Add the puppet CA to the MediaWiki deployment
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Joe
	Jun 7 2021, 4:54 AM

Description

We need php to be able to fetch content via TLS directly from some specific sources, like e.g. the etcd servers.

Thus we need to add a configmap that adds a ca bundle (possibly just containing the puppet CA for now)

Details

Subject	Repo	Branch	Lines +/-
New image: php7.2-fpm-multiversion-base	operations/docker-images/production-images	master	+23 -0
mediawiki: do not add our CAs artificially	operations/deployment-charts	master	+1 -42
pipeline: install the wmf internal CAs	operations/mediawiki-config	master	+4 -0
Add base debian directory	operations/debs/wmf-certificates	main	+158 -0
mediawiki: force curl to use the puppet CA	operations/deployment-charts	master	+26 -11
Add ca-certificates to the php images	operations/docker-images/production-images	master	+28 -0
mediawiki: add ca-bundle to chart	operations/deployment-charts	master	+24 -1

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Stalled	None	T255792 Quibble runs core:unit tests twice!
Open	None	T328919 Upgrade to PHPUnit 10
Open	None	T338103 Micro-optimize ApiResult::isMetadataKey with str_starts_with once we support PHP8+
Open	None	T328921 Drop PHP 7.4 support from MediaWiki
Stalled	None	T334726 Use return type `never` in Wikibase
Open	None	T328922 Drop PHP 8.0 support from MediaWiki
Stalled	None	T319055 Upgrade to psr/container 2.x
Stalled	Krinkle	T319432 Migrate WMF production from PHP 7.4 to PHP 8.1
Open	None	T291916 Tracking task for Bullseye migrations in production
Stalled	None	T356293 Migrate MW appservers' base images to bullseye
Open	None	T290536 Serve production traffic via Kubernetes
Resolved	Joe	T283056 Create a mwdebug deployment for mediawiki on kubernetes
Resolved	Joe	T284417 Add the puppet CA to the MediaWiki deployment

Event Timeline

Joe created this task.Jun 7 2021, 4:54 AM

Joe triaged this task as High priority.Jun 7 2021, 4:57 AM

Joe claimed this task.Jun 7 2021, 5:13 AM

Change 698456 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[operations/deployment-charts@master] mediawiki: add ca-bundle to chart

https://gerrit.wikimedia.org/r/698456

gerritbot added a project: Patch-For-Review.Jun 7 2021, 7:44 AM

Change 698456 merged by jenkins-bot:

[operations/deployment-charts@master] mediawiki: add ca-bundle to chart

https://gerrit.wikimedia.org/r/698456

Maintenance_bot removed a project: Patch-For-Review.Jun 8 2021, 6:10 AM

Change 698758 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[operations/docker-images/production-images@master] Add ca-certificates to the php images

https://gerrit.wikimedia.org/r/698758

Change 698758 merged by Giuseppe Lavagetto:

[operations/docker-images/production-images@master] Add ca-certificates to the php images

https://gerrit.wikimedia.org/r/698758

Maintenance_bot removed a project: Patch-For-Review.Jun 8 2021, 12:10 PM

Change 698801 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[operations/deployment-charts@master] mediawiki: force curl to use the puppet CA

https://gerrit.wikimedia.org/r/698801

gerritbot added a project: Patch-For-Review.Jun 8 2021, 2:55 PM

After further consideration, we came to the conclusion that the best course of action is:

For now, hotpatch the chart to use the puppet ca
Create a "wmf-internal-certificates" package, depending on ca-certificates, that just installs our internal CAs
Install this debian package in final / blubber images that need it.

Change 698801 merged by jenkins-bot:

[operations/deployment-charts@master] mediawiki: force curl to use the puppet CA

https://gerrit.wikimedia.org/r/698801

Maintenance_bot removed a project: Patch-For-Review.Jun 8 2021, 4:10 PM

Joe moved this task from Backlog to In Progress on the MW-on-K8s board.Jun 9 2021, 9:31 AM

Change 699155 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[operations/debs/wmf-certificates@main] Add base debian directory

https://gerrit.wikimedia.org/r/699155

gerritbot added a project: Patch-For-Review.Jun 10 2021, 9:50 AM

Change 699155 merged by Giuseppe Lavagetto:

[operations/debs/wmf-certificates@main] Add base debian directory

https://gerrit.wikimedia.org/r/699155

Maintenance_bot removed a project: Patch-For-Review.Jun 22 2021, 6:10 AM

Mentioned in SAL (#wikimedia-operations) [2021-06-22T07:53:36Z] <joe> uploaded wmf-certificates package to buster-wikimedia/main, T284417

Change 700843 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[operations/mediawiki-config@master] pipeline: install the wmf internal CAs

https://gerrit.wikimedia.org/r/700843

gerritbot added a project: Patch-For-Review.Jun 22 2021, 7:59 AM

Change 700843 merged by jenkins-bot:

[operations/mediawiki-config@master] pipeline: install the wmf internal CAs

https://gerrit.wikimedia.org/r/700843

Maintenance_bot removed a project: Patch-For-Review.Jun 23 2021, 7:10 AM

Change 701511 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[operations/deployment-charts@master] mediawiki: do not add our CAs artificially

https://gerrit.wikimedia.org/r/701511

gerritbot added a project: Patch-For-Review.Jun 25 2021, 10:31 AM

Change 701511 merged by jenkins-bot:

[operations/deployment-charts@master] mediawiki: do not add our CAs artificially

https://gerrit.wikimedia.org/r/701511

Joe closed this task as Resolved.Jun 25 2021, 3:07 PM

Change 710294 had a related patch set uploaded (by Ahmon Dancy; author: Ahmon Dancy):

[operations/docker-images/production-images@master] New image: php7.2-fpm-multiversion-base

https://gerrit.wikimedia.org/r/710294

Change 710294 merged by Giuseppe Lavagetto: