In order for TLS to be set up in a sensible way, there will be mcrouter <=> mcrouter communication. The puppet profile for wancache should be changed/used to have mcrouter run on all the mc* servers (in addition to the app/maintenance servers).
Related patch:
- operations/puppet (production, +81 -40): [WIP] Enable mcrouter on mediawiki memcached nodes

Related tasks:
- Open (unassigned): T88445 MediaWiki active/active datacenter investigation and work (tracking)
- Resolved (aaron): T97562 WANObjectCache relay daemon or mcrouter support
- Duplicate (aaron): T194225 Enable mcrouter on the memcached servers themselves
Please see https://phabricator.wikimedia.org/T192771 which has a lot of considerations about the mcrouter architecture in production.
I actually decided to set up TLS everywhere and to have mcrouter use some "proxies" in each DC to do the ssl-ssl stuff.
A set of (still partial) patches is here:
Closing this ticket as a duplicate.
To explain my reasoning further: mcrouter needs a non-negligible amount of memory to run as it maintains an internal queue of messages whenever you use something like AllFastRoute or any other route handler that does distribution of keys. This means it can use a significant amount of memory from time to time, and I'd prefer to avoid having any process using a variable amount of memory on the memcached nodes.
We could of course limit the maximum amount of memory mcrouter can use, but that could lead to instabilities, crashes, and lost messages, so I prefer to keep mcrouter in any non-trivial config out of those nodes.