
Create a PKI that can be used by Puppet and for general purpose certificates
Closed, ResolvedPublic

Description

Encrypting elasticsearch traffic requires the creation of SSL certificates / keys / signatures / ... Technically, this is the job of a PKI. We have at least 2 PKIs already in place: Puppet and a specific one built for Cassandra (https://github.com/wikimedia/operations-puppet/blob/production/modules/cassandra/files/cassandra-ca-manager).

It is fairly easy to use the existing Puppet PKI to generate slightly more complex certificates (https://wikitech.wikimedia.org/wiki/Puppet#SANs_for_puppet_certs).

Puppet certs are already used by k8s (https://github.com/wikimedia/operations-puppet/blob/production/modules/k8s/manifests/ssl.pp) and etcd (https://github.com/wikimedia/operations-puppet/blob/production/modules/etcd/manifests/ssl.pp). Some refactoring would be welcome to avoid duplicating the same code a third time.

Event Timeline

Gehel added a subscriber: Volans.

@Volans is working on a similar problem for mysql traffic encryption.

An extremely minimalist PKI is now available in the form of a puppet defined type base::expose_puppet_certs (see change). This is sufficient for both T111654 and T124444. Let's follow YAGNI and close this issue for the moment. We'll reopen it if there is an actual need for a more complex PKI.

Thanks, @Gehel, for the generalized solution; it works for us to simplify and improve MySQL replication over TLS on T111654.
Not a blocker anymore for us.

@Deskana As our PO, I'll let you formally close that task... Let me know if you need anything from me.

Thanks! :-)