In order to enable TLS termination on the appservers, we need to configure tlsproxy to work on the appservers. Since we don't want to expose our own public TLS certs on the appservers, we need to be able to sign a certificate similar to our unified one for each of the backend clusters, which should include the FQDN of the cluster (e.g. appservers.svc.eqiad.wmnet) as common name and all our domains and wildcards as SANs.
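One way to check a signed backend certificate against the naming plan above, as an added example that is not part of the original task or of any Wikimedia tooling. The function names are hypothetical and the `example.org` names are constructed placeholders for the public domains; only `appservers.svc.eqiad.wmnet` comes from the task.

```python
def wildcard_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: '*' is honoured only as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # A wildcard spans exactly one label, so it never matches the apex
        # domain or a name nested two levels below it.
        return False
    if p[0] == "*":
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def audit_backend_cert(common_name, sans, cluster_fqdn, public_hosts):
    """Return a list of problems; an empty list means the names fit the plan."""
    problems = []
    if common_name.lower() != cluster_fqdn.lower():
        problems.append(f"CN {common_name!r} is not the cluster FQDN {cluster_fqdn!r}")
    # Extra check beyond the task text: clients that verify hostnames use the
    # SAN list and ignore the CN when SANs are present, so the FQDN must be a SAN.
    if not any(wildcard_match(s, cluster_fqdn) for s in sans):
        problems.append(f"cluster FQDN {cluster_fqdn!r} is missing from the SANs")
    for host in public_hosts:
        if not any(wildcard_match(s, host) for s in sans):
            problems.append(f"no SAN covers {host!r}")
    return problems


CLUSTER = "appservers.svc.eqiad.wmnet"  # from the task description
# Constructed sample data: hostnames the backend must answer for.
PUBLIC_HOSTS = ["example.org", "en.example.org", "en.m.example.org"]
# Constructed sample: a certificate that follows the plan.
GOOD = {"cn": CLUSTER,
        "sans": [CLUSTER, "example.org", "*.example.org", "*.m.example.org"]}
# Constructed sample: a certificate that only carries one public wildcard.
BAD = {"cn": "*.example.org", "sans": ["*.example.org"]}

if __name__ == "__main__":
    for label, cert in (("good", GOOD), ("bad", BAD)):
        issues = audit_backend_cert(cert["cn"], cert["sans"], CLUSTER, PUBLIC_HOSTS)
        print(label, "OK" if not issues else issues)
```

The failing sample shows why both the bare domains and each wildcard level have to be listed: `*.example.org` covers neither `example.org` nor `en.m.example.org`.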
|Resolved||demon||T150465 MW-1.29.0-wmf.4 deployment blockers|
|Resolved||ssastry||T151702 API cluster failure / OOM|
|Resolved||Joe||T152074 Separate clusters for asynchronous processing from the ones for public consumption|
|Resolved||Joe||T153042 Enable TLS termination on the MediaWiki clusters|