In order to add TLS termination to services running on k8s we need the following:
- Finish adding the Envoy TLS sidecar everywhere in k8s
- Add the service-proxy capabilities of Envoy to services outside of k8s (@Joe)
  - Add profile::services_proxy::envoy to all roles for applications
  - Modify service::configuration and whatever else is needed to make services only go via Envoy
- Add the service-proxy capabilities of Envoy on k8s
  - T244843 Modify and merge https://gerrit.wikimedia.org/r/#/c/operations/deployment-charts/+/582792/
  - Modify the services configurations to use the service proxy
- For each service (see subtasks):
  - Add a TLS LVS pool
  - Switch the service proxies to use it
  - Remove the non-TLS pool from pybal
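As an added example (not configuration from this task, the deployment-charts change, or the Wikimedia puppet repository), this is an Envoy static configuration of the kind the service-proxy steps above describe: the application connects in plaintext to a listener on localhost, and Envoy forwards the request to the service's TLS pool, verifying the upstream certificate. The service name `example-service.discovery.wmnet`, the local port 6500, the upstream port 4443 and the CA bundle path are assumptions chosen for illustration.

```yaml
# Added example: Envoy service proxy that originates TLS to a service's TLS pool.
# Hostnames, ports and the CA path below are assumptions, not values from the task.
static_resources:
  listeners:
    - name: example_service_local
      address:
        # Only reachable from the host itself; the application talks plaintext to this port.
        socket_address: { address: 127.0.0.1, port_value: 6500 }
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: example_service
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: example_service
                      domains: ["*"]
                      routes:
                        - match: { prefix: "/" }
                          route:
                            cluster: example_service_tls
                            timeout: 5s
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  clusters:
    - name: example_service_tls
      type: STRICT_DNS
      connect_timeout: 1s
      load_assignment:
        cluster_name: example_service_tls
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    # Assumed TLS LVS pool address; the old non-TLS pool would be a different port.
                    socket_address: { address: example-service.discovery.wmnet, port_value: 4443 }
      # Without this transport_socket block the cluster speaks plaintext to the same endpoint,
      # which is the weak configuration the migration removes.
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          # SNI must match the name the pool's certificate was issued for.
          sni: example-service.discovery.wmnet
          common_tls_context:
            validation_context:
              # Without a validation_context Envoy completes the handshake against any
              # certificate: the hop would be encrypted but the upstream not authenticated.
              trusted_ca: { filename: /etc/ssl/certs/ca-certificates.crt }
```

The two settings worth checking on every proxy before the non-TLS pool is removed are `validation_context` and `sni`: Envoy does not verify upstream certificates unless a `validation_context` is configured, and a missing or wrong `sni` fails against pools that serve several names from one address. `envoy --mode validate -c envoy.yaml` confirms the file parses before it is deployed.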
The reason for doing things in this order (specifically, adding the TLS LVS pools last) is to avoid putting too much pressure on pybal by having it health-check too many new pools at once. We could nonetheless get away with only switching MediaWiki's service traffic to TLS, and that should be enough.