In the process of trying to document our SSL configuration I have come across a few inconsistencies which would be good to tidy up.
- logstash uses base::expose_puppet_certs but doesn't seem to use the certificates
- a number of services using tlsproxy::localssl should be migrated to profile::tlsproxy::envoy
- enable SSL validation for conftool, possibly add client auth
- abstract stunnel4 used for rsync and migrate services to it
- possibly enable TLS verify Peer = yes on the backup servers
- investigate moving the puppet CA out of the helm charts repo
- migrate cassandra-ca to certgen
- investigate/normalise puppet_ssldir() vs facts['puppet_config']['ssldir']
- cloud instances which have their own puppet master have a value of /var/lib/puppet/client/ssl for puppet_ssldir(). Used by base::certificates and base::expose_puppet_certs
Note: Audit is ongoing so this list will likely grow