Applayer services without TLS
Open, Normal, Public

Description

The following application layer services have been defined in ATS as accessible only via plain HTTP. We should figure out whether they currently support TLS. If not, they should, to allow us to perform cross-DC HTTPS requests with ATS.

The list is in the format $origin_server - $websites and was generated with P7842.

Event Timeline

Change 530370 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: use TLS for grafana1001

https://gerrit.wikimedia.org/r/530370

Change 530370 merged by Ema:
[operations/puppet@production] ATS: use TLS for grafana1001

https://gerrit.wikimedia.org/r/530370

Change 532380 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] Revert "webserver_misc_apps: do not install envoy"

https://gerrit.wikimedia.org/r/532380

Change 532380 merged by Dzahn:
[operations/puppet@production] Revert "webserver_misc_apps: do not install envoy"

https://gerrit.wikimedia.org/r/532380

Change 532948 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] misc_apps::httpd: do not load SSL httpd module

https://gerrit.wikimedia.org/r/532948

Change 532948 merged by Dzahn:
[operations/puppet@production] misc_apps::httpd: do not load SSL httpd module

https://gerrit.wikimedia.org/r/532948

Mentioned in SAL (#wikimedia-operations) [2019-08-28T09:11:13Z] <mutante> miscweb2001 - edit /etc/apache2/ports.conf and replace port 444 with 443 again; a2dismod ssl; systemctl restart apache2; systemctl restart envoyproxy; now also has envoy listening on 443, matches miscweb1001 and manual hack removed (T210411)

Change 532962 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] webserver_misc_apps: only include envoy if on stretch

https://gerrit.wikimedia.org/r/532962

Change 532962 merged by Dzahn:
[operations/puppet@production] webserver_misc_apps: only include envoy if on stretch

https://gerrit.wikimedia.org/r/532962

Change 533014 had a related patch set uploaded (by Ema; owner: Ema):
[operations/dns@master] Add discovery CNAME webserver-misc-apps -> miscweb1001

https://gerrit.wikimedia.org/r/533014

Change 533014 merged by Dzahn:
[operations/dns@master] Add discovery CNAME webserver-misc-apps -> miscweb1001

https://gerrit.wikimedia.org/r/533014

Change 533028 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] restbase: TLS termination with envoy

https://gerrit.wikimedia.org/r/533028

Change 533039 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] Add discovery hostname to docker-registry certificate

https://gerrit.wikimedia.org/r/533039

Change 533039 merged by Ema:
[operations/puppet@production] Add discovery hostname to docker-registry certificate

https://gerrit.wikimedia.org/r/533039

Dzahn updated the task description. Wed, Aug 28, 3:31 PM

Change 533154 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS/varnish: switch iegreview to miscweb backend and use TLS

https://gerrit.wikimedia.org/r/533154

Change 533154 merged by Dzahn:
[operations/puppet@production] ATS/varnish: switch iegreview to miscweb backend and use TLS

https://gerrit.wikimedia.org/r/533154

Dzahn updated the task description. Thu, Aug 29, 9:18 AM

Mentioned in SAL (#wikimedia-operations) [2019-08-29T09:19:36Z] <mutante> iegreview.wikimedia.org switched to new stretch backend and using TLS (T210411)

Change 533175 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS/varnish: switch scholarships to miscweb and use TLS

https://gerrit.wikimedia.org/r/533175

Change 533175 merged by Dzahn:
[operations/puppet@production] ATS/varnish: switch wikimania scholarships to miscweb, use TLS

https://gerrit.wikimedia.org/r/533175

Mentioned in SAL (#wikimedia-operations) [2019-08-29T11:37:16Z] <mutante> scholarships.wikimedia.org app moving to new backend and using TLS. backend upgraded from jessie to stretch and PHP7 (T210411)

Dzahn updated the task description. Thu, Aug 29, 11:38 AM
Dzahn updated the task description.

Change 533197 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] planet: include envoy for TLS termination

https://gerrit.wikimedia.org/r/533197

Change 533197 merged by Dzahn:
[operations/puppet@production] planet: include envoy for TLS termination

https://gerrit.wikimedia.org/r/533197

Change 533483 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ssl: add certificate for planet

https://gerrit.wikimedia.org/r/533483

Change 533483 merged by Dzahn:
[operations/puppet@production] ssl: add certificate for planet

https://gerrit.wikimedia.org/r/533483

Change 533493 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] planet: add Hiera keys and include class for envoy

https://gerrit.wikimedia.org/r/533493

Change 533495 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS/varnish: switch planet to discovery name, disable codfw backend

https://gerrit.wikimedia.org/r/533495

Change 533493 merged by Dzahn:
[operations/puppet@production] planet: add Hiera keys and include class for envoy

https://gerrit.wikimedia.org/r/533493

Change 533495 merged by Dzahn:
[operations/puppet@production] ATS/varnish: switch planet to discovery name, disable codfw backend

https://gerrit.wikimedia.org/r/533495

Dzahn updated the task description. Fri, Aug 30, 1:54 PM

Change 533985 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] peopleweb: include envoy for TLS termination

https://gerrit.wikimedia.org/r/533985

Dzahn updated the task description. Tue, Sep 3, 4:19 AM

Change 533986 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] add peopleweb.discovery.wmnet

https://gerrit.wikimedia.org/r/533986

Change 533986 merged by Dzahn:
[operations/dns@master] add peopleweb.discovery.wmnet

https://gerrit.wikimedia.org/r/533986

Change 533985 merged by Dzahn:
[operations/puppet@production] peopleweb: add TLS termination with envoy

https://gerrit.wikimedia.org/r/533985

Change 533995 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: switch people.wikimedia.org to https backend

https://gerrit.wikimedia.org/r/533995

Change 533995 merged by Dzahn:
[operations/puppet@production] ATS: switch people.wikimedia.org to https backend

https://gerrit.wikimedia.org/r/533995

Dzahn updated the task description. Tue, Sep 3, 6:22 AM
Dzahn updated the task description.

Change 534462 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] lvs: add restbase-ssl

https://gerrit.wikimedia.org/r/534462

Change 534594 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] releases: add envoy for TLS termination

https://gerrit.wikimedia.org/r/534594

Change 534597 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] webperf: add envoy for TLS termination

https://gerrit.wikimedia.org/r/534597

Change 533028 merged by Ema:
[operations/puppet@production] restbase: TLS termination with envoy on port 7443

https://gerrit.wikimedia.org/r/533028

Mentioned in SAL (#wikimedia-operations) [2019-09-05T14:50:50Z] <ema> restbase2009: depool and add TLS termination w/ envoy -- https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/533028/ T210411

Mentioned in SAL (#wikimedia-operations) [2019-09-05T14:54:27Z] <ema> restbase2009: repool after successful envoy deployment T210411

Change 534594 merged by Dzahn:
[operations/puppet@production] releases: add envoy for TLS termination

https://gerrit.wikimedia.org/r/534594

Change 534759 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS/varnish: switch backend for releases.wm.org to use TLS

https://gerrit.wikimedia.org/r/534759

Change 534759 merged by Dzahn:
[operations/puppet@production] ATS/varnish: switch backend for releases.wm.org to use TLS

https://gerrit.wikimedia.org/r/534759

Dzahn updated the task description. Fri, Sep 6, 7:49 AM
Dzahn updated the task description.
Dzahn added a comment. Fri, Sep 6, 7:51 AM
  • releases.wikimedia.org switched to TLS
  • releases-jenkins remains todo
  • parsoid-vd / parsoid-rt tests on ruthenium - directors and DNS records removed - users will SSH tunnel to them if needed

Change 534597 merged by Dzahn:
[operations/puppet@production] webperf: add envoy for TLS termination

https://gerrit.wikimedia.org/r/534597

Mentioned in SAL (#wikimedia-operations) [2019-09-06T08:43:05Z] <mutante> webperf* - /usr/local/sbin/build-envoy-config -c /etc/envoy | rm /etc/envoy/listeners.d/00-tls_terminator_443.yaml | run puppet - envoy now listening on 443 (T210411)

Change 534462 merged by Ema:
[operations/puppet@production] lvs: add restbase-ssl

https://gerrit.wikimedia.org/r/534462

Mentioned in SAL (#wikimedia-operations) [2019-09-09T09:28:30Z] <ema> lvs1016, lvs2006 (secondaries): restart pybal to add service restbase-ssl T210411

Change 535142 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] envoyproxy: accept HTTP/1.0

https://gerrit.wikimedia.org/r/535142

Change 535142 merged by Ema:
[operations/puppet@production] envoyproxy: accept HTTP/1.0

https://gerrit.wikimedia.org/r/535142

Mentioned in SAL (#wikimedia-operations) [2019-09-09T12:36:24Z] <ema> lvs2003 (primary): restart pybal to add service restbase-ssl T210411

Mentioned in SAL (#wikimedia-operations) [2019-09-09T12:41:21Z] <ema> lvs1015 (primary): restart pybal to add service restbase-ssl T210411

Change 535178 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: use TLS with RESTbase

https://gerrit.wikimedia.org/r/535178

Change 535178 merged by Ema:
[operations/puppet@production] ATS: use TLS with RESTbase

https://gerrit.wikimedia.org/r/535178

ema updated the task description. Mon, Sep 9, 12:55 PM
ema updated the task description. Mon, Sep 9, 12:59 PM
ema updated the task description. Mon, Sep 9, 1:03 PM

Change 535194 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] etherpad: add certificate

https://gerrit.wikimedia.org/r/535194

Change 535195 had a related patch set uploaded (by Ema; owner: Ema):
[labs/private@master] secret: dummy key for etherpad

https://gerrit.wikimedia.org/r/535195

Change 535201 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] etherpad: TLS termination with envoy

https://gerrit.wikimedia.org/r/535201

Change 535195 merged by Ema:
[labs/private@master] secret: dummy key for etherpad

https://gerrit.wikimedia.org/r/535195

Change 535194 merged by Ema:
[operations/puppet@production] etherpad: add certificate

https://gerrit.wikimedia.org/r/535194

Change 535201 merged by Ema:
[operations/puppet@production] etherpad: TLS termination with envoy

https://gerrit.wikimedia.org/r/535201

Change 535204 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] etherpad: set TLS port to 7443

https://gerrit.wikimedia.org/r/535204

Change 535204 merged by Ema:
[operations/puppet@production] etherpad: set TLS port to 7443

https://gerrit.wikimedia.org/r/535204

Change 535540 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: use TLS to connect to etherpad

https://gerrit.wikimedia.org/r/535540

Change 535540 merged by Ema:
[operations/puppet@production] ATS: use TLS to connect to etherpad

https://gerrit.wikimedia.org/r/535540

Change 535813 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] planet: add *.planet.wikimedia.org to SubjAltName

https://gerrit.wikimedia.org/r/535813

ema updated the task description. Wed, Sep 11, 10:14 AM

Change 535813 merged by Ema:
[operations/puppet@production] planet: add *.planet.wikimedia.org to SubjAltName

https://gerrit.wikimedia.org/r/535813

Change 535814 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] peopleweb: add people.wikimedia.org to SubjAltName

https://gerrit.wikimedia.org/r/535814

Change 535814 merged by Ema:
[operations/puppet@production] peopleweb: add people.wikimedia.org to SubjAltName

https://gerrit.wikimedia.org/r/535814

Change 535929 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: switch webperf backends to TLS and discovery name

https://gerrit.wikimedia.org/r/535929

Change 535936 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: switch releases-jenkins to TLS

https://gerrit.wikimedia.org/r/535936

Change 535941 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] add certificate for mwmaint servers

https://gerrit.wikimedia.org/r/535941

Change 535941 merged by Dzahn:
[operations/puppet@production] add certificate for mwmaint servers

https://gerrit.wikimedia.org/r/535941

Change 535936 merged by Dzahn:
[operations/puppet@production] ATS: switch releases-jenkins to TLS

https://gerrit.wikimedia.org/r/535936

Dzahn updated the task description. Thu, Sep 12, 5:46 PM

Please note that the docker-registry certificate is missing the public hostname: docker-registry.wikimedia.org