Puppetize ATS TLS configuration for incoming traffic
Open, Normal, Public

Description

Our current ATS puppetization lacks support for incoming TLS traffic.

Event Timeline

Vgutierrez triaged this task as Normal priority. Apr 23 2019, 8:33 AM
Vgutierrez created this task.
Vgutierrez moved this task from Triage to TLS on the Traffic board.

Change 505780 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] trafficserver: wrap TLS settings using a type alias

https://gerrit.wikimedia.org/r/505780

Change 505780 merged by Vgutierrez:
[operations/puppet@production] trafficserver: wrap TLS settings using a type alias

https://gerrit.wikimedia.org/r/505780

Change 506159 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] trafficserver: Provide support for incoming TLS traffic

https://gerrit.wikimedia.org/r/506159

Change 506390 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] trafficserver: Allow disabling caching requests

https://gerrit.wikimedia.org/r/506390

Change 506398 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] trafficserver: Provide a TLS terminator profile

https://gerrit.wikimedia.org/r/506398

Change 507006 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] nagios_common: Provide check_https_hostheader_port_url check

https://gerrit.wikimedia.org/r/507006

Change 506159 merged by Vgutierrez:
[operations/puppet@production] trafficserver: Provide support for inbound TLS traffic

https://gerrit.wikimedia.org/r/506159

Change 506390 merged by Vgutierrez:
[operations/puppet@production] trafficserver: Allow disabling caching requests

https://gerrit.wikimedia.org/r/506390

Change 507006 merged by Vgutierrez:
[operations/puppet@production] nagios_common: Provide check_https_hostheader_port_url check

https://gerrit.wikimedia.org/r/507006

Change 509771 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] trafficserver: Ensure that server's cipher suites preference is being honored

https://gerrit.wikimedia.org/r/509771

Change 510093 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Provide support for TLS certificates with different SNI

https://gerrit.wikimedia.org/r/510093

Change 510093 merged by Vgutierrez:
[operations/puppet@production] ATS: Provide support for TLS certificates with different SNI

https://gerrit.wikimedia.org/r/510093

Change 509771 merged by Vgutierrez:
[operations/puppet@production] ATS: Ensure that server's cipher suites preference is being honored

https://gerrit.wikimedia.org/r/509771

Change 511716 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Toggle use of elevated privileges to load TLS material

https://gerrit.wikimedia.org/r/511716

Change 511716 merged by Vgutierrez:
[operations/puppet@production] ATS: Toggle use of elevated privileges to load TLS material

https://gerrit.wikimedia.org/r/511716

Change 511869 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Provide parent proxies support

https://gerrit.wikimedia.org/r/511869

Change 511890 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Fix typo in ssl_multicert template

https://gerrit.wikimedia.org/r/511890

Change 511890 merged by Vgutierrez:
[operations/puppet@production] ATS: Fix typo in ssl_multicert template

https://gerrit.wikimedia.org/r/511890

Change 513970 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Include ATS tls instance in upload_ats role

https://gerrit.wikimedia.org/r/513970

Change 514231 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Fix trafficserver-exporter nrpe check

https://gerrit.wikimedia.org/r/514231

Change 514231 merged by Vgutierrez:
[operations/puppet@production] ATS: Fix trafficserver-exporter nrpe check

https://gerrit.wikimedia.org/r/514231

Change 511869 merged by Vgutierrez:
[operations/puppet@production] ATS: Provide parent proxies support

https://gerrit.wikimedia.org/r/511869

ayounsi removed a subscriber: ayounsi. Jun 4 2019, 3:44 PM

Change 506398 merged by Vgutierrez:
[operations/puppet@production] ATS: Provide a TLS terminator profile

https://gerrit.wikimedia.org/r/506398

Change 529040 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Toggle X-Forwarded-For header

https://gerrit.wikimedia.org/r/529040

Change 529052 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Propagate config_prefix to trafficserver::lua_infra

https://gerrit.wikimedia.org/r/529052

Change 529040 merged by Vgutierrez:
[operations/puppet@production] ATS: Toggle X-Forwarded-For header

https://gerrit.wikimedia.org/r/529040

Change 529052 merged by Vgutierrez:
[operations/puppet@production] ATS: Propagate config_prefix to trafficserver::lua_infra

https://gerrit.wikimedia.org/r/529052

Change 529332 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Fix OCSP stapling configuration

https://gerrit.wikimedia.org/r/529332

Change 529335 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Allow writing OCSP responses in /etc/acmecerts

https://gerrit.wikimedia.org/r/529335

Change 529332 merged by Vgutierrez:
[operations/puppet@production] ATS: Fix OCSP stapling configuration

https://gerrit.wikimedia.org/r/529332

Change 529335 merged by Vgutierrez:
[operations/puppet@production] ATS: Allow writing OCSP responses in /etc/acmecerts

https://gerrit.wikimedia.org/r/529335

Mentioned in SAL (#wikimedia-operations) [2019-08-12T10:07:57Z] <vgutierrez> Upgrade trafficserver to 8.0.3-1wm3 in cp5001 - T221594

Mentioned in SAL (#wikimedia-operations) [2019-08-12T10:47:43Z] <vgutierrez> Upgrade trafficserver to 8.0.3-1wm3 in cp5002 - T221594

Mentioned in SAL (#wikimedia-operations) [2019-08-13T06:11:15Z] <vgutierrez> Upgrading ATS to 8.0.3-1wm3 in cp2002, cp1076, cp3034 and cp4021 - T221594

Mentioned in SAL (#wikimedia-operations) [2019-08-13T09:58:24Z] <vgutierrez> upgrading the rest of cache@upload to 8.0.3-1wm3 - T221594

Change 513970 merged by Vgutierrez:
[operations/puppet@production] ATS: Include TLS instance in cache upload role

https://gerrit.wikimedia.org/r/513970

Change 530848 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: include /var/cache/ocsp in the list of ReadWritePaths

https://gerrit.wikimedia.org/r/530848

Change 530848 merged by Vgutierrez:
[operations/puppet@production] ATS: include /var/cache/ocsp in the list of ReadWritePaths

https://gerrit.wikimedia.org/r/530848

Change 530849 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Allow ATS unit to write on sysconfdir if OCSP is enabled

https://gerrit.wikimedia.org/r/530849

Change 530849 merged by Vgutierrez:
[operations/puppet@production] ATS: Allow ATS unit to write on sysconfdir if OCSP is enabled

https://gerrit.wikimedia.org/r/530849

Change 530853 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Fix traffic_server --run-root parameter value

https://gerrit.wikimedia.org/r/530853

Change 530853 merged by Vgutierrez:
[operations/puppet@production] ATS: Fix traffic_server --run-root parameter value in check_procs check

https://gerrit.wikimedia.org/r/530853

Change 530855 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Fix non-default instance traffic_server path in check_procs check

https://gerrit.wikimedia.org/r/530855

Change 530855 merged by Vgutierrez:
[operations/puppet@production] ATS: Fix non-default instance traffic_server path in check_procs check

https://gerrit.wikimedia.org/r/530855

Change 530886 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Only allow writing on /etc/acmecerts if acme_chief is being used

https://gerrit.wikimedia.org/r/530886

Change 530887 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Only monitor OCSP Stapling freshness for acme_chief if it's being used

https://gerrit.wikimedia.org/r/530887

Change 530886 merged by Vgutierrez:
[operations/puppet@production] ATS: Only allow writing on /etc/acmecerts if acme_chief is being used

https://gerrit.wikimedia.org/r/530886

Change 530887 merged by Vgutierrez:
[operations/puppet@production] ATS: Only monitor OCSP Stapling freshness for acme_chief if it's being used

https://gerrit.wikimedia.org/r/530887

Change 531018 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Disable config status check for TLS instance

https://gerrit.wikimedia.org/r/531018

Change 531027 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Enable TCP Fast Open for the TLS instance

https://gerrit.wikimedia.org/r/531027

Mentioned in SAL (#wikimedia-operations) [2019-08-20T05:55:50Z] <marostegui> Stop MySQL on db2044 for decommissioning - T221594

Change 531018 merged by Vgutierrez:
[operations/puppet@production] ATS: Disable config status check for TLS instance

https://gerrit.wikimedia.org/r/531018

Change 531027 merged by Vgutierrez:
[operations/puppet@production] ATS: Enable TCP Fast Open for the TLS instance

https://gerrit.wikimedia.org/r/531027

Change 531334 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] prometheus: Consider the new layer label for ATS aggregation rules

https://gerrit.wikimedia.org/r/531334

Change 531334 merged by Vgutierrez:
[operations/puppet@production] prometheus: Consider the new layer label for ATS aggregation rules

https://gerrit.wikimedia.org/r/531334