Maniphest T119814

Figure out how to deal with SSL cert issues for kubernetes masters
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	yuvipanda
	Nov 29 2015, 1:53 AM

Tags

Referenced Files

None

Subscribers

Description

Problem: Kubernetes master use ssl, with puppet certs. The name it has is the fqdn, so tools-k8s-master-01.tools.eqiad.wmflabs.

Except:

Kubernetes things should use service / DNS names to access this, so it ends up being kubernetes.default.svc rather than tools-k8s-master-01
It requires that we put our CA cert inside all containers, which sucks.
Lots of tools (like kube2sky) won't operate without TLS.

Details

	Subject	Repo	Branch	Lines +/-
	base: Allow adding SANs to puppet CSRs	operations/puppet	production	+6 -2

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
					Restricted Task
		Resolved		• Bstorm	T246122 Upgrade the Toolforge Kubernetes cluster to v1.16
					Restricted Task
		Resolved		bd808	T232536 Toolforge Kubernetes internal API down, causing `webservice` and other tooling to fail
		Resolved		• Bstorm	T236565 "tools" Cloud VPS project jessie deprecation
		Resolved		aborrero	T101651 Set up toolsbeta more fully to help make testing easier
		Resolved		• Bstorm	T166949 Homedir/UID info breaks after a while in Tools Kubernetes (can't read replica.my.cnf)
		Resolved		• Bstorm	T246059 Add admin account creation to maintain-kubeusers
		Resolved		• Bstorm	T154504 Make webservice backend default to kubernetes
		Declined		None	T245230 Investigate cpu/ram requests and limits for DaemonSets pods
		Resolved		• Bstorm	T214513 Deploy and migrate tools to a Kubernetes v1.15 or newer cluster
		Resolved		• Bstorm	T215553 Figure out cert management for Toolforge kubernetes and make it clear in documents, etc. for the upgrade
		Resolved		yuvipanda	T119814 Figure out how to deal with SSL cert issues for kubernetes masters

Event Timeline

yuvipanda created this task.Nov 29 2015, 1:53 AM

yuvipanda claimed this task.

yuvipanda raised the priority of this task from to Needs Triage.

yuvipanda updated the task description. (Show Details)

yuvipanda added a project: Cloud-Services.

yuvipanda added subscribers: yuvipanda, Joe.

Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptNov 29 2015, 1:53 AM

yuvipanda mentioned this in T111914: Setup DNS for kubernetes services.Nov 29 2015, 2:14 AM

yuvipanda added a parent task: T111914: Setup DNS for kubernetes services.

• chasemp triaged this task as Medium priority.Nov 30 2015, 4:50 PM

• chasemp subscribed.

intracer subscribed.Jan 25 2016, 12:34 AM

I should just setup SANs for the kubernetes domains into the certificate used by the k8s master.

Change 267826 had a related patch set uploaded (by Yuvipanda):
base: Allow adding SANs to puppet CSRs

https://gerrit.wikimedia.org/r/267826

gerritbot added a project: Patch-For-Review.Feb 2 2016, 2:41 AM

Change 267826 merged by Yuvipanda:
base: Allow adding SANs to puppet CSRs

https://gerrit.wikimedia.org/r/267826

Docs at https://wikitech.wikimedia.org/wiki/Puppet#SANs_for_puppet_certs

Done \o/

• Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:46 PM

• Bstorm mentioned this in T214513: Deploy and migrate tools to a Kubernetes v1.15 or newer cluster.Feb 7 2019, 12:39 AM

• Bstorm added a parent task: T215553: Figure out cert management for Toolforge kubernetes and make it clear in documents, etc. for the upgrade.Feb 7 2019, 9:05 PM

• Bstorm removed a parent task: T111914: Setup DNS for kubernetes services.Feb 7 2019, 9:08 PM