Page MenuHomePhabricator
Create Task
Maniphest T227860

TLS certificates for Analytics origin servers
Closed, ResolvedPublic13 Estimated Story Points
Actions

Description

As briefly discussed on irc with @elukey and documented in T210411, we need origin servers to be accessible via TLS. When it comes to Analytics, this should mean that analytics-tool100[1-3] (and possibly others that I might have forgotten?) need to be accessible via https. Certificates should include the following in the X509v3 Subject Alternative Name field:

  • hue.wikimedia.org
  • yarn.wikimedia.org
  • pivot.wikimedia.org
  • turnilo.wikimedia.org
  • superset.wikimedia.org
  • analytics.wikimedia.org
  • stats.wikimedia.org
  • piwik.wikimedia.org

Details

Show related patches Customize query in gerrit

Related Objects

Event Timeline

ema created this task.Jul 12 2019, 9:48 AM
Restricted Application added a project: SRE. · View Herald TranscriptJul 12 2019, 9:48 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
ema triaged this task as Medium priority.Jul 12 2019, 9:48 AM
elukey added a project: User-Elukey.Jul 12 2019, 9:52 AM
ema moved this task from Backlog to Caching on the Traffic board.Jul 12 2019, 9:53 AM
elukey added a subscriber: Ottomata.EditedJul 16 2019, 1:40 PM

The idea that I have is to re-use what done for the appservers, namely put nginx in front of httpd to terminate TLS. We'll re-use the current standards and most recent puppet code for nginx rather than having to configure httpd.

In theory we could:

  • generate one or more certificates as indicated by Ema via cergen, and then add them to private/public puppet (the .crt should go in ssl/files in puppet public, the private key in the private repo IIUC).
  • use tlsproxy::localssl in all the profiles with httpd

@Ottomata thoughts?

elukey claimed this task.Jul 16 2019, 1:41 PM
elukey updated the task description. (Show Details)
elukey updated the task description. (Show Details)
elukey added a project: Analytics-Kanban.
Ottomata added a comment.Jul 16 2019, 2:00 PM

Hm, all for it! Although, do you think it would be worth exploring the built in TLS support in the services where they support it? I'm pretty sure Hue does. Maybe not though, as then each service would need custom configuration to set that up. Using tlsproxy::localssl would unify the config.

elukey added a comment.Jul 16 2019, 2:01 PM
In T227860#5337057, @Ottomata wrote:

Hm, all for it! Although, do you think it would be worth exploring the built in TLS support in the services where they support it? I'm pretty sure Hue does. Maybe not though, as then each service would need custom configuration to set that up. Using tlsproxy::localssl would unify the config.

Yes exactly, we'd have to configure all the services and make sure that they support the standards provided by nginx..

elukey moved this task from Backlog to In Progress on the User-Elukey board.Jul 16 2019, 2:40 PM
gerritbot added a comment.Jul 18 2019, 9:29 AM

Change 524177 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] tlsproxy::instance: allow overriding ssl compatibility mode

https://gerrit.wikimedia.org/r/524177

gerritbot added a project: Patch-For-Review.Jul 18 2019, 9:29 AM
elukey updated the task description. (Show Details)Jul 18 2019, 10:29 AM
gerritbot added a comment.Jul 18 2019, 10:42 AM

Change 524184 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] Add TLS .crt file for Analytics UIs backend services

https://gerrit.wikimedia.org/r/524184

gerritbot added a comment.Jul 18 2019, 10:47 AM

Change 524184 merged by Elukey:
[operations/puppet@production] Add TLS .crt file for Analytics UIs backend services

https://gerrit.wikimedia.org/r/524184

elukey moved this task from Next Up to In Progress on the Analytics-Kanban board.Jul 18 2019, 11:15 AM
gerritbot added a comment.Jul 18 2019, 11:27 AM

Change 524177 merged by Ema:
[operations/puppet@production] tlsproxy::instance: allow overriding ssl compatibility mode

https://gerrit.wikimedia.org/r/524177

Maintenance_bot removed a project: Patch-For-Review.Jul 18 2019, 12:10 PM
gerritbot added a comment.Jul 18 2019, 2:24 PM

Change 524227 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] role::analytics_cluster::hadoop::ui: add TLS proxy

https://gerrit.wikimedia.org/r/524227

gerritbot added a project: Patch-For-Review.Jul 18 2019, 2:24 PM
gerritbot added a comment.Jul 18 2019, 2:32 PM

Change 524227 merged by Elukey:
[operations/puppet@production] role::analytics_cluster::hadoop::ui: add TLS proxy

https://gerrit.wikimedia.org/r/524227

Maintenance_bot removed a project: Patch-For-Review.Jul 18 2019, 3:11 PM
gerritbot added a comment.Jul 18 2019, 3:54 PM

Change 524255 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] role::analytics_cluster::superset: add TLS proxy

https://gerrit.wikimedia.org/r/524255

gerritbot added a project: Patch-For-Review.Jul 18 2019, 3:54 PM
gerritbot added a comment.Jul 18 2019, 4:09 PM

Change 524258 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] role::analytics_cluster::webserver: add TLS proxy

https://gerrit.wikimedia.org/r/524258

gerritbot added a comment.Jul 18 2019, 4:09 PM

Change 524259 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] role::analytics_cluster::turnilo: add TLS proxy

https://gerrit.wikimedia.org/r/524259

Milimetric moved this task from Incoming to Operational Excellence on the Analytics board.Jul 18 2019, 4:50 PM
gerritbot added a comment.Jul 19 2019, 9:49 AM

Change 524482 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: use TLS to connect to analytics-tool hosts

https://gerrit.wikimedia.org/r/524482

gerritbot added a comment.Jul 19 2019, 10:20 AM

Change 524488 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] role::analytics_cluster::ui: add health check for Yarn and Hue

https://gerrit.wikimedia.org/r/524488

gerritbot added a comment.Jul 19 2019, 1:35 PM

Change 524488 merged by Elukey:
[operations/puppet@production] role::analytics_cluster::ui: add health check for Yarn and Hue

https://gerrit.wikimedia.org/r/524488

gerritbot added a comment.Jul 19 2019, 1:47 PM

Change 524516 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] profile::tlsproxy::service: allow to modify the Nagios contact_group

https://gerrit.wikimedia.org/r/524516

gerritbot added a comment.Jul 19 2019, 1:55 PM

Change 524516 merged by Elukey:
[operations/puppet@production] profile::tlsproxy::service: allow to modify the Nagios contact_group

https://gerrit.wikimedia.org/r/524516

gerritbot added a comment.Jul 19 2019, 2:18 PM

Change 524524 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] Update yarn.wikimedia.org's crt file

https://gerrit.wikimedia.org/r/524524

gerritbot added a comment.Jul 19 2019, 2:19 PM

Change 524524 merged by Elukey:
[operations/puppet@production] Update yarn.wikimedia.org's crt file

https://gerrit.wikimedia.org/r/524524

gerritbot added a comment.Jul 19 2019, 2:43 PM

Change 524531 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] superset: move httpd proxy config to a profile

https://gerrit.wikimedia.org/r/524531

gerritbot added a comment.Jul 22 2019, 7:36 AM

Change 524531 merged by Elukey:
[operations/puppet@production] superset: move httpd proxy config to a profile

https://gerrit.wikimedia.org/r/524531

gerritbot added a comment.Jul 22 2019, 1:49 PM

Change 524788 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] role::analytics_cluster::superset: add TLS proxy

https://gerrit.wikimedia.org/r/524788

gerritbot added a comment.Jul 22 2019, 2:01 PM

Change 524788 merged by Elukey:
[operations/puppet@production] role::analytics_cluster::superset: add TLS proxy

https://gerrit.wikimedia.org/r/524788

gerritbot added a comment.Jul 23 2019, 7:53 AM

Change 525039 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] profile::tlsproxy::service: add more granularity in monitoring

https://gerrit.wikimedia.org/r/525039

elukey changed the task status from Open to Stalled.Jul 23 2019, 8:01 AM

Stalled due to https://phabricator.wikimedia.org/T228730

elukey mentioned this in T228730: TLS config issue for nginx on Buster.Jul 23 2019, 1:07 PM
gerritbot added a comment.Jul 23 2019, 1:14 PM

Change 525039 merged by Elukey:
[operations/puppet@production] profile::tlsproxy::service: add more granularity in monitoring

https://gerrit.wikimedia.org/r/525039

elukey changed the task status from Stalled to Open.Jul 30 2019, 1:33 PM
elukey updated the task description. (Show Details)
gerritbot added a comment.Jul 30 2019, 2:00 PM

Change 526428 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] role::druid::turnilo: add TLS proxy

https://gerrit.wikimedia.org/r/526428

gerritbot added a comment.Jul 30 2019, 2:33 PM

Change 526428 merged by Elukey:
[operations/puppet@production] role::druid::turnilo: add TLS proxy

https://gerrit.wikimedia.org/r/526428

gerritbot added a comment.Jul 30 2019, 2:49 PM

Change 526438 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] role::analytics_cluster::webserver: add TLS proxy

https://gerrit.wikimedia.org/r/526438

gerritbot added a comment.Jul 30 2019, 2:52 PM

Change 526438 merged by Elukey:
[operations/puppet@production] role::analytics_cluster::webserver: add TLS proxy

https://gerrit.wikimedia.org/r/526438

elukey updated the task description. (Show Details)Jul 30 2019, 3:15 PM
gerritbot added a comment.Jul 31 2019, 6:00 AM

Change 526602 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] profile::druid::turnilo::proxy: add health check

https://gerrit.wikimedia.org/r/526602

gerritbot added a comment.Jul 31 2019, 6:01 AM

Change 526602 merged by Elukey:
[operations/puppet@production] profile::druid::turnilo::proxy: add health check

https://gerrit.wikimedia.org/r/526602

gerritbot added a comment.Aug 6 2019, 11:25 AM

Change 524259 abandoned by Elukey:
role::analytics_cluster::turnilo: add TLS proxy

https://gerrit.wikimedia.org/r/524259

gerritbot added a comment.Aug 6 2019, 11:25 AM

Change 524258 abandoned by Elukey:
role::analytics_cluster::webserver: add TLS proxy

https://gerrit.wikimedia.org/r/524258

gerritbot added a comment.Aug 6 2019, 11:25 AM

Change 524255 abandoned by Elukey:
role::analytics_cluster::superset: add TLS proxy

https://gerrit.wikimedia.org/r/524255

gerritbot added a comment.Aug 6 2019, 2:42 PM

Change 528490 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] role::piwik: add TLS proxy

https://gerrit.wikimedia.org/r/528490

gerritbot added a comment.Aug 6 2019, 2:49 PM

Change 528490 merged by Elukey:
[operations/puppet@production] role::piwik: add TLS proxy

https://gerrit.wikimedia.org/r/528490

elukey updated the task description. (Show Details)Aug 6 2019, 3:05 PM
elukey set the point value for this task to 13.
elukey moved this task from In Progress to Done on the Analytics-Kanban board.
gerritbot added a comment.Aug 7 2019, 7:44 AM

Change 524482 merged by Ema:
[operations/puppet@production] ATS: use TLS to connect to analytics hosts

https://gerrit.wikimedia.org/r/524482

ema closed this task as Resolved.Aug 7 2019, 7:54 AM

Thank you so much @elukey! ATS is now using TLS only for connections to Analytics origins.

gerritbot added a comment.Aug 7 2019, 7:58 AM

Change 528704 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: use TLS to connect to matomo

https://gerrit.wikimedia.org/r/528704

gerritbot added a comment.Aug 7 2019, 8:01 AM

Change 528704 merged by Ema:
[operations/puppet@production] ATS: use TLS to connect to matomo

https://gerrit.wikimedia.org/r/528704

Maintenance_bot removed a project: Patch-For-Review.Aug 7 2019, 8:10 AM
elukey mentioned this in T240439: Move https termination from nginx to envoy (if possible).Dec 11 2019, 11:02 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL