
Puppetize ATS TLS configuration for incoming traffic
Closed, Resolved. Public

Description

Our current ATS puppetization lacks support for incoming TLS traffic.

Details

Related Gerrit Patches:
[operations/puppet@production] ATS: Provide websocket support
[operations/puppet@production] hiera: Move nginx from port 443 to 4443 on cp5001
[operations/puppet@production] ATS: Fix port definition on trafficserver::monitoring
[operations/puppet@production] ATS: Set origin TTFB timeout to 180 secs for TLS instance
[operations/puppet@production] ATS: Allow specifying timeouts to TTFB in connections to origin servers
[operations/puppet@production] cache: Add use_trafficserver_tls parameter to unified profile
[operations/puppet@production] cache: Add missing tls_port parameter
[operations/puppet@production] cache: Allow setting an arbitrary port for incoming TLS connections
[operations/puppet@production] prometheus: Consider the new layer label for ATS aggregation rules
[operations/puppet@production] ATS: Enable TCP Fast Open for the TLS instance
[operations/puppet@production] ATS: Disable config status check for TLS instance
[operations/puppet@production] ATS: Only monitor OCSP Stapling freshness for acme_chief if it's being used
[operations/puppet@production] ATS: Only allow writing on /etc/acmecerts if acme_chief is being used
[operations/puppet@production] ATS: Fix non-default instance traffic_server path in check_procs check
[operations/puppet@production] ATS: Fix traffic_server --run-root parameter value in check_procs check
[operations/puppet@production] ATS: Allow ATS unit to write on sysconfdir if OCSP is enabled
[operations/puppet@production] ATS: include /var/cache/ocsp in the list of ReadWritePaths
[operations/puppet@production] ATS: Include TLS instance in cache upload role
[operations/puppet@production] ATS: Allow writing OCSP responses in /etc/acmecerts
[operations/puppet@production] ATS: Fix OCSP stapling configuration
[operations/puppet@production] ATS: Propagate config_prefix to trafficserver::lua_infra
[operations/puppet@production] ATS: Toggle X-Forwarded-For header
[operations/puppet@production] ATS: Provide a TLS terminator profile
[operations/puppet@production] ATS: Provide parent proxies support
[operations/puppet@production] ATS: Fix trafficserver-exporter nrpe check
[operations/puppet@production] ATS: Fix typo in ssl_multicert template
[operations/puppet@production] ATS: Toggle use of elevated privileges to load TLS material
[operations/puppet@production] ATS: Ensure that server's cipher suites preference is being honored
[operations/puppet@production] ATS: Provide support for TLS certificates with different SNI
[operations/puppet@production] nagios_common: Provide check_https_hostheader_port_url check
[operations/puppet@production] trafficserver: Allow disabling caching requests
[operations/puppet@production] trafficserver: Provide support for inbound TLS traffic
[operations/puppet@production] trafficserver: wrap TLS settings using a type alias

Event Timeline

Vgutierrez triaged this task as Normal priority. Apr 23 2019, 8:33 AM
Vgutierrez moved this task from Triage to TLS on the Traffic board.

Change 505780 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] trafficserver: wrap TLS settings using a type alias

https://gerrit.wikimedia.org/r/505780

Change 505780 merged by Vgutierrez:
[operations/puppet@production] trafficserver: wrap TLS settings using a type alias

https://gerrit.wikimedia.org/r/505780

Change 506159 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] trafficserver: Provide support for incoming TLS traffic

https://gerrit.wikimedia.org/r/506159

Change 506390 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] trafficserver: Allow disabling caching requests

https://gerrit.wikimedia.org/r/506390

Change 506398 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] trafficserver: Provide a TLS terminator profile

https://gerrit.wikimedia.org/r/506398

Change 507006 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] nagios_common: Provide check_https_hostheader_port_url check

https://gerrit.wikimedia.org/r/507006

Change 506159 merged by Vgutierrez:
[operations/puppet@production] trafficserver: Provide support for inbound TLS traffic

https://gerrit.wikimedia.org/r/506159

Change 506390 merged by Vgutierrez:
[operations/puppet@production] trafficserver: Allow disabling caching requests

https://gerrit.wikimedia.org/r/506390

Change 507006 merged by Vgutierrez:
[operations/puppet@production] nagios_common: Provide check_https_hostheader_port_url check

https://gerrit.wikimedia.org/r/507006

Change 509771 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] trafficserver: Ensure that server's cipher suites preference is being honored

https://gerrit.wikimedia.org/r/509771

Change 510093 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Provide support for TLS certificates with different SNI

https://gerrit.wikimedia.org/r/510093

Change 510093 merged by Vgutierrez:
[operations/puppet@production] ATS: Provide support for TLS certificates with different SNI

https://gerrit.wikimedia.org/r/510093

Change 509771 merged by Vgutierrez:
[operations/puppet@production] ATS: Ensure that server's cipher suites preference is being honored

https://gerrit.wikimedia.org/r/509771

Change 511716 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Toggle use of elevated privileges to load TLS material

https://gerrit.wikimedia.org/r/511716

Change 511716 merged by Vgutierrez:
[operations/puppet@production] ATS: Toggle use of elevated privileges to load TLS material

https://gerrit.wikimedia.org/r/511716

Change 511869 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Provide parent proxies support

https://gerrit.wikimedia.org/r/511869

Change 511890 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Fix typo in ssl_multicert template

https://gerrit.wikimedia.org/r/511890

Change 511890 merged by Vgutierrez:
[operations/puppet@production] ATS: Fix typo in ssl_multicert template

https://gerrit.wikimedia.org/r/511890

Change 513970 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Include ATS tls instance in upload_ats role

https://gerrit.wikimedia.org/r/513970

Change 514231 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Fix trafficserver-exporter nrpe check

https://gerrit.wikimedia.org/r/514231

Change 514231 merged by Vgutierrez:
[operations/puppet@production] ATS: Fix trafficserver-exporter nrpe check

https://gerrit.wikimedia.org/r/514231

Change 511869 merged by Vgutierrez:
[operations/puppet@production] ATS: Provide parent proxies support

https://gerrit.wikimedia.org/r/511869

ayounsi removed a subscriber: ayounsi. Jun 4 2019, 3:44 PM

Change 506398 merged by Vgutierrez:
[operations/puppet@production] ATS: Provide a TLS terminator profile

https://gerrit.wikimedia.org/r/506398

Change 529040 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Toggle X-Forwarded-For header

https://gerrit.wikimedia.org/r/529040

Change 529052 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Propagate config_prefix to trafficserver::lua_infra

https://gerrit.wikimedia.org/r/529052

Change 529040 merged by Vgutierrez:
[operations/puppet@production] ATS: Toggle X-Forwarded-For header

https://gerrit.wikimedia.org/r/529040

Change 529052 merged by Vgutierrez:
[operations/puppet@production] ATS: Propagate config_prefix to trafficserver::lua_infra

https://gerrit.wikimedia.org/r/529052

Change 529332 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Fix OCSP stapling configuration

https://gerrit.wikimedia.org/r/529332

Change 529335 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Allow writing OCSP responses in /etc/acmecerts

https://gerrit.wikimedia.org/r/529335

Change 529332 merged by Vgutierrez:
[operations/puppet@production] ATS: Fix OCSP stapling configuration

https://gerrit.wikimedia.org/r/529332

Change 529335 merged by Vgutierrez:
[operations/puppet@production] ATS: Allow writing OCSP responses in /etc/acmecerts

https://gerrit.wikimedia.org/r/529335

Mentioned in SAL (#wikimedia-operations) [2019-08-12T10:07:57Z] <vgutierrez> Upgrade trafficserver to 8.0.3-1wm3 in cp5001 - T221594

Mentioned in SAL (#wikimedia-operations) [2019-08-12T10:47:43Z] <vgutierrez> Upgrade trafficserver to 8.0.3-1wm3 in cp5002 - T221594

Mentioned in SAL (#wikimedia-operations) [2019-08-13T06:11:15Z] <vgutierrez> Upgrading ATS to 8.0.3-1wm3 in cp2002, cp1076, cp3034 and cp4021 - T221594

Mentioned in SAL (#wikimedia-operations) [2019-08-13T09:58:24Z] <vgutierrez> upgrading the rest of cache@upload to 8.0.3-1wm3 - T221594

Change 513970 merged by Vgutierrez:
[operations/puppet@production] ATS: Include TLS instance in cache upload role

https://gerrit.wikimedia.org/r/513970

Change 530848 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: include /var/cache/ocsp in the list of ReadWritePaths

https://gerrit.wikimedia.org/r/530848

Change 530848 merged by Vgutierrez:
[operations/puppet@production] ATS: include /var/cache/ocsp in the list of ReadWritePaths

https://gerrit.wikimedia.org/r/530848

Change 530849 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Allow ATS unit to write on sysconfdir if OCSP is enabled

https://gerrit.wikimedia.org/r/530849

Change 530849 merged by Vgutierrez:
[operations/puppet@production] ATS: Allow ATS unit to write on sysconfdir if OCSP is enabled

https://gerrit.wikimedia.org/r/530849

Change 530853 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Fix traffic_server --run-root parameter value

https://gerrit.wikimedia.org/r/530853

Change 530853 merged by Vgutierrez:
[operations/puppet@production] ATS: Fix traffic_server --run-root parameter value in check_procs check

https://gerrit.wikimedia.org/r/530853

Change 530855 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Fix non-default instance traffic_server path in check_procs check

https://gerrit.wikimedia.org/r/530855

Change 530855 merged by Vgutierrez:
[operations/puppet@production] ATS: Fix non-default instance traffic_server path in check_procs check

https://gerrit.wikimedia.org/r/530855

Change 530886 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Only allow writing on /etc/acmecerts if acme_chief is being used

https://gerrit.wikimedia.org/r/530886

Change 530887 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Only monitor OCSP Stapling freshness for acme_chief if it's being used

https://gerrit.wikimedia.org/r/530887

Change 530886 merged by Vgutierrez:
[operations/puppet@production] ATS: Only allow writing on /etc/acmecerts if acme_chief is being used

https://gerrit.wikimedia.org/r/530886

Change 530887 merged by Vgutierrez:
[operations/puppet@production] ATS: Only monitor OCSP Stapling freshness for acme_chief if it's being used

https://gerrit.wikimedia.org/r/530887

Change 531018 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Disable config status check for TLS instance

https://gerrit.wikimedia.org/r/531018

Change 531027 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable TCP Fast Open for the TLS instance

https://gerrit.wikimedia.org/r/531027

Mentioned in SAL (#wikimedia-operations) [2019-08-20T05:55:50Z] <marostegui> Stop MySQL on db2044 for decommissioning - T221594

Change 531018 merged by Vgutierrez:
[operations/puppet@production] ATS: Disable config status check for TLS instance

https://gerrit.wikimedia.org/r/531018

Change 531027 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable TCP Fast Open for the TLS instance

https://gerrit.wikimedia.org/r/531027

Change 531334 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] prometheus: Consider the new layer label for ATS aggregation rules

https://gerrit.wikimedia.org/r/531334

Change 531334 merged by Vgutierrez:
[operations/puppet@production] prometheus: Consider the new layer label for ATS aggregation rules

https://gerrit.wikimedia.org/r/531334

Change 531824 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] cache: Allow setting an arbitrary port for incoming TLS connections

https://gerrit.wikimedia.org/r/531824

Change 531872 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Allow specifying timeouts to TTFB in connections to origin servers

https://gerrit.wikimedia.org/r/531872

Change 531875 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Set origin TTFB timeout to 180 secs for TLS instance

https://gerrit.wikimedia.org/r/531875

Change 531885 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Provide websocket support

https://gerrit.wikimedia.org/r/531885

Change 531824 merged by Vgutierrez:
[operations/puppet@production] cache: Allow setting an arbitrary port for incoming TLS connections

https://gerrit.wikimedia.org/r/531824

Change 532297 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] cache: Add missing tls_port parameter

https://gerrit.wikimedia.org/r/532297

Change 532298 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] cache: Allow setting an arbitrary redir_port

https://gerrit.wikimedia.org/r/532298

Change 532297 merged by Vgutierrez:
[operations/puppet@production] cache: Add missing tls_port parameter

https://gerrit.wikimedia.org/r/532297

Change 532333 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Fix port definition on trafficserver::monitoring

https://gerrit.wikimedia.org/r/532333

Change 532298 merged by Vgutierrez:
[operations/puppet@production] cache: Add use_trafficserver_tls parameter to unified profile

https://gerrit.wikimedia.org/r/532298

Change 531872 merged by Vgutierrez:
[operations/puppet@production] ATS: Allow specifying timeouts to TTFB in connections to origin servers

https://gerrit.wikimedia.org/r/531872

Change 531875 merged by Vgutierrez:
[operations/puppet@production] ATS: Set origin TTFB timeout to 180 secs for TLS instance

https://gerrit.wikimedia.org/r/531875

Change 532333 merged by Vgutierrez:
[operations/puppet@production] ATS: Fix port definition on trafficserver::monitoring

https://gerrit.wikimedia.org/r/532333

Mentioned in SAL (#wikimedia-operations) [2019-08-26T10:26:04Z] <vgutierrez> uploaded trafficserver-8.0.5-1wm2 to apt.wikimedia.org (stretch) - T221594

Change 532355 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] hiera: Move nginx from port 443 to 4443 on cp5001

https://gerrit.wikimedia.org/r/532355

Mentioned in SAL (#wikimedia-operations) [2019-08-26T13:28:32Z] <vgutierrez> Replacing nginx with ats-tls in cp5001 - T221594

Change 532355 merged by Vgutierrez:
[operations/puppet@production] hiera: Move nginx from port 443 to 4443 on cp5001

https://gerrit.wikimedia.org/r/532355

Mentioned in SAL (#wikimedia-operations) [2019-08-26T14:05:14Z] <vgutierrez> repooling cp5001 using trafficserver as TLS termination layer - T221594

Mentioned in SAL (#wikimedia-operations) [2019-08-27T09:20:26Z] <vgutierrez> uploaded trafficserver-8.0.5-1wm3 to apt.wikimedia.org (stretch) - T221594

Mentioned in SAL (#wikimedia-operations) [2019-08-27T09:21:15Z] <vgutierrez> upgrading trafficserver to version 8.0.5-1wm3 on cp5001 - T221594

Vgutierrez closed this task as Resolved. Aug 28 2019, 11:36 AM

Change 531885 merged by Vgutierrez:
[operations/puppet@production] ATS: Provide websocket support

https://gerrit.wikimedia.org/r/531885