Page MenuHomePhabricator
Create Task
Maniphest T240941

Clean up SSL configuration
Open, MediumPublic
Actions

Description

In the process of trying to document a our SSL configuration I have come across a few inconsistencies which would be good to tidy up.

  • logstash uses base::expose_puppet_certs but doesn't seem to use the certificates
  • a number of services using tlsproxy::localssl should be migrated to profile::tlsproxy::envoy
  • Enable ssl validation for conf tool, possibly add client auth
  • abstract stunnel4 used for rsync and migrate services to it
  • possibly enable TLS verify Peer = yes on the backup servers
  • investigate moving the puppet CA out of the helm charts repo
  • migrate cassandra-ca to certgen
  • investigate/normilise puppet_ssldir() vs facts['puppet_config']['ssldir']
  • cloud instances which have there own puppet master have a value of /var/lib/puppet/client/ssl for puppet_ssldir(). used by base::certificates and base::expose_puppet::certs

Note: Audit is ongoing so this list will likely grow

Details

Show related patches Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT294906 Puppet Improvements
 OpenNoneT240941 Clean up SSL configuration
 OpenNoneT237424 stunnel-wrap all rsync::server usage

Event Timeline

jbond triaged this task as Medium priority.Dec 17 2019, 12:29 PM
jbond created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 17 2019, 12:29 PM
jbond added projects: SRE, Puppet.Dec 17 2019, 12:30 PM
jbond updated the task description. (Show Details)
jbond removed subscribers: Puppet, SRE.
gerritbot added a comment.Dec 17 2019, 12:47 PM

Change 558496 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] logstash: remove base::expose_puppet_certs.

https://gerrit.wikimedia.org/r/558496

gerritbot added a project: Patch-For-Review.Dec 17 2019, 12:47 PM
gerritbot added a comment.Dec 17 2019, 1:05 PM

Change 558501 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] nginx::simple_tlsproxy: remove class

https://gerrit.wikimedia.org/r/558501

jbond updated the task description. (Show Details)Dec 17 2019, 1:38 PM
MoritzMuehlenhoff subscribed.Dec 17 2019, 5:00 PM
gerritbot added a comment.Dec 17 2019, 5:00 PM

Change 558501 merged by Jbond:
[operations/puppet@production] nginx::simple_tlsproxy: remove class

https://gerrit.wikimedia.org/r/558501

jbond updated the task description. (Show Details)Dec 17 2019, 5:41 PM
gerritbot added a comment.Dec 17 2019, 5:41 PM

Change 558496 merged by Jbond:
[operations/puppet@production] logstash: remove base::expose_puppet_certs.

https://gerrit.wikimedia.org/r/558496

CDanis added a subtask: T237424: stunnel-wrap all rsync::server usage.Dec 17 2019, 5:48 PM
Maintenance_bot removed a project: Patch-For-Review.Dec 17 2019, 6:10 PM
jbond updated the task description. (Show Details)Dec 18 2019, 1:04 PM
gerritbot added a comment.Jan 3 2020, 10:46 AM

Change 561816 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] etcd: add paramater type checking and clean up

https://gerrit.wikimedia.org/r/561816

gerritbot added a project: Patch-For-Review.Jan 3 2020, 10:46 AM

Change 561817 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] etcd: enable ssl validation

https://gerrit.wikimedia.org/r/561817

gerritbot added a comment.Jan 3 2020, 10:46 AM

Change 561818 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] etcd: add cert parameter to enable client auth

https://gerrit.wikimedia.org/r/561818

gerritbot added a comment.Jan 3 2020, 10:46 AM

Change 561819 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] etcd: remove username/password

https://gerrit.wikimedia.org/r/561819

gerritbot added a comment.Jan 3 2020, 2:27 PM

Change 561850 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] profile::tlsproxy::envoy: add type checking and defaults

https://gerrit.wikimedia.org/r/561850

Dzahn renamed this task from Clean up SSL configueration to Clean up SSL configuration.Jan 8 2020, 11:17 PM
Dzahn updated the task description. (Show Details)
Dzahn subscribed.
gerritbot added a comment.Jan 10 2020, 11:21 AM

Change 561816 merged by Jbond:
[operations/puppet@production] etcd: add parameter type checking and clean up

https://gerrit.wikimedia.org/r/561816

gerritbot added a comment.Jan 20 2020, 11:30 AM

Change 561817 merged by Jbond:
[operations/puppet@production] etcd: enable ssl validation

https://gerrit.wikimedia.org/r/561817

gerritbot added a comment.Jan 20 2020, 11:35 AM

Change 566009 had a related patch set uploaded (by Jbond; owner: Jbond):
[operations/puppet@production] etcd: enable ssl validation

https://gerrit.wikimedia.org/r/566009

gerritbot added a comment.Jan 20 2020, 1:06 PM

Change 566009 merged by Jbond:
[operations/puppet@production] etcd: enable ssl validation

https://gerrit.wikimedia.org/r/566009

jbond updated the task description. (Show Details)Jan 20 2020, 1:46 PM
gerritbot added a comment.Feb 21 2020, 3:23 PM

Change 574009 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] profile::tlsproxy::envoy: refactor parameters

https://gerrit.wikimedia.org/r/574009

gerritbot added a comment.Feb 21 2020, 3:23 PM

Change 574010 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] profile::tlsproxy::envoy: add support for acme certs

https://gerrit.wikimedia.org/r/574010

gerritbot added a comment.Feb 21 2020, 3:23 PM

Change 574011 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] profile::idp: update profile to use tlsproxy::envoy

https://gerrit.wikimedia.org/r/574011

jbond updated the task description. (Show Details)Feb 21 2020, 3:44 PM

SSL validation has been turned on for conftool however client authentication will need to wait untill we migrate to ectd v3 as RBAC is not optimised in v2

gerritbot added a comment.Feb 21 2020, 3:58 PM

Change 574011 abandoned by Jbond:
profile::idp: update profile to use tlsproxy::envoy

Reason:
chain messed up

https://gerrit.wikimedia.org/r/574011

gerritbot added a comment.Feb 26 2020, 3:07 PM

Change 561850 merged by Jbond:
[operations/puppet@production] profile::tlsproxy::envoy: add type checking and defaults

https://gerrit.wikimedia.org/r/561850

gerritbot added a comment.Feb 26 2020, 3:33 PM

Change 574009 merged by Jbond:
[operations/puppet@production] profile::tlsproxy::envoy: add custom SNI type

https://gerrit.wikimedia.org/r/574009

gerritbot added a comment.Feb 26 2020, 4:48 PM

Change 574010 merged by Jbond:
[operations/puppet@production] profile::tlsproxy::envoy: add support for acme certs

https://gerrit.wikimedia.org/r/574010

gerritbot added a comment.Feb 26 2020, 4:51 PM

Change 574020 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] profile::idp: update profile to use tlsproxy::envoy

https://gerrit.wikimedia.org/r/574020

jbond updated the task description. (Show Details)Mar 3 2020, 10:37 AM
gerritbot added a comment.Mar 20 2020, 11:07 AM

Change 574020 merged by Jbond:
[operations/puppet@production] profile::idp: update profile to use tlsproxy::envoy

https://gerrit.wikimedia.org/r/574020

gerritbot added a comment.Mar 20 2020, 11:30 AM

Change 581996 had a related patch set uploaded (by Jbond; owner: Jbond):
[operations/puppet@production] profile::idp: update profile to use tlsproxy::envoy

https://gerrit.wikimedia.org/r/581996

gerritbot added a comment.Mar 23 2020, 10:37 AM

Change 581996 merged by Jbond:
[operations/puppet@production] profile::idp: update profile to use tlsproxy::envoy

https://gerrit.wikimedia.org/r/581996

gerritbot added a comment.Mar 23 2020, 11:10 AM

Change 582786 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/dns@master] idp: failover IDP to eqiad

https://gerrit.wikimedia.org/r/582786

gerritbot added a comment.Mar 23 2020, 11:29 AM

Change 582786 merged by Jbond:
[operations/dns@master] idp: failover IDP to eqiad

https://gerrit.wikimedia.org/r/582786

jbond moved this task from Active 🚁 to Friday tasks on the User-jbond board.May 27 2021, 4:27 PM
Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 8:59 PM
jbond added a parent task: T294906: Puppet Improvements.Nov 3 2021, 11:54 AM
jbond edited projects, added Infrastructure Security; removed Puppet.Jun 12 2023, 4:55 PM
gerritbot added a comment.Nov 27 2023, 1:56 PM

Change 561818 abandoned by Jbond:

[operations/puppet@production] etcd: add cert parameter to enable client auth

Reason:

not desired

https://gerrit.wikimedia.org/r/561818

gerritbot added a comment.Nov 27 2023, 1:56 PM

Change 561819 abandoned by Jbond:

[operations/puppet@production] etcd: remove username/password

Reason:

not desired

https://gerrit.wikimedia.org/r/561819

Maintenance_bot removed a project: Patch-For-Review.Nov 27 2023, 2:10 PM
Dzahn unsubscribed.Nov 27 2023, 6:03 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL