[01:12:04] <Krinkle>	 legoktm: thinking about next step for codesearch-frontend. Thoughts about how to handle the transition? Some ideas: 1) Add apache rules in -frontend to start proxying the API paths from its document root directly to the localhost Hound ports and promote -frontend to canonical domain, 2) Keep very light non-frontend proxy as canonical that proxies both the Hound APIs (like today) with the -frontend as else/404 handler. 3) Move APIs to a 
[01:12:04] <Krinkle>	 different subdomain like codesearch-api.wmcs, add compat redirect from -frontend Apache config using its public URLs, update -frontend to use this directly, then switch -frontend to be canonical.
[04:17:02] <legoktm>	 Krinkle: I was thinking of shifting the current proxy over to codesearch-old (already set up), and moving the beta to be just plain "codesearch" but then I realized the beta frontend doesn't support the /_health, /_health.json and /_metrics endpoints, and then got distracted and never filed a bug for it
[04:21:02] <legoktm>	 it would be nice if we had apache proxy the /api/ routes and ditched the custom Python proxy
[10:00:27] <godog>	 FYI I'm upgrading grafana on cloudmetrics, task is T328405
[10:00:27] <stashbot>	 T328405: Grafana: CVE-2022-39324 CVE-2022-23552 - https://phabricator.wikimedia.org/T328405
[10:01:23] <Krinkle>	 legoktm: ack. I'll see what iterative steps we can take toward that. Having just an Apache on the outside (outside the docker container) seems neat.
[10:01:48] <Krinkle>	 So those couple of api reverse proxies would be puppetises I guess
[10:01:57] <Krinkle>	 puppetized
[14:46:47] <ma>	 arturo: you there?
[14:59:38] <arturo>	 ma: yes, having lunch though. Be in front of the laptop in 10m
[14:59:57] <ma>	 arturo: que aproveche, I'll ping you later then
[15:00:37] <dcaro>	 godog: thanks!
[15:15:03] <arturo>	 ma: here now
[16:03:57] <taavi>	 !log tools deployed tools-webservice 0.89
[16:03:59] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[17:21:21] <brett>	 Heyo. I'm looking to drop tlsv1.0/tlsv1.1 in ldap-codfw1dev and think that this might be too broad a change: https://gerrit.wikimedia.org/r/c/operations/puppet/+/885844
[17:21:36] <brett>	 Could I get some of your collective wisdom on whether this is a good/bad idea?
[18:08:32] <taavi>	 brett: not sure what that patch has to do with ldap?
[18:14:41] <brett>	 taavi: It seems that it's using tlsproxy, is it not?
[18:17:54] <taavi>	 brett: your patch affects all cloud vps instances running tlsproxy, which is used by various different services to proxy https traffic. meanwhile ldap-codfw1dev is an LDAP (https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol) cluster which does not offer an HTTP interface, does not use P:tlsproxy and is not hosted inside a cloud vps
[18:17:54] <taavi>	 VM
[18:18:15] <wm-bot>	 !log tools.mabot <maurelio> Upgraded to 8bc13ac
[18:18:17] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.mabot/SAL
[18:28:21] <brett>	 taavi: Could you please explain why https://gerrit.wikimedia.org/r/c/operations/puppet/+/551413/ altered tlsproxy settings?
[18:28:40] <brett>	 is openldap different from idp?
[18:28:49] <taavi>	 yes
[18:28:57] <brett>	 ...
[18:29:26] <taavi>	 idp is idp.wikimedia.org which provides the single sign-on service, ldap is the service which stores accounts for that and is also used for several other purposes
[18:31:05] <taavi>	 sorry, the terminology about ldap is very confusing and I should've explained better. (for example there are three separate names that an account in the ldap directory might be known as due to historical reasons)
[18:34:19] <brett>	 I've scoured through the ldap configuration files and haven't found anything related to tls - the ticket has ldap checked and I thought that CR was what changed it, which got me going down the tlsproxy setting. I just figured there was some sort of weird tls termination going on
[18:34:44] <brett>	 I've yet to find out *how* ldap protocols/ciphers have been set in the puppet repo
[18:34:50] <taavi>	 well it's certainly non-normal if you consider the normal to be a https service on port 443 :D
[18:35:13] <brett>	 huh? I wasn't saying it was that
[18:36:36] <taavi>	 anyways, the tls config seems to be in https://gerrit.wikimedia.org/g/operations/puppet/+/production/modules/openldap/templates/slapd.erb#56
[18:37:08] <brett>	 Sure, but where are the protocol/cipher settings that made the ldap box get checked?
[18:37:39] <taavi>	 according to slapd.conf(5), it takes a TLSCipherSuite parameter to specify them. but it doesn't tell what the default is
[18:39:04] <brett>	 Right, and a git grep shows nothing there
[18:50:01] <brett>	 Looks like slapd :636 is accepting 1.0 connections on seaborgium, so the checkbox was incorrectly ticked
[18:50:04] <brett>	 Thanks for the help, taavi
[19:02:43] <bd808>	 taavi: I think T328589 is probably caused by T277495.
[19:02:44] <stashbot>	 T328589: Restart of a Python3.7 webservice on Toolforge results in a KeyError - https://phabricator.wikimedia.org/T328589
[19:02:44] <stashbot>	 T277495: webservice restart with k8s backend does not apply CPU or memory arguments - https://phabricator.wikimedia.org/T277495
[21:36:22] <AntiComposite>	 !log stewardbots Restart stewardbot, rc listener died with 429 Client Error: Too Many Requests for url: https://stream.wikimedia.org/v2/stream/recentchange
[21:36:24] <stashbot>	 AntiComposite: Unknown project "stewardbots"
[21:36:24] <stashbot>	 AntiComposite: Did you mean to say "tools.stewardbots" instead?
[21:36:28] <AntiComposite>	 !log tools.stewardbots Restart stewardbot, rc listener died with 429 Client Error: Too Many Requests for url: https://stream.wikimedia.org/v2/stream/recentchange
[21:36:29] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.stewardbots/SAL
[22:02:51] <ma>	 AntiComposite: you may use `dologmsg blurbl...` via the command line for the same :)