Applayer services without TLS
Open, Normal, Public

Description

The following application layer services have been defined in ATS as accessible only via plain HTTP. We should figure out whether they currently support TLS. If not, they should, to allow us to perform cross-DC HTTPS requests with ATS.

The list is in the format $origin_server - $websites and was generated with P7842.

Details

Related Gerrit Patches:
operations/puppet : production acme_chief: add dbtree.wm.org to tendril cert SAN
operations/puppet : production ATS: use port 7443 for debmonitor
operations/puppet : production debmonitor: expect 302 on successful TLS termination
operations/puppet : production debmonitor: terminate TLS on port 7443
operations/puppet : production debmonitor: update certificate
operations/puppet : production phabricator: do not rewrite /ws/
operations/puppet : production phabricator: allow websockets via tls terminator
operations/puppet : production ATS: fix typo in phabricator wss remap rule
operations/puppet : production phabricator: include uri path in ProxyPass directive
operations/puppet : production ATS: map phabricator ws to TLS encrypted wss
operations/puppet : production requesttracker: re-enable envoy if on buster
operations/puppet : production ATS: fix envoy backend port for RT to 443
operations/puppet : production ATS: use TLS to connect to labweb
operations/puppet : production Add labweb-ssl LVS service
operations/deployment-charts : master blubberoid: Add TLS termination
operations/puppet : production labweb: add TLS termination with envoy
labs/private : master secret: dummy key for labweb
operations/puppet : production labweb: add certificate
operations/puppet : production ATS: use TLS and DNS discovery to connect to puppetboard
operations/puppet : production puppetboard: add TLS termination with envoy
operations/dns : master Add puppetboard.discovery.wmnet pointing to puppetboard1001
operations/puppet : production puppetboard: add certificate
labs/private : master secret: dummy key for puppetboard
operations/puppet : production ATS: use TLS and DNS discovery to connect to graphite
operations/dns : master Add graphite.discovery.wmnet pointing to graphite1004
operations/puppet : production graphite: add TLS termination with envoy
operations/puppet : production graphite: add certificate
operations/puppet : production ATS: use TLS and DNS discovery to connect to kibana
labs/private : master secret: dummy key for graphite
operations/puppet : production Add kibana-ssl LVS service
operations/puppet : production kibana: add TLS termination with envoy
operations/puppet : production ssl: re-issue cert for performance.discovery.wmnet
operations/puppet : production ATS: use TLS to connect to WDQS
operations/puppet : production Add wdqs-ssl LVS service
operations/puppet : production wdqs: TLS termination with envoy
operations/puppet : production wdqs: envoy TLS termination for internal cluster
operations/puppet : production wdqs: add certificate
labs/private : master secret: dummy key for wdqs
operations/puppet : production mediawiki::maintenance: add envoy for TLS termination for noc.wm.org
operations/dns : master add maintenance.discovery.wmnet and point to mwmaint1002
operations/puppet : production ATS: switch webperf backends to TLS and discovery name
operations/puppet : production ATS: switch releases-jenkins to TLS
operations/puppet : production add certificate for mwmaint servers
operations/puppet : production peopleweb: add people.wikimedia.org to SubjAltName
operations/puppet : production planet: add *.planet.wikimedia.org to SubjAltName
operations/puppet : production ATS: use TLS to connect to etherpad
operations/puppet : production etherpad: set TLS port to 7443
operations/puppet : production etherpad: TLS termination with envoy
operations/puppet : production etherpad: add certificate
labs/private : master secret: dummy key for etherpad
operations/puppet : production ATS: use TLS with RESTbase
operations/puppet : production envoyproxy: accept HTTP/1.0
operations/puppet : production lvs: add restbase-ssl
operations/puppet : production webperf: add envoy for TLS termination
operations/puppet : production ATS/varnish: switch backend for releases.wm.org to use TLS
operations/puppet : production releases: add envoy for TLS termination
operations/puppet : production restbase: TLS termination with envoy on port 7443
operations/puppet : production ATS: switch people.wikimedia.org to https backend
operations/puppet : production peopleweb: add TLS termination with envoy
operations/dns : master add peopleweb.discovery.wmnet
operations/puppet : production ATS/varnish: switch planet to discovery name, disable codfw backend
operations/puppet : production planet: add Hiera keys and include class vor envoy
operations/puppet : production ssl: add certificate for planet
operations/puppet : production planet: include envoy for TLS termination
operations/puppet : production ATS/varnish: switch wikimania scholarships to miscweb, use TLS
operations/puppet : production webserver_misc_apps: only include envoy if on stretch
operations/puppet : production ATS/varnish: switch iegreview to miscweb backend and use TLS
operations/puppet : production Add discovery hostname to docker-registry certificate
operations/dns : master Add discovery CNAME webserver-misc-apps -> miscweb1001
operations/puppet : production misc_apps::httpd: do not load SSL httpd module
operations/puppet : production Revert "webserver_misc_apps: do not install envoy"
operations/puppet : production webserver_misc_apps: do not install envoy
operations/puppet : production ATS: use TLS for grafana1001
operations/puppet : production Add TLS termination for grafana
operations/puppet : production grafana: add certificate
labs/private : master secret: dummy key for grafana
operations/puppet : production logstash: add TLS support via profile::tlsproxy::service
operations/puppet : production Add TLS termination for webserver_misc_apps
labs/private : master secret: dummy key for webserver-misc-apps
operations/puppet : production webserver-misc-apps: add certificate
operations/puppet : production ATS: use TLS and discovery hostname for phabricator
operations/puppet : production restbase: add TLS support via profile::tlsproxy::service
operations/puppet : production Add TLS termination for phabricator.discovery.wmnet
operations/dns : master Add discovery CNAME phabricator -> phab1003
operations/puppet : production planet: re-add support for https for traffic server
operations/puppet : production phabricator.discovery.wmnet: add certificate
labs/private : master secret: dummy key for phabricator
operations/puppet : production ATS: use TLS and discovery hostname for bromine
operations/puppet : production role::webserver_misc_static: add TLS termination with envoy
operations/puppet : production profile::tlsproxy::envoy: new TLS terminator for services
operations/dns : master Add discovery CNAME webserver-misc-static -> bromine
labs/private : master secret: dummy key for webserver-misc-static
operations/puppet : production webserver-misc-static: add certificate
operations/puppet : production ATS: use TLS for thorium, dbmonitor, netmon
operations/puppet : production ATS: use TLS to connect to matomo
operations/puppet : production ATS: use TLS to connect to analytics hosts
operations/puppet : production profile::druid::turnilo::proxy: add Location to httpd Vhost
operations/puppet : production kibana: add certificate
labs/private : master secret: dummy key for kibana
operations/puppet : production restbase: add certificate for restbase.discovery.wmnet
operations/puppet : production Add profile::tlsproxy::service
labs/private : master secret: dummy key for restbase

Event Timeline

Change 544773 had a related patch set uploaded (by Ema; owner: Ema):
[labs/private@master] secret: dummy key for wdqs

https://gerrit.wikimedia.org/r/544773

Change 544774 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/deployment-charts@master] blubberoid: Add TLS termination

https://gerrit.wikimedia.org/r/544774

Change 544829 had a related patch set uploaded (by Mathew.onipe; owner: Mathew.onipe):
[operations/puppet@production] wdqs: envoy TLS termination for other clusters

https://gerrit.wikimedia.org/r/544829

Change 544773 merged by Ema:
[labs/private@master] secret: dummy key for wdqs

https://gerrit.wikimedia.org/r/544773

Change 544770 merged by Ema:
[operations/puppet@production] wdqs: add certificate

https://gerrit.wikimedia.org/r/544770

Change 544856 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] Add wdqs-ssl LVS service

https://gerrit.wikimedia.org/r/544856

Change 544672 merged by Ema:
[operations/puppet@production] wdqs: TLS termination with envoy

https://gerrit.wikimedia.org/r/544672

Change 544856 merged by Ema:
[operations/puppet@production] Add wdqs-ssl LVS service

https://gerrit.wikimedia.org/r/544856

Mentioned in SAL (#wikimedia-operations) [2019-10-21T12:58:31Z] <ema> lvs2006: restart pybal to add new service wdqs-ssl T210411

Mentioned in SAL (#wikimedia-operations) [2019-10-21T13:02:45Z] <ema> lvs1016: restart pybal to add new service wdqs-ssl T210411

Mentioned in SAL (#wikimedia-operations) [2019-10-21T13:04:04Z] <ema> lvs2003: restart pybal to add new service wdqs-ssl T210411

Mentioned in SAL (#wikimedia-operations) [2019-10-21T13:07:29Z] <ema> lvs1015: restart pybal to add new service wdqs-ssl T210411

Change 544904 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: use TLS to connect to WDQS

https://gerrit.wikimedia.org/r/544904

Change 544904 merged by Ema:
[operations/puppet@production] ATS: use TLS to connect to WDQS

https://gerrit.wikimedia.org/r/544904

ema updated the task description. Mon, Oct 21, 1:23 PM

Change 545203 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ssl: re-issue cert for performance.discovery.wmnet

https://gerrit.wikimedia.org/r/545203

Change 545203 merged by Ema:
[operations/puppet@production] ssl: re-issue cert for performance.discovery.wmnet

https://gerrit.wikimedia.org/r/545203

Change 545207 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] kibana: add TLS termination with envoy

https://gerrit.wikimedia.org/r/545207

Change 545209 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] Add kibana-ssl LVS service

https://gerrit.wikimedia.org/r/545209

Change 545207 merged by Ema:
[operations/puppet@production] kibana: add TLS termination with envoy

https://gerrit.wikimedia.org/r/545207

Change 545209 merged by Ema:
[operations/puppet@production] Add kibana-ssl LVS service

https://gerrit.wikimedia.org/r/545209

Mentioned in SAL (#wikimedia-operations) [2019-10-22T09:54:09Z] <ema> lvs1016: restart pybal to add new service kibana-ssl T210411

Mentioned in SAL (#wikimedia-operations) [2019-10-22T09:54:51Z] <ema> lvs2006: restart pybal to add new service kibana-ssl T210411

Mentioned in SAL (#wikimedia-operations) [2019-10-22T10:14:49Z] <ema> puppetmaster1001: rm /var/run/confd-template/.kibana-ssl*.err to make confd icinga check happy T210411

Mentioned in SAL (#wikimedia-operations) [2019-10-22T10:18:37Z] <ema> lvs1015: restart pybal to add new service kibana-ssl T210411

Mentioned in SAL (#wikimedia-operations) [2019-10-22T10:21:21Z] <ema> lvs2003: restart pybal to add new service kibana-ssl T210411

ema updated the task description. Wed, Oct 23, 7:36 AM

Change 545445 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: use TLS and DNS discovery to connect to kibana

https://gerrit.wikimedia.org/r/545445

Change 545470 had a related patch set uploaded (by Ema; owner: Ema):
[operations/dns@master] Add graphite.discovery.wmnet pointing to graphite1004

https://gerrit.wikimedia.org/r/545470

Change 545494 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] graphite: add certificate

https://gerrit.wikimedia.org/r/545494

Change 545495 had a related patch set uploaded (by Ema; owner: Ema):
[labs/private@master] secret: dummy key for graphite

https://gerrit.wikimedia.org/r/545495

Change 545496 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] graphite: add TLS termination with envoy

https://gerrit.wikimedia.org/r/545496

Change 545495 merged by Ema:
[labs/private@master] secret: dummy key for graphite

https://gerrit.wikimedia.org/r/545495

Change 545445 merged by Ema:
[operations/puppet@production] ATS: use TLS and DNS discovery to connect to kibana

https://gerrit.wikimedia.org/r/545445

Change 545494 merged by Ema:
[operations/puppet@production] graphite: add certificate

https://gerrit.wikimedia.org/r/545494

Change 545496 merged by Ema:
[operations/puppet@production] graphite: add TLS termination with envoy

https://gerrit.wikimedia.org/r/545496

Change 545470 merged by Ema:
[operations/dns@master] Add graphite.discovery.wmnet pointing to graphite1004

https://gerrit.wikimedia.org/r/545470

Change 545504 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: use TLS and DNS discovery to connect to graphite

https://gerrit.wikimedia.org/r/545504

ema updated the task description. Wed, Oct 23, 9:06 AM

Change 545504 merged by Ema:
[operations/puppet@production] ATS: use TLS and DNS discovery to connect to graphite

https://gerrit.wikimedia.org/r/545504

Change 545716 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] puppetboard: add certificate

https://gerrit.wikimedia.org/r/545716

Change 545717 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] puppetboard: add TLS termination with envoy

https://gerrit.wikimedia.org/r/545717

Change 545718 had a related patch set uploaded (by Ema; owner: Ema):
[labs/private@master] secret: dummy key for puppetboard

https://gerrit.wikimedia.org/r/545718

Change 545724 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: use TLS and DNS discovery to connect to puppetboard

https://gerrit.wikimedia.org/r/545724

Change 545733 had a related patch set uploaded (by Ema; owner: Ema):
[operations/dns@master] Add puppetboard.discovery.wmnet pointing to puppetboard1001

https://gerrit.wikimedia.org/r/545733

Change 545718 merged by Ema:
[labs/private@master] secret: dummy key for puppetboard

https://gerrit.wikimedia.org/r/545718

Change 545716 merged by Ema:
[operations/puppet@production] puppetboard: add certificate

https://gerrit.wikimedia.org/r/545716

Change 545733 merged by Ema:
[operations/dns@master] Add puppetboard.discovery.wmnet pointing to puppetboard1001

https://gerrit.wikimedia.org/r/545733

Change 545717 merged by Ema:
[operations/puppet@production] puppetboard: add TLS termination with envoy

https://gerrit.wikimedia.org/r/545717

Change 545724 merged by Ema:
[operations/puppet@production] ATS: use TLS and DNS discovery to connect to puppetboard

https://gerrit.wikimedia.org/r/545724

ema updated the task description. Thu, Oct 24, 10:37 AM

Change 545813 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] labweb: add certificate

https://gerrit.wikimedia.org/r/545813

Change 545813 merged by Ema:
[operations/puppet@production] labweb: add certificate

https://gerrit.wikimedia.org/r/545813

Change 546095 had a related patch set uploaded (by Ema; owner: Ema):
[labs/private@master] secret: dummy key for labweb

https://gerrit.wikimedia.org/r/546095

Change 546095 merged by Ema:
[labs/private@master] secret: dummy key for labweb

https://gerrit.wikimedia.org/r/546095

Change 546097 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] labweb: add TLS termination with envoy

https://gerrit.wikimedia.org/r/546097

Change 546098 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] Add labweb-ssl LVS service

https://gerrit.wikimedia.org/r/546098

Change 546099 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: use TLS to connect to labweb

https://gerrit.wikimedia.org/r/546099

Change 546097 merged by Ema:
[operations/puppet@production] labweb: add TLS termination with envoy

https://gerrit.wikimedia.org/r/546097

Change 544774 merged by jenkins-bot:
[operations/deployment-charts@master] blubberoid: Add TLS termination

https://gerrit.wikimedia.org/r/544774

Change 546098 merged by Ema:
[operations/puppet@production] Add labweb-ssl LVS service

https://gerrit.wikimedia.org/r/546098

Mentioned in SAL (#wikimedia-operations) [2019-10-25T08:32:31Z] <ema> lvs1016: restart pybal to add labweb-ssl T210411

Mentioned in SAL (#wikimedia-operations) [2019-10-25T08:37:56Z] <ema> lvs1015: restart pybal to add labweb-ssl T210411

Change 546099 merged by Ema:
[operations/puppet@production] ATS: use TLS to connect to labweb

https://gerrit.wikimedia.org/r/546099

ema updated the task description. Fri, Oct 25, 8:44 AM

Change 546280 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] requesttracker: re-enable envoy if on buster

https://gerrit.wikimedia.org/r/546280

Change 546280 merged by Dzahn:
[operations/puppet@production] requesttracker: re-enable envoy if on buster

https://gerrit.wikimedia.org/r/546280

Change 546308 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: fix envoy backend port for RT to 443

https://gerrit.wikimedia.org/r/546308

Change 546308 merged by Dzahn:
[operations/puppet@production] ATS: fix envoy backend port for RT to 443

https://gerrit.wikimedia.org/r/546308

Dzahn updated the task description. Fri, Oct 25, 10:42 PM
Dzahn updated the task description. Wed, Oct 30, 6:37 PM

RT (requesttracker) moved from jessie and public IP (ununpentium) to buster and private IP (moscovium) and https to backend via https://rt.discovery.wmnet

Change 549816 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: map phabricator ws to TLS encrypted wss

https://gerrit.wikimedia.org/r/549816

Change 549817 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] phabricator: include uri path in ProxyPass directive

https://gerrit.wikimedia.org/r/549817

Change 549816 merged by Ema:
[operations/puppet@production] ATS: map phabricator ws to TLS encrypted wss

https://gerrit.wikimedia.org/r/549816

Change 549817 merged by Ema:
[operations/puppet@production] phabricator: include uri path in ProxyPass directive

https://gerrit.wikimedia.org/r/549817

Change 549818 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: fix typo in phabricator wss remap rule

https://gerrit.wikimedia.org/r/549818

Change 549818 merged by Ema:
[operations/puppet@production] ATS: fix typo in phabricator wss remap rule

https://gerrit.wikimedia.org/r/549818

Change 549821 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] phabricator: allow websockets via tls terminator

https://gerrit.wikimedia.org/r/549821

Change 549821 merged by Ema:
[operations/puppet@production] phabricator: allow websockets via tls terminator

https://gerrit.wikimedia.org/r/549821

Change 549832 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] phabricator: do not rewrite /ws/

https://gerrit.wikimedia.org/r/549832

Change 549832 merged by Ema:
[operations/puppet@production] phabricator: do not rewrite /ws/

https://gerrit.wikimedia.org/r/549832

Change 550649 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] debmonitor: update certificate

https://gerrit.wikimedia.org/r/550649

Change 550649 merged by Ema:
[operations/puppet@production] debmonitor: update certificate

https://gerrit.wikimedia.org/r/550649

Change 550670 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] debmonitor: terminate TLS on port 7443

https://gerrit.wikimedia.org/r/550670

Change 550670 merged by Ema:
[operations/puppet@production] debmonitor: terminate TLS on port 7443

https://gerrit.wikimedia.org/r/550670

Change 550696 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] debmonitor: expect 302 on successful TLS termination

https://gerrit.wikimedia.org/r/550696

Change 550696 merged by Ema:
[operations/puppet@production] debmonitor: expect 302 on successful TLS termination

https://gerrit.wikimedia.org/r/550696

Change 550697 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: use port 7443 for debmonitor

https://gerrit.wikimedia.org/r/550697

Change 550697 merged by Ema:
[operations/puppet@production] ATS: use port 7443 for debmonitor

https://gerrit.wikimedia.org/r/550697

Change 551184 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] acme_chief: add dbtree.wm.org to tendril cert SAN

https://gerrit.wikimedia.org/r/551184

Change 551184 merged by Ema:
[operations/puppet@production] acme_chief: add dbtree.wm.org to tendril cert SAN

https://gerrit.wikimedia.org/r/551184