $ sudo -i wmcs-k8s-get-cert prometheus
/tmp/tmp.JYFsVzDnX4/k8s-cert.pem
/tmp/tmp.JYFsVzDnX4/k8s-key.pem

NOTE: x509 certs expire in 1 year usually. See also Portal:Toolforge/Admin/Kubernetes/Certificates

wmcs-k8s-enable-cluster-monitor

This is a script for the Toolforge Kubernetes cluster, deployed to the control plane nodes.

It will give a specified tool account a service account named $tool-obs that will allow a pod running as it to have "view" access to the entire cluster. This is for building tools similar to Openstack Browser for Kubernetes.

user@tools-k8s-control-3:~$ sudo -i  # You'll want full root for k8s credentials
root@tools-k8s-control-3:~# wmcs-enable-cluster-monitor <tool-name>

If that runs successfully, you'll want to run the tool as that service account using a script like k8s_webservice.sh instead of using webservice.

Important point about using a service account: it must use the credentials mounted at /var/secrets/kubernetes.io/serviceaccount in the pod and not $HOME/.kube/config or you'll get the tool permissions instead of the $tool-obs permissions. This is largely because of invoking the pod presets to get the $HOME variable set to /data/project/$tool and the NFS mounted.

Other scripts

Other scripts you may find interesting.

wmcs-package-build

This script is used to build and publish packages into aptly. More information in the packaging page.

You can locate it in the puppet tree: modules/toolforge/files/wmcs-package-build.py. It is intended to run from your laptop.