Move cxserver to use TLS only
Open, Medium, Public

Description

  • Add TLS support to the deployment chart
  • Enable TLS on k8s in production
  • Add additional LVS endpoint configuration
  • Switch services to use the TLS LVS
  • Remove non-TLS LVS endpoint configuration
  • Remove the non-TLS k8s service

Event Timeline

@Joe I think cxserver is missing the last two steps as well, correct?

JMeybohm triaged this task as Medium priority. Jul 21 2020, 7:54 AM

Change 625935 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/deployment-charts@master] cxserver: enable the service proxy in staging

https://gerrit.wikimedia.org/r/625935

Change 626110 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/deployment-charts@master] cxserver: enable the service proxy everywhere

https://gerrit.wikimedia.org/r/626110

Change 625935 merged by jenkins-bot:
[operations/deployment-charts@master] cxserver: enable the service proxy in staging

https://gerrit.wikimedia.org/r/625935

Change 626110 merged by jenkins-bot:
[operations/deployment-charts@master] cxserver: enable the service proxy everywhere

https://gerrit.wikimedia.org/r/626110

Change 627431 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/puppet@production] lvs: Rename cxserver-https to cxserver

https://gerrit.wikimedia.org/r/627431

Change 627432 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/puppet@production] lvs: Remove cxserver non-TLS endpoint from LVS 1/3

https://gerrit.wikimedia.org/r/627432

Change 627433 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/puppet@production] lvs: Remove cxserver non-TLS endpoint from LVS 2/3

https://gerrit.wikimedia.org/r/627433

Change 627434 had a related patch set uploaded (by JMeybohm; owner: JMeybohm):
[operations/puppet@production] lvs: Remove cxserver non-TLS endpoint from LVS 3/3

https://gerrit.wikimedia.org/r/627434

Change 627431 merged by JMeybohm:
[operations/puppet@production] lvs: Rename cxserver-https to cxserver

https://gerrit.wikimedia.org/r/627431

Change 627433 abandoned by JMeybohm:
[operations/puppet@production] lvs: Remove cxserver non-TLS endpoint from LVS 2/3

Reason:

https://gerrit.wikimedia.org/r/627433

Change 627432 merged by JMeybohm:
[operations/puppet@production] lvs: Remove cxserver non-TLS endpoint from LVS 1/3

https://gerrit.wikimedia.org/r/627432

Change 627434 merged by JMeybohm:
[operations/puppet@production] lvs: Remove cxserver non-TLS endpoint from LVS 3/3

https://gerrit.wikimedia.org/r/627434

Mentioned in SAL (#wikimedia-operations) [2020-09-22T07:42:29Z] <jayme> restarting pybal on lvs1016.eqiad.wmnet,lvs2010.codfw.wmnet - T255879 T254581

Mentioned in SAL (#wikimedia-operations) [2020-09-22T07:46:29Z] <jayme> restarting pybal on lvs1015.eqiad.wmnet,lvs2009.codfw.wmnet - T255879 T254581

Mentioned in SAL (#wikimedia-operations) [2020-09-22T07:49:48Z] <jayme> running ipvsadm -D -t 10.2.2.18:8080; ipvsadm -D -t 10.2.2.46:3030 on lvs1016.eqiad.wmnet,lvs1015.eqiad.wmnet - T255879 T254581

Mentioned in SAL (#wikimedia-operations) [2020-09-22T07:51:18Z] <jayme> running ipvsadm -D -t 10.2.1.18:8080; ipvsadm -D -t 10.2.1.46:3030 on lvs2010.codfw.wmnet,lvs2009.codfw.wmnet - T255879 T254581