contint is one of the very few remaining origin servers available only via plain HTTP; see T108580#6488253. We should make it available via HTTPS instead to ensure that traffic between ATS and contint is encrypted.
Description
Details
Subject | Repo | Branch | Lines +/- |
---|---|---|---|
trafficserver: Enable tls on integration.wm.o | operations/puppet | production | +1 -1 |
Status | Subtype | Assigned | Task |
---|---|---|---|
Resolved | | ema | T207048 ATS production-ready as a backend cache layer |
Resolved | | ema | T210411 Applayer services without TLS |
Resolved | | ema | T108580 HTTPS for internal service traffic |
Resolved | | taavi | T263830 contint.wikimedia.org: add TLS termination |
Event Timeline
This was basically all done:
https://gerrit.wikimedia.org/r/c/operations/puppet/+/591000 tlsproxy::envoy: allow limiting firewall srange
https://gerrit.wikimedia.org/r/c/operations/puppet/+/588973 - ATS: use contint service alias as backend for integration.wm.org
https://gerrit.wikimedia.org/r/c/labs/private/+/589544 add fake contint.wikimedia.org key
https://gerrit.wikimedia.org/r/c/operations/puppet/+/588980 ci::master: add envoy for TLS termination for integration
https://gerrit.wikimedia.org/r/c/operations/puppet/+/589556 add certificate for contint/integration.wikimedia.org
https://gerrit.wikimedia.org/r/c/operations/dns/+/589285 add contint.wikimedia.org service alias for contint machines
https://gerrit.wikimedia.org/r/c/operations/puppet/+/589565 - ATS: switch contint backend to use TLS
except at the end I had to revert
https://gerrit.wikimedia.org/r/c/operations/puppet/+/591325 Revert "ATS: switch contint backend to use TLS"
all that is needed is that last fix
The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox. Thank you!
Change 742240 had a related patch set uploaded (by Majavah; author: Majavah):
[operations/puppet@production] trafficserver: Enable tls on integration.wm.o
Change 742240 merged by Jbond:
[operations/puppet@production] trafficserver: Enable tls on integration.wm.o
Wow @Majavah thanks for closing this! :) Just a bit sad that it was still not triaged in CI infra and people probably won't notice.