Avoid inter-hosts puppet dependencies on certificate deployment
Closed, Resolved · Public

Description

Right now when we deploy a new certificate in a new server the following steps are required:

  1. commit the certificate configuration
  2. run puppet in certcentral master node and get the certificate issued
  3. add the certcentral::cert resource in the nodes that are going to use the certificate
  4. run puppet in those nodes (it will fail with a 403)
  5. run puppet in certcentral master node
  6. run puppet again in the client certificate

While this process currently works, it is far from ideal, and the need for the second puppet run on the certcentral node must be removed.

Event Timeline

Restricted Application added a subscriber: Aklapper. · Jan 9 2019, 4:07 PM
Vgutierrez triaged this task as Normal priority. · Jan 9 2019, 4:07 PM

Change 483163 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] certcentral: Allow specifying authorized hosts and regex in the config [WIP]

https://gerrit.wikimedia.org/r/483163

Change 483728 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] certcentral: Set authorized_hosts or regexes for every cert

https://gerrit.wikimedia.org/r/483728

Change 483163 merged by jenkins-bot:
[operations/software/certcentral@master] certcentral: Allow specifying authorized hosts and regex in the config

https://gerrit.wikimedia.org/r/483163

Change 484511 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] Release 0.8

https://gerrit.wikimedia.org/r/484511

Change 484511 merged by jenkins-bot:
[operations/software/certcentral@master] Release 0.8

https://gerrit.wikimedia.org/r/484511

Change 485010 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] certcentral: Allow specifying authorized hosts and regex in the config

https://gerrit.wikimedia.org/r/485010

Change 485011 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] Release 0.8

https://gerrit.wikimedia.org/r/485011

Change 485010 merged by Vgutierrez:
[operations/software/certcentral@debian] certcentral: Allow specifying authorized hosts and regex in the config

https://gerrit.wikimedia.org/r/485010

Change 485011 merged by Vgutierrez:
[operations/software/certcentral@debian] Release 0.8

https://gerrit.wikimedia.org/r/485011

Change 485014 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] debian: Add release 0.8 to changelog

https://gerrit.wikimedia.org/r/485014

Change 485014 merged by jenkins-bot:
[operations/software/certcentral@debian] debian: Add release 0.8 to changelog

https://gerrit.wikimedia.org/r/485014

Change 483728 merged by Vgutierrez:
[operations/puppet@production] certcentral: Set authorized_hosts or regexes for every cert

https://gerrit.wikimedia.org/r/483728

Change 487860 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] certcentral: Render new authorized_(hosts|regexes) parameters

https://gerrit.wikimedia.org/r/487860

Change 487860 abandoned by Vgutierrez:
certcentral: Render new authorized_(hosts|regexes) parameters

Reason:
Forget about templating the config yaml, let's get I0cec7c5260d889077e1bab25a17404856c840f0e updated & merged

https://gerrit.wikimedia.org/r/487860

Change 488002 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] certcentral: Get rid of authorisedhost exported file resource

https://gerrit.wikimedia.org/r/488002

Change 488002 merged by Vgutierrez:
[operations/puppet@production] certcentral: Get rid of authorisedhost exported file resource

https://gerrit.wikimedia.org/r/488002

Vgutierrez closed this task as Resolved. · Tue, Feb 5, 9:21 AM
Vgutierrez removed a project: Patch-For-Review.