Page MenuHomePhabricator
Create Task
Maniphest T210411

Applayer services without TLS
Closed, ResolvedPublic
Actions

Description

The following application layer services have been defined in ATS as accessible only via plain HTTP. We should figure out whether they currently support TLS. If not, they should, to allow us to perform cross-DC HTTPS requests with ATS.

The list is in the format $origin_server - $websites and was generated with P7842.

Details

SubjectRepoBranchLines +/-
wdqs: envoy TLS termination for internal clusteroperations/puppetproduction+7 -0
ATS: switch ORES to TLS to backendsoperations/puppetproduction+1 -1
add fake key for ORES TLS certlabs/privatemaster+3 -0
ssl: add TLS certificate for ORESoperations/puppetproduction+24 -0
ores: add envoy-proxy for TLS termination behind ATSoperations/puppetproduction+9 -0
ATS: stop caching noc.wm.org responsesoperations/puppetproduction+1 -1
ATS: fix never_cache rule to apply to peopleweb discovery nameoperations/puppetproduction+1 -1
ssl: add integration.mediawiki.org to contint certoperations/puppetproduction+22 -22
Revert "ATS: switch contint backend to use TLS"operations/puppetproduction+1 -1
ATS: switch contint backend to use TLSoperations/puppetproduction+1 -1
ci::master: add envoy for TLS termination for integrationoperations/puppetproduction+10 -0
add certificate for contint/integration.wikimedia.orgoperations/puppetproduction+25 -0
add contint.wikimedia.org service alias for contint machinesoperations/dnsmaster+2 -0
releases: close port 80 for caching servers.operations/puppetproduction+1 -1
ATS: switch doc.wikimedia.org to https to backendoperations/puppetproduction+1 -1
doc: add envoy for TLS termination on doc1001operations/puppetproduction+9 -1
ssl: update cert for doc.discovery.wmnet to include doc.wikimedia.orgoperations/puppetproduction+20 -20
add certificate for envoy TLS termination on doc1001operations/puppetproduction+24 -0
ATS: switch backend URL to https for grafana-labsoperations/puppetproduction+2 -2
ATS: switch backend URL to https/discovery for graphite-labsoperations/puppetproduction+1 -1
ATS: switch grafana-labs backends from http to httpsoperations/puppetproduction+6 -3
ssl: add certificate for grafana-labs.discovery.wmnetoperations/puppetproduction+28 -0
wmcs::monitoring: add envoy for TLS termination for grafana-labsoperations/puppetproduction+9 -0
add fake key for grafana-labs.discovery.wmnet certlabs/privatemaster+3 -0
add graphite-labs.discovery.wmnetoperations/dnsmaster+1 -0
add grafana-labs.discovery.wmnetoperations/dnsmaster+1 -0
add doc.discovery.wmnet for use in envoy configoperations/dnsmaster+1 -0
add fake key for doc.discovery.wmnetlabs/privatemaster+3 -0
ATS: switch OTRS to use TLS and discovery recordoperations/puppetproduction+1 -1
ATS: use TLS to noc.wikimedia.org backendoperations/puppetproduction+1 -2
ssl: add noc.wikimedia.org to mwmaint puppet TLS certoperations/puppetproduction+21 -20
add ticket.discovery.wmnet, point to mendeleviumoperations/dnsmaster+1 -0
otrs: add envoy for TLS termination behind ATSoperations/puppetproduction+10 -0
mediawiki::maintenance: add envoy for TLS termination for noc.wm.orgoperations/puppetproduction+9 -0
rename maintenance.discovery to mwmaint.discoveryoperations/dnsmaster+1 -1
dbtree: add https VirtualHostoperations/puppetproduction+27 -0
acme_chief: add dbtree.wm.org to tendril cert SANoperations/puppetproduction+1 -0
ATS: use port 7443 for debmonitoroperations/puppetproduction+1 -1
debmonitor: expect 302 on successful TLS terminationoperations/puppetproduction+1 -1
debmonitor: terminate TLS on port 7443operations/puppetproduction+46 -1
debmonitor: update certificateoperations/puppetproduction+22 -24
phabricator: do not rewrite /ws/operations/puppetproduction+2 -0
phabricator: allow websockets via tls terminatoroperations/puppetproduction+1 -0
ATS: fix typo in phabricator wss remap ruleoperations/puppetproduction+1 -1
phabricator: include uri path in ProxyPass directiveoperations/puppetproduction+1 -1
ATS: map phabricator ws to TLS encrypted wssoperations/puppetproduction+1 -2
requesttracker: re-enable envoy if on busteroperations/puppetproduction+6 -3
ATS: fix envoy backend port for RT to 443operations/puppetproduction+0 -1
ATS: use TLS to connect to labweboperations/puppetproduction+3 -3
Add labweb-ssl LVS serviceoperations/puppetproduction+21 -2
blubberoid: Add TLS terminationoperations/deployment-chartsmaster+193 -98
labweb: add TLS termination with envoyoperations/puppetproduction+8 -0
secret: dummy key for labweblabs/privatemaster+3 -0
labweb: add certificateoperations/puppetproduction+28 -0
ATS: use TLS and DNS discovery to connect to puppetboardoperations/puppetproduction+1 -2
puppetboard: add TLS termination with envoyoperations/puppetproduction+7 -0
Add puppetboard.discovery.wmnet pointing to puppetboard1001operations/dnsmaster+2 -0
puppetboard: add certificateoperations/puppetproduction+27 -0
secret: dummy key for puppetboardlabs/privatemaster+3 -0
ATS: use TLS and DNS discovery to connect to graphiteoperations/puppetproduction+1 -2
Add graphite.discovery.wmnet pointing to graphite1004operations/dnsmaster+2 -0
graphite: add TLS termination with envoyoperations/puppetproduction+7 -0
graphite: add certificateoperations/puppetproduction+29 -0
ATS: use TLS and DNS discovery to connect to kibanaoperations/puppetproduction+1 -2
secret: dummy key for graphitelabs/privatemaster+3 -0
Add kibana-ssl LVS serviceoperations/puppetproduction+36 -6
kibana: add TLS termination with envoyoperations/puppetproduction+8 -0
ssl: re-issue cert for performance.discovery.wmnetoperations/puppetproduction+24 -23
ATS: use TLS to connect to WDQSoperations/puppetproduction+2 -2
Add wdqs-ssl LVS serviceoperations/puppetproduction+32 -6
wdqs: TLS termination with envoyoperations/puppetproduction+7 -0
wdqs: add certificateoperations/puppetproduction+25 -0
secret: dummy key for wdqslabs/privatemaster+3 -0
add maintenance.discovery.wmnet and point to mwmaint1002operations/dnsmaster+1 -0
ATS: switch webperf backends to TLS and discovery nameoperations/puppetproduction+2 -2
ATS: switch releases-jenkins to TLSoperations/puppetproduction+1 -1
add certificate for mwmaint serversoperations/puppetproduction+26 -0
peopleweb: add people.wikimedia.org to SubjAltNameoperations/puppetproduction+20 -20
planet: add *.planet.wikimedia.org to SubjAltNameoperations/puppetproduction+23 -22
ATS: use TLS to connect to etherpadoperations/puppetproduction+2 -2
etherpad: set TLS port to 7443operations/puppetproduction+1 -0
etherpad: TLS termination with envoyoperations/puppetproduction+7 -0
etherpad: add certificateoperations/puppetproduction+26 -0
secret: dummy key for etherpadlabs/privatemaster+3 -0
ATS: use TLS with RESTbaseoperations/puppetproduction+1 -1
envoyproxy: accept HTTP/1.0operations/puppetproduction+2 -0
lvs: add restbase-ssloperations/puppetproduction+55 -24
webperf: add envoy for TLS terminationoperations/puppetproduction+7 -0
ATS/varnish: switch backend for releases.wm.org to use TLSoperations/puppetproduction+2 -3
releases: add envoy for TLS terminationoperations/puppetproduction+7 -0
restbase: TLS termination with envoy on port 7443operations/puppetproduction+8 -0
ATS: switch people.wikimedia.org to https backendoperations/puppetproduction+1 -1
peopleweb: add TLS termination with envoyoperations/puppetproduction+34 -2
add peopleweb.discovery.wmnetoperations/dnsmaster+1 -0
ATS/varnish: switch planet to discovery name, disable codfw backendoperations/puppetproduction+2 -3
planet: add Hiera keys and include class vor envoyoperations/puppetproduction+8 -0
ssl: add certificate for planetoperations/puppetproduction+25 -0
planet: include envoy for TLS terminationoperations/puppetproduction+2 -0
ATS/varnish: switch wikimania scholarships to miscweb, use TLSoperations/puppetproduction+3 -3
webserver_misc_apps: only include envoy if on stretchoperations/puppetproduction+3 -1
ATS/varnish: switch iegreview to miscweb backend and use TLSoperations/puppetproduction+3 -3
Add discovery hostname to docker-registry certificateoperations/puppetproduction+24 -24
Add discovery CNAME webserver-misc-apps -> miscweb1001operations/dnsmaster+1 -0
misc_apps::httpd: do not load SSL httpd moduleoperations/puppetproduction+1 -1
Revert "webserver_misc_apps: do not install envoy"operations/puppetproduction+1 -1
webserver_misc_apps: do not install envoyoperations/puppetproduction+1 -1
ATS: use TLS for grafana1001operations/puppetproduction+1 -1
Add TLS termination for grafanaoperations/puppetproduction+7 -0
grafana: add certificateoperations/puppetproduction+28 -0
secret: dummy key for grafanalabs/privatemaster+3 -0
logstash: add TLS support via profile::tlsproxy::serviceoperations/puppetproduction+8 -0
Add TLS termination for webserver_misc_appsoperations/puppetproduction+7 -0
secret: dummy key for webserver-misc-appslabs/privatemaster+3 -0
webserver-misc-apps: add certificateoperations/puppetproduction+28 -0
ATS: use TLS and discovery hostname for phabricatoroperations/puppetproduction+5 -10
restbase: add TLS support via profile::tlsproxy::serviceoperations/puppetproduction+8 -0
Add TLS termination for phabricator.discovery.wmnetoperations/puppetproduction+7 -0
Add discovery CNAME phabricator -> phab1003operations/dnsmaster+1 -0
planet: re-add support for https for traffic serveroperations/puppetproduction+33 -1
phabricator.discovery.wmnet: add certificateoperations/puppetproduction+27 -0
secret: dummy key for phabricatorlabs/privatemaster+3 -0
ATS: use TLS and discovery hostname for bromineoperations/puppetproduction+10 -20
role::webserver_misc_static: add TLS termination with envoyoperations/puppetproduction+13 -0
profile::tlsproxy::envoy: new TLS terminator for servicesoperations/puppetproduction+202 -0
Add discovery CNAME webserver-misc-static -> bromineoperations/dnsmaster+1 -0
secret: dummy key for webserver-misc-staticlabs/privatemaster+3 -0
webserver-misc-static: add certificateoperations/puppetproduction+31 -0
ATS: use TLS for thorium, dbmonitor, netmonoperations/puppetproduction+7 -7
ATS: use TLS to connect to matomooperations/puppetproduction+1 -1
ATS: use TLS to connect to analytics hostsoperations/puppetproduction+6 -6
profile::druid::turnilo::proxy: add Location to httpd Vhostoperations/puppetproduction+5 -0
kibana: add certificateoperations/puppetproduction+25 -0
secret: dummy key for kibanalabs/privatemaster+3 -0
restbase: add certificate for restbase.discovery.wmnetoperations/puppetproduction+40 -0
Add profile::tlsproxy::serviceoperations/puppetproduction+27 -0
secret: dummy key for restbaselabs/privatemaster+3 -0
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Ottomata added a comment.Jan 2 2020, 9:40 PM

Ah hm, I also just realized the public cert is manually committed to public puppet in files/ssl.

Should we maybe just change sslcert::certificate to be smart(er) about where it gets its stuff? Sure the certificate can be public, but it is already in puppet private, so maybe we should just grab it from there instead of duplicating it?

gerritbot added a comment.Feb 15 2020, 2:26 AM

Change 572378 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] doc: add envoy for TLS termination on doc1001

https://gerrit.wikimedia.org/r/572378

gerritbot added a comment.Feb 15 2020, 2:29 AM

Change 572380 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] add doc.discovery.wmnet for use in envoy config

https://gerrit.wikimedia.org/r/572380

gerritbot added a comment.Feb 15 2020, 2:41 AM

Change 572381 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] wmcs::monitoring: add envoy for TLS termination for grafana-labs

https://gerrit.wikimedia.org/r/572381

gerritbot added a comment.Feb 15 2020, 2:45 AM

Change 572382 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: switch backend URL to https for grafana-labs

https://gerrit.wikimedia.org/r/572382

gerritbot added a comment.Feb 15 2020, 2:50 AM

Change 572385 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] add grafana-labs.discovery.wmnet

https://gerrit.wikimedia.org/r/572385

gerritbot added a comment.Feb 15 2020, 2:52 AM

Change 572387 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] add graphite-labs.discovery.wmnet

https://gerrit.wikimedia.org/r/572387

gerritbot added a comment.Feb 15 2020, 2:55 AM

Change 572391 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: switch backend URL to https/discovery for graphite-labs

https://gerrit.wikimedia.org/r/572391

Dzahn updated the task description. (Show Details)Feb 15 2020, 3:25 AM

meanwhile there is another one in ATS backend.yaml.

added [ ] cloudweb2001-dev.wikimedia.org - http://labtesthorizon.wikimedia.org , http://labtestwikitech.wikimedia.org

gerritbot added a comment.Feb 18 2020, 6:37 PM

Change 572937 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[labs/private@master] add fake key for doc.discovery.wmnet

https://gerrit.wikimedia.org/r/572937

gerritbot added a comment.Feb 18 2020, 7:16 PM

Change 572937 merged by Dzahn:
[labs/private@master] add fake key for doc.discovery.wmnet

https://gerrit.wikimedia.org/r/572937

Dzahn mentioned this in rLPRIe94285f69740: add fake key for doc.discovery.wmnet.Feb 18 2020, 7:16 PM
gerritbot added a comment.Feb 18 2020, 7:19 PM

Change 572380 merged by Dzahn:
[operations/dns@master] add doc.discovery.wmnet for use in envoy config

https://gerrit.wikimedia.org/r/572380

gerritbot added a comment.Feb 18 2020, 11:50 PM

Change 572353 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] releases: remove port 80 firewall hole

https://gerrit.wikimedia.org/r/572353

Vgutierrez closed subtask T238900: add TLS support for smokeping.wikimedia.org as Resolved.Feb 19 2020, 2:40 PM
Dzahn added a comment.Feb 19 2020, 6:47 PM

In this topic branch i am also switching monitoring of these services from HTTP to HTTPS:

https://gerrit.wikimedia.org/r/q/topic:%22icinga-http-https%22+(status:open%20OR%20status:merged)

gerritbot added a comment.Feb 19 2020, 11:23 PM

Change 572385 merged by Dzahn:
[operations/dns@master] add grafana-labs.discovery.wmnet

https://gerrit.wikimedia.org/r/572385

gerritbot added a comment.Feb 19 2020, 11:26 PM

Change 572387 merged by Dzahn:
[operations/dns@master] add graphite-labs.discovery.wmnet

https://gerrit.wikimedia.org/r/572387

Dzahn updated the task description. (Show Details)Mar 3 2020, 6:33 PM

grafana-labs-admin.wikimedia.org has been removed from DNS in https://gerrit.wikimedia.org/r/c/operations/dns/+/576408 therefore also removed here

Dzahn updated the task description. (Show Details)Mar 3 2020, 6:37 PM

labmon1001 has been replaced by cloudmetrics1002 and is still hosting grafana-labs and graphite-labs.

gerritbot added a comment.Mar 3 2020, 7:05 PM

Change 576417 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[labs/private@master] add fake key for grafana-labs.discovery.wmnet cert

https://gerrit.wikimedia.org/r/576417

gerritbot added a comment.Mar 3 2020, 7:07 PM

Change 576417 merged by Dzahn:
[labs/private@master] add fake key for grafana-labs.discovery.wmnet cert

https://gerrit.wikimedia.org/r/576417

Dzahn mentioned this in rLPRI758ed0f86e2b: add fake key for grafana-labs.discovery.wmnet cert.Mar 3 2020, 7:09 PM
gerritbot added a comment.Mar 3 2020, 7:33 PM

Change 572381 merged by Dzahn:
[operations/puppet@production] wmcs::monitoring: add envoy for TLS termination for grafana-labs

https://gerrit.wikimedia.org/r/572381

gerritbot added a comment.Mar 3 2020, 7:42 PM

Change 576428 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ssl: add certificate for grafana-labs.discovery.wmnet

https://gerrit.wikimedia.org/r/576428

gerritbot added a comment.Mar 3 2020, 7:44 PM

Change 576428 merged by Dzahn:
[operations/puppet@production] ssl: add certificate for grafana-labs.discovery.wmnet

https://gerrit.wikimedia.org/r/576428

gerritbot added a comment.Mar 3 2020, 7:59 PM

Change 576434 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: switch grafana-labs backends from http to https

https://gerrit.wikimedia.org/r/576434

gerritbot added a comment.Mar 3 2020, 8:35 PM

Change 576434 merged by Dzahn:
[operations/puppet@production] ATS: switch grafana-labs backends from http to https

https://gerrit.wikimedia.org/r/576434

Dzahn updated the task description. (Show Details)Mar 3 2020, 8:56 PM

grafana-labs and graphite-labs have switched to TLS now.

gerritbot added a comment.Mar 3 2020, 9:03 PM

Change 572391 abandoned by Dzahn:
ATS: switch backend URL to https/discovery for graphite-labs

Reason:
duplicate of https://gerrit.wikimedia.org/r/c/operations/puppet/ /576434

https://gerrit.wikimedia.org/r/572391

gerritbot added a comment.Mar 3 2020, 9:03 PM

Change 572382 abandoned by Dzahn:
ATS: switch backend URL to https for grafana-labs

Reason:
grafana-labs-admin does not exist anymore. done in https://gerrit.wikimedia.org/r/c/operations/puppet/ /576434

https://gerrit.wikimedia.org/r/572382

gerritbot added a comment.Mar 12 2020, 6:14 PM

Change 572378 merged by Dzahn:
[operations/puppet@production] doc: add envoy for TLS termination on doc1001

https://gerrit.wikimedia.org/r/572378

gerritbot added a comment.Mar 12 2020, 6:27 PM

Change 579360 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] add certificate for envoy TLS termination on doc1001

https://gerrit.wikimedia.org/r/579360

gerritbot added a comment.Mar 12 2020, 6:45 PM

Change 579360 merged by Dzahn:
[operations/puppet@production] add certificate for envoy TLS termination on doc1001

https://gerrit.wikimedia.org/r/579360

Dzahn updated the task description. (Show Details)Mar 12 2020, 6:51 PM
Dzahn updated the task description. (Show Details)
gerritbot added a comment.Mar 12 2020, 8:16 PM

Change 579390 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ssl: update cert for doc.discovery.wmnet to include doc.wikimedia.org

https://gerrit.wikimedia.org/r/579390

gerritbot added a comment.Mar 12 2020, 9:18 PM

Change 579390 merged by Dzahn:
[operations/puppet@production] ssl: update cert for doc.discovery.wmnet to include doc.wikimedia.org

https://gerrit.wikimedia.org/r/579390

gerritbot added a comment.Mar 12 2020, 9:25 PM

Change 579407 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: switch doc.wikimedia.org to https to backend

https://gerrit.wikimedia.org/r/579407

Stashbot added a comment.Mar 12 2020, 9:47 PM

Mentioned in SAL (#wikimedia-operations) [2020-03-12T21:47:28Z] <mutante> doc1001 - had to manually run "/usr/local/sbin/build-envoy-config -c /etc/envoy/" to get envoy tls_terminator_443 listener into the config or envoy would not listen on 443 (T210411)

gerritbot added a comment.Mar 12 2020, 9:54 PM

Change 579407 merged by Dzahn:
[operations/puppet@production] ATS: switch doc.wikimedia.org to https to backend

https://gerrit.wikimedia.org/r/579407

Dzahn added a comment.Mar 12 2020, 10:04 PM

https://doc.wikimedia.org has been switched from http://doc1001.eqiad.wmnet to https://doc.discovery.wmnet

Dzahn updated the task description. (Show Details)Mar 12 2020, 10:04 PM
gerritbot added a comment.Mar 19 2020, 5:40 PM

Change 572353 merged by Dzahn:
[operations/puppet@production] releases: close port 80 for caching servers.

https://gerrit.wikimedia.org/r/572353

Stashbot added a comment.Mar 25 2020, 2:46 PM

Mentioned in SAL (#wikimedia-operations) [2020-03-25T14:46:06Z] <mutante> closed port 80 for caching servers on misc backends https://gerrit.wikimedia.org/r/q/topic:%22applayer-tls%22+(status:open%20OR%20status:merged) as final step per service on T210411

gerritbot added a comment.Apr 15 2020, 10:42 AM

Change 588980 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ci::master: add envoy for TLS termination for integration

https://gerrit.wikimedia.org/r/588980

gerritbot added a comment.Apr 16 2020, 11:23 AM

Change 589285 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] add contint.wikimedia.org service alias for contint machines

https://gerrit.wikimedia.org/r/589285

gerritbot added a comment.Apr 17 2020, 7:30 AM

Change 589285 merged by Dzahn:
[operations/dns@master] add contint.wikimedia.org service alias for contint machines

https://gerrit.wikimedia.org/r/589285

gerritbot added a comment.Apr 17 2020, 9:13 AM

Change 588980 merged by Dzahn:
[operations/puppet@production] ci::master: add envoy for TLS termination for integration

https://gerrit.wikimedia.org/r/588980

gerritbot added a comment.Apr 17 2020, 9:33 AM

Change 589556 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] add certificate for contint/integration.wikimedia.org

https://gerrit.wikimedia.org/r/589556

gerritbot added a comment.Apr 17 2020, 9:51 AM

Change 589556 merged by Dzahn:
[operations/puppet@production] add certificate for contint/integration.wikimedia.org

https://gerrit.wikimedia.org/r/589556

gerritbot added a comment.Apr 17 2020, 10:41 AM

Change 589565 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: switch contint backend to use TLS

https://gerrit.wikimedia.org/r/589565

gerritbot added a comment.Apr 21 2020, 11:03 AM

Change 589565 merged by Dzahn:
[operations/puppet@production] ATS: switch contint backend to use TLS

https://gerrit.wikimedia.org/r/589565

Stashbot added a comment.Apr 21 2020, 11:06 AM

Mentioned in SAL (#wikimedia-operations) [2020-04-21T11:06:12Z] <mutante> https://integration.wikimedia.org now also using TLS between ATS and contint1001 using envoy (T210411)

gerritbot added a comment.Apr 21 2020, 11:20 AM

Change 591321 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ssl: add integration.mediawiki.org to contint cert

https://gerrit.wikimedia.org/r/591321

gerritbot added a comment.Apr 21 2020, 11:21 AM

Change 591321 merged by Dzahn:
[operations/puppet@production] ssl: add integration.mediawiki.org to contint cert

https://gerrit.wikimedia.org/r/591321

Dzahn updated the task description. (Show Details)Apr 21 2020, 11:22 AM
gerritbot added a comment.Apr 21 2020, 12:05 PM

Change 591325 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] Revert "ATS: switch contint backend to use TLS"

https://gerrit.wikimedia.org/r/591325

gerritbot added a comment.Apr 21 2020, 12:06 PM

Change 591325 merged by Dzahn:
[operations/puppet@production] Revert "ATS: switch contint backend to use TLS"

https://gerrit.wikimedia.org/r/591325

Dzahn updated the task description. (Show Details)Apr 21 2020, 12:16 PM

The change for contint (integration.wikimedia.org, integration.mediawiki.org) had to be reverted because https://integration.wikimedia.org/ci/ returned 502s.

gerritbot added a comment.May 21 2020, 10:58 AM

Change 597757 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: fix never_cache rule to apply to peopleweb discovery name

https://gerrit.wikimedia.org/r/597757

gerritbot added a comment.May 21 2020, 11:03 AM

Change 597757 merged by Dzahn:
[operations/puppet@production] ATS: fix never_cache rule to apply to peopleweb discovery name

https://gerrit.wikimedia.org/r/597757

gerritbot added a comment.Jun 15 2020, 12:30 PM

Change 605578 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: stop caching noc.wm.org responses

https://gerrit.wikimedia.org/r/605578

gerritbot added a comment.Jun 15 2020, 12:33 PM

Change 605578 merged by Ema:
[operations/puppet@production] ATS: stop caching noc.wm.org responses

https://gerrit.wikimedia.org/r/605578

ema updated the task description. (Show Details)Jul 22 2020, 2:47 PM
ema changed the task status from Open to Stalled.Jul 22 2020, 2:49 PM
gerritbot added a comment.Jul 22 2020, 9:01 PM

Change 615569 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ores: add envoy-proxy for TLS termination behind ATS

https://gerrit.wikimedia.org/r/615569

gerritbot added a comment.Aug 4 2020, 6:19 PM

Change 615569 merged by Dzahn:
[operations/puppet@production] ores: add envoy-proxy for TLS termination behind ATS

https://gerrit.wikimedia.org/r/615569

gerritbot added a comment.Aug 4 2020, 6:37 PM

Change 618367 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ssl: add TLS certificate for ORES

https://gerrit.wikimedia.org/r/618367

gerritbot added a comment.Aug 4 2020, 6:40 PM

Change 618368 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[labs/private@master] add fake key for ORES TLS cert

https://gerrit.wikimedia.org/r/618368

gerritbot added a comment.Aug 4 2020, 6:41 PM

Change 618367 merged by Dzahn:
[operations/puppet@production] ssl: add TLS certificate for ORES

https://gerrit.wikimedia.org/r/618367

gerritbot added a comment.Aug 4 2020, 6:42 PM

Change 618368 merged by Dzahn:
[labs/private@master] add fake key for ORES TLS cert

https://gerrit.wikimedia.org/r/618368

Dzahn mentioned this in rLPRI23725e5d06e5: add fake key for ORES TLS cert.Aug 4 2020, 6:43 PM
gerritbot added a comment.Aug 4 2020, 7:21 PM

Change 618379 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: switch ORES to TLS to backends

https://gerrit.wikimedia.org/r/618379

jijiki moved this task from Incoming 🐫 to 🔦Unused2 on the serviceops board.Aug 17 2020, 11:48 PM
Dzahn mentioned this in T263506: Convert Collab services with multiple backends to active-active where possible.Sep 21 2020, 11:22 PM
hashar added a subtask: T263830: contint.wikimedia.org: add TLS termination.Sep 25 2020, 6:08 PM
Dzahn mentioned this in T108580: HTTPS for internal service traffic.Dec 17 2020, 5:02 PM
Dzahn added a comment.Dec 17 2020, 5:04 PM

also see T108580

Dzahn mentioned this in T263831: puppetmaster[12]001: add TLS termination.Dec 17 2020, 5:04 PM
Nintendofan885 subscribed.Jan 6 2021, 11:00 AM
gerritbot added a comment.Jan 7 2021, 8:35 PM

Change 618379 abandoned by Dzahn:
[operations/puppet@production] ATS: switch ORES to TLS to backends

Reason:
would need new LVS and ORES seems on the way out

https://gerrit.wikimedia.org/r/618379

Dzahn mentioned this in T276144: open firewall ports on gitlab1001.wikimedia.org (was: Port map of how Gitlab is accessed).Mar 1 2021, 11:13 PM
BBlack moved this task from Caching to Icebox-Temp on the Traffic board.Oct 8 2021, 5:21 PM
BBlack edited projects, added Traffic-Icebox; removed Traffic.Oct 8 2021, 8:04 PM

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all tickets that aren't are neither part of our current planned work nor clearly a recent, higher-priority emergent issue. This is simply one step in a larger task cleanup effort. Further triage of these tickets (and especially, organizing future potential project ideas from them into a new medium) will occur afterwards! For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

taavi closed subtask T263830: contint.wikimedia.org: add TLS termination as Resolved.Nov 30 2021, 5:13 PM
ema updated the task description. (Show Details)Dec 8 2021, 8:19 AM
ema closed this task as Resolved.Dec 8 2021, 8:22 AM
ema updated the task description. (Show Details)
ema updated the task description. (Show Details)
Dzahn added a comment.Dec 8 2021, 3:50 PM

wow, what an epic task this was with many subtasks. quite the journey. congrats and thanks to all

Dzahn awarded a token.Dec 8 2021, 3:50 PM
gerritbot added a comment.Dec 18 2023, 5:35 PM

Change 544829 abandoned by Bking:

[operations/puppet@production] wdqs: envoy TLS termination for internal cluster

Reason:

Envoy proxy already enabled for internal wdqs

https://gerrit.wikimedia.org/r/544829

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits