Page MenuHomePhabricator
Create Task
Maniphest T248980

Move netflow to TLS encryption/authentication via librdkafka
Closed, ResolvedPublic
Actions

Description

Netflow is currently pushing data from all datacenters to Kafka-Jumbo without TLS. Since pmacct runs in every DC now and is able (via librkafka) to use TLS towards Kafka, I propose the following:

  1. enable TLS encryption to Kafka Jumbo
  2. create a TLS certificate via cergen (puppet CA), like we did for varnishkafka, to authenticate all pmacct to Kafka
  3. Kafka ACLs to allow only pmacct to push data to Kafka Jumbo

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+6 -7Enable TLS encryption to Kafka Jumbo for all pmacct instances
operations/puppetproduction+7 -1profile::pmacct: use kafka TLS connection string when needed
operations/puppetproduction+6 -0Enable TLS encryption to Kafka Jumbo for netflow4001
Customize query in gerrit

Related Objects
Search...

Event Timeline

elukey created this task.Mar 31 2020, 1:36 PM
elukey added a comment.EditedApr 1 2020, 11:50 AM

We could start with TLS encryption only, with:

security.protocol=SSL
ssl.ca.location=/etc/ssl/certs/Puppet_Internal_CA.pem
ssl.cipher.suites=ECDHE-ECDSA-AES256-GCM-SHA384
ssl.curves.list=P-256
ssl.sigalgs.list=ECDSA+SHA256
Stashbot added a comment.Apr 1 2020, 12:17 PM

Mentioned in SAL (#wikimedia-operations) [2020-04-01T12:17:31Z] <XioNoX> restart nfacct on netflow4001 for kafka tls tests - T248980

gerritbot added a comment.Apr 1 2020, 1:31 PM

Change 585223 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] Enable TLS encryption to Kafka Jumbo for netflow4001

https://gerrit.wikimedia.org/r/585223

gerritbot added a project: Patch-For-Review.Apr 1 2020, 1:31 PM
gerritbot added a comment.Apr 1 2020, 1:36 PM

Change 585223 merged by Elukey:
[operations/puppet@production] Enable TLS encryption to Kafka Jumbo for netflow4001

https://gerrit.wikimedia.org/r/585223

gerritbot added a comment.Apr 1 2020, 1:49 PM

Change 585234 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] profile::pmacct: use kafka TLS connection string when needed

https://gerrit.wikimedia.org/r/585234

gerritbot added a comment.Apr 1 2020, 2:14 PM

Change 585234 merged by Elukey:
[operations/puppet@production] profile::pmacct: use kafka TLS connection string when needed

https://gerrit.wikimedia.org/r/585234

Maintenance_bot removed a project: Patch-For-Review.Apr 1 2020, 3:10 PM
gerritbot added a comment.Apr 1 2020, 3:21 PM

Change 585255 had a related patch set uploaded (by Elukey; owner: Elukey):
[operations/puppet@production] Enable TLS encryption to Kafka Jumbo for all pmacct instances

https://gerrit.wikimedia.org/r/585255

gerritbot added a project: Patch-For-Review.Apr 1 2020, 3:21 PM
elukey triaged this task as High priority.Apr 1 2020, 4:24 PM
elukey added a project: Analytics-Kanban.
elukey moved this task from Next Up to In Progress on the Analytics-Kanban board.
gerritbot added a comment.Apr 2 2020, 10:11 AM

Change 585255 merged by Elukey:
[operations/puppet@production] Enable TLS encryption to Kafka Jumbo for all pmacct instances

https://gerrit.wikimedia.org/r/585255

Maintenance_bot removed a project: Patch-For-Review.Apr 2 2020, 11:10 AM
elukey added a comment.Apr 2 2020, 2:26 PM

For the moment I am happy with TLS encryption only, since we'll probably move to kerberos authentication soon and it doesn't make much sense to do TLS client auth first.

elukey set Final Story Points to 5.Apr 2 2020, 2:26 PM
elukey moved this task from In Progress to Done on the Analytics-Kanban board.
Milimetric moved this task from Incoming to Operational Excellence on the Analytics board.Apr 6 2020, 4:15 PM
elukey added a parent task: T250146: Add Authentication/Encryption to Kafka Jumbo's clients.Apr 14 2020, 10:51 AM
Nuria closed this task as Resolved.Apr 27 2020, 8:34 PM
ayounsi mentioned this in T253128: intermittent brief data dropouts for esams netflow data.May 19 2020, 7:28 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL