
Create a PKI that can be used by Puppet and for general purpose certificates
Closed, ResolvedPublic

Description

Encrypting elasticsearch traffic requires the creation of SSL certificates / keys / signatures / ... Technically, this is the job of a PKI. We have at least 2 PKIs already in place: Puppet and a specific one built for Cassandra (https://github.com/wikimedia/operations-puppet/blob/production/modules/cassandra/files/cassandra-ca-manager).

It is fairly easy to use the existing Puppet PKI to generate slightly more complex certificates (https://wikitech.wikimedia.org/wiki/Puppet#SANs_for_puppet_certs).

Puppet certs are already used by k8s (https://github.com/wikimedia/operations-puppet/blob/production/modules/k8s/manifests/ssl.pp) and etcd (https://github.com/wikimedia/operations-puppet/blob/production/modules/etcd/manifests/ssl.pp). Some refactoring would be welcome so that the same code is not duplicated a third time.
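As an added illustration (not code from operations-puppet, and the name `example::expose_puppet_certs`, its parameters and the `cert.pem`/`key.pem`/`ca.pem` file names are assumptions), this is the shape of a shared Puppet defined type that the k8s, etcd and Elasticsearch/MySQL cases could all call instead of each copying the agent's Puppet-CA-issued material by hand; it also keeps the private key opt-in and out of agent diffs:

```puppet
# Hypothetical defined type (assumed name, not operations-puppet's base::expose_puppet_certs).
# Copies the agent's Puppet-CA-issued certificate, optionally its private key, and the
# Puppet CA certificate into a directory owned by the service that needs them, so a
# daemon such as Elasticsearch or MySQL can reuse the Puppet PKI instead of a second CA.
define example::expose_puppet_certs (
  String  $user            = 'root',
  String  $group           = 'root',
  Boolean $provide_private = false,
  String  $ssl_dir         = "${facts['puppet_vardir']}/ssl",
) {
  $target_dir = $title  # e.g. '/etc/elasticsearch/ssl'
  # Agent files are named after the certname, which need not equal the fqdn.
  $certname = $trusted['certname']

  file { $target_dir:
    ensure => directory,
    owner  => $user,
    group  => $group,
    mode   => '0750',
  }

  # Public material (CA cert and host cert): safe to be world-readable.
  $public = {
    'ca.pem'   => "${ssl_dir}/certs/ca.pem",
    'cert.pem' => "${ssl_dir}/certs/${certname}.pem",
  }
  $public.each |String $name, String $src| {
    file { "${target_dir}/${name}":
      ensure => file,
      owner  => $user,
      group  => $group,
      mode   => '0444',
      source => $src,
    }
  }

  # Private key only on explicit request, readable by the service user alone,
  # and never printed in agent diffs or reports.
  if $provide_private {
    file { "${target_dir}/key.pem":
      ensure    => file,
      owner     => $user,
      group     => $group,
      mode      => '0400',
      show_diff => false,
      source    => "${ssl_dir}/private_keys/${certname}.pem",
    }
  }
}
```

A service profile would then declare e.g. `example::expose_puppet_certs { '/etc/elasticsearch/ssl': user => 'elasticsearch', group => 'elasticsearch', provide_private => true }` and point the daemon at the three files.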

Event Timeline

Gehel created this task. Feb 25 2016, 2:42 PM
Gehel updated the task description. Feb 25 2016, 4:01 PM
Gehel added a subscriber: Volans.

@Volans is working on a similar problematic for mysql traffic encryption.

Gehel added a comment. Mar 11 2016, 3:57 PM

An extremely minimalist PKI is now available in the form of a puppet defined type base::expose_puppet_certs (see change). This is sufficient for both T111654 and T124444. Let's follow YAGNI and close this issue for the moment. We'll reopen it if there is an actual need for a more complex PKI.

Thanks @Gehel for the generalized solution; it works for us to simplify and improve MySQL replica over TLS on T111654.
Not a blocker anymore for us.

Gehel added a subscriber: Deskana. Mar 11 2016, 4:03 PM

@Deskana As our PO, I'll let you formally close that task... Let me know if you need anything from me.

Deskana closed this task as Resolved. Mar 12 2016, 1:26 AM

Thanks! :-)