Page MenuHomePhabricator
Create Task
Maniphest T127455

Enable HTTPS for Swift traffic
Closed, ResolvedPublic
Actions

Description

We are about to enable writes from the active MediaWiki cluster to Swift clusters in both datacenters. Therefore, it would be ideal to TLS encrypt this traffic, as sometimes sensitive information (such as access tokens and relatively rarely, sensitive files) may be transmitted from/to Swift.

Details

SubjectRepoBranchLines +/-
hieradata: enable https for swift eqiadoperations/puppetproduction+1 -0
hieradata: use 'localhost' vhost for icinga checksoperations/puppetproduction+2 -2
hieradata: use 'uri' for swift icinga configurationoperations/puppetproduction+2 -2
conftool-data: add nginx service to swiftoperations/puppetproduction+12 -12
lvs: add swift https serviceoperations/puppetproduction+35 -0
hieradata: use_tls for swift proxy in codfwoperations/puppetproduction+1 -0
swift: terminate https with nginxoperations/puppetproduction+75 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

faidon created this task.Feb 19 2016, 3:25 PM
fgiunchedi claimed this task.May 4 2016, 4:35 PM
aaron added a project: Wikimedia-Multiple-active-datacenters.Aug 12 2016, 5:21 AM
aaron added a parent task: T88445: MediaWiki active/active datacenter investigation and work (tracking).
gerritbot subscribed.Sep 14 2016, 2:03 PM

Change 310549 had a related patch set uploaded (by Filippo Giunchedi):
[WIP] swift: terminate https with nginx

https://gerrit.wikimedia.org/r/310549

gerritbot added a project: Patch-For-Review.Sep 14 2016, 2:03 PM
aaron moved this task from Backlog to Doing on the Wikimedia-Multiple-active-datacenters board.Sep 15 2016, 4:20 PM
Gilles subscribed.Oct 12 2016, 7:41 AM
gerritbot added a comment.Feb 22 2017, 3:13 PM

Change 310549 merged by Filippo Giunchedi:
swift: terminate https with nginx

https://gerrit.wikimedia.org/r/310549

fgiunchedi renamed this task from Look into enabling HTTPS for Swift traffic to Enable HTTPS for Swift traffic.Feb 22 2017, 3:16 PM
gerritbot added a comment.Feb 22 2017, 3:17 PM

Change 339191 had a related patch set uploaded (by Filippo Giunchedi):
hieradata: use_tls for swift proxy in codfw

https://gerrit.wikimedia.org/r/339191

gerritbot added a comment.Feb 22 2017, 3:24 PM

Change 339191 merged by Filippo Giunchedi:
hieradata: use_tls for swift proxy in codfw

https://gerrit.wikimedia.org/r/339191

gerritbot added a comment.Feb 22 2017, 3:56 PM

Change 339197 had a related patch set uploaded (by Filippo Giunchedi):
lvs: add swift https service

https://gerrit.wikimedia.org/r/339197

gerritbot added a comment.Feb 23 2017, 2:15 PM

Change 339197 merged by Filippo Giunchedi:
lvs: add swift https service

https://gerrit.wikimedia.org/r/339197

gerritbot added a comment.Feb 23 2017, 2:18 PM

Change 339410 had a related patch set uploaded (by Filippo Giunchedi):
conftool-data: add nginx service to swift

https://gerrit.wikimedia.org/r/339410

gerritbot added a comment.Feb 23 2017, 2:46 PM

Change 339413 had a related patch set uploaded (by Filippo Giunchedi):
hieradata: use 'uri' for swift icinga configuration

https://gerrit.wikimedia.org/r/339413

gerritbot added a comment.Feb 23 2017, 2:47 PM

Change 339410 merged by Filippo Giunchedi:
conftool-data: add nginx service to swift

https://gerrit.wikimedia.org/r/339410

gerritbot added a comment.Feb 23 2017, 2:56 PM

Change 339413 merged by Filippo Giunchedi:
hieradata: use 'uri' for swift icinga configuration

https://gerrit.wikimedia.org/r/339413

gerritbot added a comment.Feb 23 2017, 4:25 PM

Change 339430 had a related patch set uploaded (by Filippo Giunchedi):
hieradata: use 'localhost' vhost for icinga checks

https://gerrit.wikimedia.org/r/339430

gerritbot added a comment.Feb 23 2017, 4:51 PM

Change 339430 merged by Filippo Giunchedi:
hieradata: use 'localhost' vhost for icinga checks

https://gerrit.wikimedia.org/r/339430

gerritbot added a comment.Mar 13 2017, 10:33 AM

Change 342438 had a related patch set uploaded (by Filippo Giunchedi):
[operations/puppet] hieradata: enable https for swift eqiad

https://gerrit.wikimedia.org/r/342438

gerritbot added a comment.Mar 13 2017, 10:41 AM

Change 342438 merged by Filippo Giunchedi:
[operations/puppet] hieradata: enable https for swift eqiad

https://gerrit.wikimedia.org/r/342438

fgiunchedi closed this task as Resolved.Mar 13 2017, 1:33 PM

HTTPS for ms-fe.svc is now active in eqiad and codfw

Krinkle edited projects, added Multiple-active-datacenters archived; removed Wikimedia-Multiple-active-datacenters.May 3 2017, 7:46 PM
Krinkle edited projects, added Sustainability (MediaWiki-MultiDC); removed Multiple-active-datacenters archived.May 3 2017, 7:58 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL