Page MenuHomePhabricator
Create Task
Maniphest T213301

Avoid inter-hosts puppet dependencies on certificate deployment
Closed, ResolvedPublic
Actions

Description

Right now when we deploy a new certificate in a new server the following steps are required:

  1. commit the certificate configuration
  2. run puppet in certcentral master node and get the certificate issued
  3. add the certcentral::cert resource in the nodes that are going to use the certificate
  4. run puppet in those nodes (it will fail with a 403)
  5. run puppet in certcentral master node
  6. run puppet again in the client certificate

while this process currently works is far from ideal and the need of the second puppet run on the certcentral node must be removed

Details

SubjectRepoBranchLines +/-
certcentral: Get rid of authorisedhost exported file resourceoperations/puppetproduction+0 -11
certcentral: Render new authorized_(hosts|regexes) parametersoperations/puppetproduction+11 -1
certcentral: Set authorized_hosts or regexes for every certoperations/puppetproduction+25 -0
debian: Add release 0.8 to changelogoperations/software/certcentraldebian+9 -0
certcentral: Allow specifying authorized hosts and regex in the configoperations/software/certcentraldebian+87 -7
Release 0.8operations/software/certcentraldebian+2 -2
Release 0.8operations/software/certcentralmaster+2 -2
certcentral: Allow specifying authorized hosts and regex in the configoperations/software/certcentralmaster+87 -7
Customize query in gerrit

Related Objects
Search...

Event Timeline

Vgutierrez created this task.Jan 9 2019, 4:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 9 2019, 4:07 PM
Vgutierrez triaged this task as Medium priority.Jan 9 2019, 4:07 PM
gerritbot subscribed.Jan 9 2019, 4:08 PM

Change 483163 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] certcentral: Allow specifying authorized hosts and regex in the config [WIP]

https://gerrit.wikimedia.org/r/483163

gerritbot added a project: Patch-For-Review.Jan 9 2019, 4:08 PM
Vgutierrez mentioned this in rOSCC1c31919d6bc4: certcentral: Allow specifying authorized hosts and regex in the config [WIP].Jan 9 2019, 5:07 PM
Vgutierrez mentioned this in rOSCCfe58651334c7: certcentral: Allow specifying authorized hosts and regex in the config [WIP].
Vgutierrez mentioned this in rOSCCe96358cd307c: certcentral: Allow specifying authorized hosts and regex in the config.Jan 9 2019, 5:13 PM
Vgutierrez mentioned this in rOSCC43fc26fd48f7: certcentral: Allow specifying authorized hosts and regex in the config.Jan 10 2019, 8:12 AM
Vgutierrez mentioned this in rOSCC198fd70ac89e: certcentral: Allow specifying authorized hosts and regex in the config.Jan 10 2019, 2:45 PM
Vgutierrez mentioned this in rOSCC047119d0cb91: certcentral: Allow specifying authorized hosts and regex in the config.Jan 10 2019, 2:51 PM
gerritbot added a comment.Jan 11 2019, 11:26 AM

Change 483728 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] certcentral: Set authorized_hosts or regexes for every cert

https://gerrit.wikimedia.org/r/483728

Vgutierrez added a parent task: T213705: Deploy managed LetsEncrypt certs for all public use-cases.Jan 14 2019, 2:42 PM
Vgutierrez mentioned this in rOSCC922ea6d28422: certcentral: Allow specifying authorized hosts and regex in the config.Jan 15 2019, 8:53 AM
Vgutierrez mentioned this in rOSCC2b70f5ea1c1f: certcentral: Allow specifying authorized hosts and regex in the config.Jan 15 2019, 3:03 PM
Vgutierrez mentioned this in rOSCCa8e98f88082c: certcentral: Allow specifying authorized hosts and regex in the config.Jan 15 2019, 3:20 PM
gerritbot added a comment.Jan 15 2019, 3:23 PM

Change 483163 merged by jenkins-bot:
[operations/software/certcentral@master] certcentral: Allow specifying authorized hosts and regex in the config

https://gerrit.wikimedia.org/r/483163

gerritbot added a comment.Jan 15 2019, 4:55 PM

Change 484511 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] Release 0.8

https://gerrit.wikimedia.org/r/484511

Vgutierrez mentioned this in rOSCCaa6c77b0a421: Release 0.8.Jan 15 2019, 4:56 PM
gerritbot added a comment.Jan 16 2019, 11:10 PM

Change 484511 merged by jenkins-bot:
[operations/software/certcentral@master] Release 0.8

https://gerrit.wikimedia.org/r/484511

gerritbot added a comment.Jan 17 2019, 11:29 AM

Change 485010 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] certcentral: Allow specifying authorized hosts and regex in the config

https://gerrit.wikimedia.org/r/485010

gerritbot added a comment.Jan 17 2019, 11:29 AM

Change 485011 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] Release 0.8

https://gerrit.wikimedia.org/r/485011

Vgutierrez mentioned this in rOSCCef8c96347cdc: certcentral: Allow specifying authorized hosts and regex in the config.Jan 17 2019, 11:32 AM
Vgutierrez mentioned this in rOSCC9a579db63d74: Release 0.8.
gerritbot added a comment.Jan 17 2019, 11:34 AM

Change 485010 merged by Vgutierrez:
[operations/software/certcentral@debian] certcentral: Allow specifying authorized hosts and regex in the config

https://gerrit.wikimedia.org/r/485010

gerritbot added a comment.Jan 17 2019, 11:34 AM

Change 485011 merged by Vgutierrez:
[operations/software/certcentral@debian] Release 0.8

https://gerrit.wikimedia.org/r/485011

gerritbot added a comment.Jan 17 2019, 11:39 AM

Change 485014 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] debian: Add release 0.8 to changelog

https://gerrit.wikimedia.org/r/485014

Vgutierrez mentioned this in rOSCCd08a1028b57f: debian: Add release 0.8 to changelog.Jan 17 2019, 11:43 AM
gerritbot added a comment.Feb 4 2019, 7:52 AM

Change 485014 merged by jenkins-bot:
[operations/software/certcentral@debian] debian: Add release 0.8 to changelog

https://gerrit.wikimedia.org/r/485014

Stashbot mentioned this in T209980: certcentral crashes on network errors.Feb 4 2019, 7:56 AM
Stashbot mentioned this in T213820: certcentral is incompatible with the current python3-acme version shipped in stretch-backports.
Stashbot subscribed.

Mentioned in SAL (#wikimedia-operations) [2019-02-04T07:56:44Z] <vgutierrez> uploaded certcentral 0.8 to apt.wikimedia.org (stretch) - T209980 T213820 T213301

gerritbot added a comment.Feb 4 2019, 11:54 AM

Change 483728 merged by Vgutierrez:
[operations/puppet@production] certcentral: Set authorized_hosts or regexes for every cert

https://gerrit.wikimedia.org/r/483728

gerritbot added a comment.Feb 4 2019, 3:41 PM

Change 487860 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] certcentral: Render new authorized_(hosts|regexes) parameters

https://gerrit.wikimedia.org/r/487860

gerritbot added a comment.Feb 4 2019, 4:01 PM

Change 487860 abandoned by Vgutierrez:
certcentral: Render new authorized_(hosts|regexes) parameters

Reason:
Forget about templating the config yaml, let's get I0cec7c5260d889077e1bab25a17404856c840f0e updated & merged

https://gerrit.wikimedia.org/r/487860

gerritbot added a comment.Feb 5 2019, 8:52 AM

Change 488002 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] certcentral: Get rid of authorisedhost exported file resource

https://gerrit.wikimedia.org/r/488002

gerritbot added a comment.Feb 5 2019, 9:09 AM

Change 488002 merged by Vgutierrez:
[operations/puppet@production] certcentral: Get rid of authorisedhost exported file resource

https://gerrit.wikimedia.org/r/488002

Vgutierrez closed this task as Resolved.Feb 5 2019, 9:21 AM
Vgutierrez removed a project: Patch-For-Review.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits