Page MenuHomePhabricator
Create Task
Maniphest T263830

contint.wikimedia.org: add TLS termination
Closed, ResolvedPublic
Actions

Description

contint is one of the very few remaining origin servers available only via plain HTTP, see T108580#6488253. We should make it available via HTTPS instead to ensure that traffic between ATS and contint is encrypted.

Details

SubjectRepoBranchLines +/-
trafficserver: Enable tls on integration.wm.ooperations/puppetproduction+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

ema created this task.Sep 25 2020, 8:12 AM
Restricted Application added a project: SRE. · View Herald TranscriptSep 25 2020, 8:12 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
ema added a parent task: T108580: HTTPS for internal service traffic.Sep 25 2020, 8:26 AM
hashar added a parent task: T210411: Applayer services without TLS.Sep 25 2020, 6:08 PM
Dzahn subscribed.Sep 25 2020, 6:43 PM

This was basically all done:

https://gerrit.wikimedia.org/r/c/operations/puppet/+/591000 tlsproxy::envoy: allow limiting firewall srange
https://gerrit.wikimedia.org/r/c/operations/puppet/+/588973 - ATS: use contint service alias as backend for integration.wm.org
https://gerrit.wikimedia.org/r/c/labs/private/+/589544 add fake contint.wikimedia.org key
https://gerrit.wikimedia.org/r/c/operations/puppet/+/588980 ci::master: add envoy for TLS termination for integration
https://gerrit.wikimedia.org/r/c/operations/puppet/+/589556 add certificate for contint/integration.wikimedia.org
https://gerrit.wikimedia.org/r/c/operations/dns/+/589285 add contint.wikimedia.org service alias for contint machines
https://gerrit.wikimedia.org/r/c/operations/puppet/+/589565 - ATS: switch contint backend to use TLS

except at the end I had to revert

https://gerrit.wikimedia.org/r/c/operations/puppet/+/591325 Revert "ATS: switch contint backend to use TLS"

all that is needed is that last fix

ArielGlenn triaged this task as Medium priority.Sep 28 2020, 9:35 AM
Nintendofan885 added a project: HTTPS.Nov 4 2020, 2:22 PM
ema moved this task from Backlog to Feature Requests on the Traffic board.Nov 24 2020, 3:19 PM
BBlack edited projects, added Traffic-Icebox; removed Traffic.Sep 1 2021, 11:21 PM
BBlack subscribed.

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

gerritbot added a comment.Nov 28 2021, 12:59 PM

Change 742240 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] trafficserver: Enable tls on integration.wm.o

https://gerrit.wikimedia.org/r/742240

gerritbot added a project: Patch-For-Review.Nov 28 2021, 12:59 PM
gerritbot added a comment.Nov 30 2021, 5:06 PM

Change 742240 merged by Jbond:

[operations/puppet@production] trafficserver: Enable tls on integration.wm.o

https://gerrit.wikimedia.org/r/742240

Maintenance_bot removed a project: Patch-For-Review.Nov 30 2021, 5:11 PM
taavi closed this task as Resolved.Nov 30 2021, 5:13 PM
taavi claimed this task.
Dzahn added a comment.Nov 30 2021, 8:42 PM

Wow @Majavah thanks for closing this! :) Just a bit sad that it was still not triaged in CI infra and people probably won't notice.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL