Page MenuHomePhabricator
Create Task
Maniphest T235411

Add TLS termination to services running on kubernetes
Closed, ResolvedPublic
Actions

Description

In order to add TLS termination to services running on k8s we need the following:

  • Finish adding the envoy TLS sidecar everywhere in k8s
  • Add Envoy the service-proxy capabilities on services outside of k8s (@Joe )
    • Add profile::services_proxy::envoy to all roles for applications
    • Modify service::configuration and whatever else is needed to make services only go via envoy
  • Add Envoy the service-proxy capabilities on k8s
  • For each service (see subtasks):
    • Add TLS LVS pool
    • Switch the services proxies to use it
    • Remove the non-TLS pool from pybal

The reason to do things in this order - specifically, adding LVS last - is not to put too much pressure on pybal to check too many things at once. We could nonetheless get away with just switching everything to use TLS for MediaWiki and that should be enough.

Details

ProjectBranchLines +/-Subject
operations/deployment-chartsmaster+1 -1admin: Increase maximum Pod memory to 3Gi
operations/deployment-chartsmaster+6 -0zotero: enable TLS with chart defaults
operations/deployment-chartsmaster+6 -0termbox: enable TLS with chart defaults
operations/deployment-chartsmaster+4 -4termbox: switch to common_templates v0.2
operations/deployment-chartsmaster+269 -250tls_helper: fix the envoy config configmap
operations/deployment-chartsmaster+263 -244mathoid: bump version for fixed template
operations/deployment-chartsmaster+6 -0mathoid: enable TLS with chart defaults
operations/deployment-chartsmaster+264 -245mathoid: switch to common_templates v0.2
operations/deployment-chartsmaster+450 -646termbox: fix wrong TLS port
operations/deployment-chartsmaster+4 -4termbox: deploy up to date chart
operations/deployment-chartsmaster+301 -240zotero: Add TLS termination
operations/deployment-chartsmaster+296 -251termbox: add TLS termination
operations/deployment-chartsmaster+305 -235mathoid: add TLS termination
operations/deployment-chartsmaster+287 -233parsoid: Add TLS termination support
operations/deployment-chartsmaster+6 -0wikifeeds: enable TLS with chart defaults
operations/deployment-chartsmaster+12 -47eventgate: convert to use the common tls templates
operations/deployment-chartsmaster+7 -1_tls_helpers: Use defaults provided in docker image
operations/deployment-chartsmaster+288 -229wikifeeds: Add TLS termination support
operations/deployment-chartsmaster+175 -119citoid: add TLS termination
operations/puppetproduction+1 -1trafficserver::backend: switch to https for cxserver
operations/puppetproduction+21 -0lvs::configuration: add cxserver-https
operations/deployment-chartsmaster+18 -0cxserver: enable TLS in production
operations/deployment-chartsmaster+169 -112cxserver: add TLS termination
operations/deployment-chartsmaster+130 -111blubberoid: release new chart version using the common templates directory
operations/deployment-chartsmaster+45 -74Create common template helpers directory
operations/deployment-chartsmaster+133 -88blubberoid: break TLS functionality into a helper
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
gerritbot added a comment.Dec 10 2019, 9:02 AM

Change 556137 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/deployment-charts@master] blubberoid: release new chart version using the common templates directory

https://gerrit.wikimedia.org/r/556137

Joe closed subtask T237234: Collect metrics from envoy where it is enabled on k8s as Resolved.Dec 16 2019, 10:00 AM
gerritbot added a comment.Dec 16 2019, 10:11 AM

Change 557846 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/deployment-charts@master] cxserver: add TLS termination

https://gerrit.wikimedia.org/r/557846

gerritbot added a comment.Dec 16 2019, 10:11 AM

Change 557847 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/deployment-charts@master] cxserver: enable TLS in production

https://gerrit.wikimedia.org/r/557847

gerritbot added a comment.Dec 16 2019, 2:30 PM

Change 554833 merged by Giuseppe Lavagetto:
[operations/deployment-charts@master] Create common template helpers directory

https://gerrit.wikimedia.org/r/554833

gerritbot added a comment.Dec 16 2019, 2:32 PM

Change 556137 merged by Giuseppe Lavagetto:
[operations/deployment-charts@master] blubberoid: release new chart version using the common templates directory

https://gerrit.wikimedia.org/r/556137

Joe mentioned this in rDEPLOYCHARTS12dc3ee32f47: Create common template helpers directory.Dec 16 2019, 2:37 PM
Joe mentioned this in rDEPLOYCHARTSc0d1a9dce53b: blubberoid: release new chart version using the common templates directory.
gerritbot added a comment.Dec 16 2019, 3:29 PM

Change 558091 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/deployment-charts@master] citoid: add TLS termination

https://gerrit.wikimedia.org/r/558091

gerritbot added a comment.Dec 16 2019, 3:29 PM

Change 558092 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/deployment-charts@master] mathoid: add TLS termination

https://gerrit.wikimedia.org/r/558092

gerritbot added a comment.Dec 16 2019, 3:29 PM

Change 558093 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/deployment-charts@master] termbox: add TLS termination

https://gerrit.wikimedia.org/r/558093

gerritbot added a comment.Dec 16 2019, 3:47 PM

Change 557846 merged by jenkins-bot:
[operations/deployment-charts@master] cxserver: add TLS termination

https://gerrit.wikimedia.org/r/557846

Joe mentioned this in rDEPLOYCHARTSa81c25390d16: cxserver: add TLS termination.Dec 16 2019, 3:48 PM
gerritbot added a comment.Dec 17 2019, 6:54 AM

Change 557847 merged by jenkins-bot:
[operations/deployment-charts@master] cxserver: enable TLS in production

https://gerrit.wikimedia.org/r/557847

Joe mentioned this in rDEPLOYCHARTS9ce4b3c1b152: cxserver: enable TLS in production.Dec 17 2019, 6:56 AM
Joe updated the task description. (Show Details)Dec 19 2019, 2:12 PM
Joe added a comment.Dec 19 2019, 2:15 PM

Port reservations are for now indicated here: https://wikitech.wikimedia.org/wiki/Service_ports

gerritbot added a comment.Dec 19 2019, 2:17 PM

Change 559489 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/puppet@production] lvs::configuration: add cxserver-https

https://gerrit.wikimedia.org/r/559489

gerritbot added a comment.Dec 19 2019, 2:24 PM

Change 559495 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/puppet@production] trafficserver::backend: switch to https for cxserver

https://gerrit.wikimedia.org/r/559495

gerritbot added a comment.Dec 19 2019, 2:32 PM

Change 559489 merged by Giuseppe Lavagetto:
[operations/puppet@production] lvs::configuration: add cxserver-https

https://gerrit.wikimedia.org/r/559489

gerritbot added a comment.Dec 19 2019, 3:03 PM

Change 559495 merged by Giuseppe Lavagetto:
[operations/puppet@production] trafficserver::backend: switch to https for cxserver

https://gerrit.wikimedia.org/r/559495

gerritbot added a comment.Jan 21 2020, 7:01 AM

Change 558091 merged by jenkins-bot:
[operations/deployment-charts@master] citoid: add TLS termination

https://gerrit.wikimedia.org/r/558091

Joe mentioned this in rDEPLOYCHARTS58fac378dcd2: citoid: add TLS termination.Jan 21 2020, 7:07 AM
Joe closed subtask T236008: New Deployment charts should allow exposing services via TLS as Resolved.Apr 9 2020, 3:54 PM
JMeybohm added a subscriber: JMeybohm.May 6 2020, 12:34 PM
gerritbot added a comment.May 7 2020, 10:36 AM

Change 594924 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] wikifeeds: Add TLS termination support

https://gerrit.wikimedia.org/r/594924

JMeybohm claimed this task.May 7 2020, 10:38 AM
gerritbot added a comment.May 7 2020, 2:35 PM

Change 594924 merged by JMeybohm:
[operations/deployment-charts@master] wikifeeds: Add TLS termination support

https://gerrit.wikimedia.org/r/594924

gerritbot added a comment.May 8 2020, 9:26 AM

Change 595144 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] wikifeeds: enable TLS with chart defaults

https://gerrit.wikimedia.org/r/595144

gerritbot added a comment.May 8 2020, 9:31 AM

Change 594922 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] _tls_helpers: Use defaults provided in docker image

https://gerrit.wikimedia.org/r/594922

gerritbot added a comment.May 8 2020, 9:33 AM

Change 594922 merged by jenkins-bot:
[operations/deployment-charts@master] _tls_helpers: Use defaults provided in docker image

https://gerrit.wikimedia.org/r/594922

gerritbot added a comment.May 11 2020, 11:20 AM

Change 595505 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] parsoid: Add TLS termination support

https://gerrit.wikimedia.org/r/595505

gerritbot added a comment.May 11 2020, 11:57 AM

Change 554834 abandoned by JMeybohm:
eventgate: convert to use the common tls templates

Reason:
superseded by I5d9ab4069f1087fa41e0d8a5290789cee1d434d8

https://gerrit.wikimedia.org/r/554834

gerritbot added a comment.May 11 2020, 2:21 PM

Change 595144 merged by jenkins-bot:
[operations/deployment-charts@master] wikifeeds: enable TLS with chart defaults

https://gerrit.wikimedia.org/r/595144

gerritbot added a comment.May 12 2020, 8:28 AM

Change 595505 abandoned by JMeybohm:
parsoid: Add TLS termination support

Reason:
Chart is not deployed but only used in dev environments

https://gerrit.wikimedia.org/r/595505

gerritbot added a comment.May 12 2020, 10:34 AM

Change 595900 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] zotero: Add TLS termination

https://gerrit.wikimedia.org/r/595900

gerritbot added a comment.May 13 2020, 10:13 AM

Change 558092 merged by jenkins-bot:
[operations/deployment-charts@master] mathoid: add TLS termination

https://gerrit.wikimedia.org/r/558092

gerritbot added a comment.May 13 2020, 2:29 PM

Change 558093 merged by JMeybohm:
[operations/deployment-charts@master] termbox: add TLS termination

https://gerrit.wikimedia.org/r/558093

gerritbot added a comment.May 13 2020, 3:06 PM

Change 596227 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] termbox: deploy up to date chart

https://gerrit.wikimedia.org/r/596227

gerritbot added a comment.May 14 2020, 8:06 AM

Change 595900 merged by jenkins-bot:
[operations/deployment-charts@master] zotero: Add TLS termination

https://gerrit.wikimedia.org/r/595900

JMeybohm mentioned this in T245092: Citoid inserts bad information from Indian news sites.May 14 2020, 9:11 AM
gerritbot added a comment.May 18 2020, 8:21 AM

Change 596227 merged by JMeybohm:
[operations/deployment-charts@master] termbox: deploy up to date chart

https://gerrit.wikimedia.org/r/596227

Maintenance_bot removed a project: Patch-For-Review.May 18 2020, 9:10 AM
gerritbot added a comment.May 18 2020, 10:21 AM

Change 597032 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] mathoid: enable TLS with chart defaults

https://gerrit.wikimedia.org/r/597032

gerritbot added a project: Patch-For-Review.May 18 2020, 10:21 AM
gerritbot added a comment.May 18 2020, 10:37 AM

Change 597034 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] termbox: fix wrong TLS port

https://gerrit.wikimedia.org/r/597034

gerritbot added a comment.May 18 2020, 10:37 AM

Change 597035 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] termbox: enable TLS with chart defaults

https://gerrit.wikimedia.org/r/597035

gerritbot added a comment.May 18 2020, 10:46 AM

Change 597036 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] zotero: enable TLS with chart defaults

https://gerrit.wikimedia.org/r/597036

gerritbot added a comment.May 18 2020, 2:46 PM

Change 597034 merged by JMeybohm:
[operations/deployment-charts@master] termbox: fix wrong TLS port

https://gerrit.wikimedia.org/r/597034

gerritbot added a comment.May 19 2020, 9:27 AM

Change 597230 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] mathoid: switch to common_templates v0.2

https://gerrit.wikimedia.org/r/597230

gerritbot added a comment.May 19 2020, 9:52 AM

Change 597230 merged by JMeybohm:
[operations/deployment-charts@master] mathoid: switch to common_templates v0.2

https://gerrit.wikimedia.org/r/597230

gerritbot added a comment.May 19 2020, 10:12 AM

Change 597032 merged by JMeybohm:
[operations/deployment-charts@master] mathoid: enable TLS with chart defaults

https://gerrit.wikimedia.org/r/597032

gerritbot added a comment.May 19 2020, 12:57 PM

Change 597275 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] mathoid: bump version for fixed template

https://gerrit.wikimedia.org/r/597275

gerritbot added a comment.May 19 2020, 1:07 PM

Change 597275 merged by JMeybohm:
[operations/deployment-charts@master] mathoid: bump version for fixed template

https://gerrit.wikimedia.org/r/597275

gerritbot added a comment.May 19 2020, 4:32 PM

Change 597303 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] tls_helper: fix the envoy config configmap

https://gerrit.wikimedia.org/r/597303

gerritbot added a comment.May 20 2020, 8:44 AM

Change 597303 merged by jenkins-bot:
[operations/deployment-charts@master] tls_helper: fix the envoy config configmap

https://gerrit.wikimedia.org/r/597303

JMeybohm added a comment.May 20 2020, 4:49 PM

TLS enabled mathoid is corrently deployed in staging and codfw k8s clusters but not in eqiad. CPU throttling has increased a lot (due to the added envoy throttling * 30 replicas) and I see an significant increase in p99 compared to the last two days (where it was lower than usual, it seems).

JMeybohm added a comment.May 22 2020, 9:28 AM
In T235411#6153075, @JMeybohm wrote:

TLS enabled mathoid is corrently deployed in staging and codfw k8s clusters but not in eqiad. CPU throttling has increased a lot (due to the added envoy throttling * 30 replicas) and I see an significant increase in p99 compared to the last two days (where it was lower than usual, it seems).

p99 looks normal long term, so I've deployed to eqiad as well now.

gerritbot added a comment.May 22 2020, 12:51 PM

Change 598037 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] termbox: switch to common_templates v0.2

https://gerrit.wikimedia.org/r/598037

gerritbot added a comment.May 22 2020, 12:58 PM

Change 598037 merged by jenkins-bot:
[operations/deployment-charts@master] termbox: switch to common_templates v0.2

https://gerrit.wikimedia.org/r/598037

gerritbot added a comment.May 25 2020, 8:03 AM

Change 597035 merged by jenkins-bot:
[operations/deployment-charts@master] termbox: enable TLS with chart defaults

https://gerrit.wikimedia.org/r/597035

gerritbot added a comment.May 25 2020, 8:50 AM

Change 597036 merged by jenkins-bot:
[operations/deployment-charts@master] zotero: enable TLS with chart defaults

https://gerrit.wikimedia.org/r/597036

Maintenance_bot removed a project: Patch-For-Review.May 25 2020, 9:10 AM
gerritbot added a comment.May 25 2020, 10:04 AM

Change 598435 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/deployment-charts@master] admin: Increase maximum Pod memory to 3Gi

https://gerrit.wikimedia.org/r/598435

gerritbot added a project: Patch-For-Review.May 25 2020, 10:04 AM
gerritbot added a comment.May 25 2020, 12:48 PM

Change 598435 merged by jenkins-bot:
[operations/deployment-charts@master] admin: Increase maximum Pod memory to 3Gi

https://gerrit.wikimedia.org/r/598435

Maintenance_bot removed a project: Patch-For-Review.May 25 2020, 1:11 PM
JMeybohm added a project: Prod-Kubernetes.May 26 2020, 7:25 AM
JMeybohm updated the task description. (Show Details)
JMeybohm added a subtask: T253396: Upgrade all TLS enabled charts to v0.2 tls_helper.May 27 2020, 8:03 AM
JMeybohm updated the task description. (Show Details)Jun 22 2020, 7:59 AM
JMeybohm updated the task description. (Show Details)Jun 22 2020, 8:05 AM
JMeybohm closed subtask T253396: Upgrade all TLS enabled charts to v0.2 tls_helper as Resolved.Jun 30 2020, 9:42 AM
JMeybohm reopened subtask T253396: Upgrade all TLS enabled charts to v0.2 tls_helper as Open.Jun 30 2020, 11:32 AM
JMeybohm closed subtask T253396: Upgrade all TLS enabled charts to v0.2 tls_helper as Resolved.Jul 2 2020, 8:18 AM
jijiki moved this task from Incoming 🐫 to 🔦Unused2 on the serviceops board.Aug 17 2020, 11:47 PM
JMeybohm moved this task from 🔦Unused2 to Unused 🥌 on the serviceops board.Aug 18 2020, 10:01 AM
JMeybohm closed subtask T255874: Move eventstreams to use TLS only as Resolved.Sep 3 2020, 9:33 AM
sbassett mentioned this in T246712: Security Readiness Review for push notifications infrastructure.Sep 4 2020, 10:02 PM
Jgiannelos mentioned this in T262651: Ensure that push-notifications requires TLS .Sep 11 2020, 9:35 AM
akosiaris closed subtask T255877: Move proton to use TLS only as Resolved.Oct 1 2020, 12:52 PM
sbassett mentioned this in T264101: Find a way for the push service to authenticate to MediaWiki in beta and production.Oct 22 2020, 9:48 PM
JMeybohm closed subtask T254581: Move termbox to use TLS only as Resolved.Dec 7 2020, 1:07 PM
JMeybohm closed subtask T236017: Move blubberoid to use TLS only. as Resolved.Dec 7 2020, 1:11 PM
JMeybohm reopened subtask T236017: Move blubberoid to use TLS only. as Open.
JMeybohm reopened subtask T254581: Move termbox to use TLS only as Open.
JMeybohm closed subtask T255876: Move mobileapps to use TLS only as Resolved.Aug 30 2021, 7:55 AM
JMeybohm closed subtask T255870: Move eventgate-analytics to use TLS only as Resolved.Aug 30 2021, 8:05 AM
JMeybohm closed subtask T255872: Move eventgate-logging-external to use TLS only as Resolved.
JMeybohm closed subtask T255873: Move eventgate-main to use TLS only as Resolved.
JMeybohm closed subtask T255871: Move eventgate services to use TLS only as Resolved.Sep 1 2021, 8:06 AM
JMeybohm closed subtask T255879: Move cxserver to use TLS only as Resolved.Sep 2 2021, 2:40 PM
JMeybohm closed subtask T255878: Move wikifeeds to use TLS only as Resolved.
JMeybohm closed subtask T255869: Move zotero to use TLS only as Resolved.
JMeybohm closed subtask T255868: Move citoid to use TLS only as Resolved.
JMeybohm closed subtask T254581: Move termbox to use TLS only as Resolved.
JMeybohm closed subtask T236017: Move blubberoid to use TLS only. as Resolved.
JMeybohm closed this task as Resolved.Sep 3 2021, 11:52 AM
JMeybohm closed subtask T255875: Move mathoid to use TLS only as Resolved.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL