Page MenuHomePhabricator
Create Task
Maniphest T281369

Additional CFSSL tasks
Closed, ResolvedPublic
Actions

Description

Parent task to track additional work required for cfssl

  • backup private key
  • add certs to /etc/ssl/certs
  • add profile::pki::client to profile::base
  • create check for ocsp and crl
  • update cfssl-cert so it can clean out expired certificates
  • Renew certificates based on the 1/2 time or some other relative value instead of a harcoded minimum
  • investigate switching ganati cluster certificates to cfssl
  • create a real pki.discovery address using active active

Details

SubjectRepoBranchLines +/-
backups: Fix typo on fileset name, resulting on no backups scheduledoperations/puppetproduction+0 -0
P:pki::client: explicitly include P:pki::clinetoperations/puppetproduction+9 -4
P:pki::client: ensure profile is ensureableoperations/puppetproduction+6 -3
P:pki::multirootca: Add timer to clean expired certificatesoperations/puppetproduction+7 -0
cfssl-certs: also clean out ocsp responsesoperations/puppetproduction+4 -2
P:pki::multirootca: create a bool to control where cron jobs runoperations/puppetproduction+41 -42
backups: Fix typo on fileset name, resulting on no backups scheduledoperations/puppetproduction+1 -1
P:pki::root_ca: enable backupsoperations/puppetproduction+51 -43
P:base::certificates: Add pki certs to default trust storeoperations/puppetproduction+22 -5
Customize query in gerrit

Related Objects
Search...

Event Timeline

jbond created this task.Apr 28 2021, 2:22 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 28 2021, 2:22 PM
jbond added a subtask: T281366: Revoke debmonitor.discovery.wmnet.Apr 28 2021, 2:22 PM
jbond triaged this task as Medium priority.Apr 28 2021, 2:25 PM
jbond updated the task description. (Show Details)Apr 28 2021, 3:14 PM
gerritbot added a comment.Apr 29 2021, 11:08 AM

Change 683578 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] P:pki::root_ca: enable backups

https://gerrit.wikimedia.org/r/683578

gerritbot added a project: Patch-For-Review.Apr 29 2021, 11:08 AM
jbond updated the task description. (Show Details)Apr 29 2021, 11:53 AM
gerritbot added a comment.Apr 29 2021, 11:53 AM

Change 683583 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] P:base::certificates: Add pki certs to default trust store

https://gerrit.wikimedia.org/r/683583

MoritzMuehlenhoff subscribed.Apr 29 2021, 11:56 AM
gerritbot added a comment.Apr 29 2021, 12:01 PM

Change 683583 merged by Jbond:

[operations/puppet@production] P:base::certificates: Add pki certs to default trust store

https://gerrit.wikimedia.org/r/683583

gerritbot added a comment.Apr 29 2021, 3:43 PM

Change 683578 merged by Jbond:

[operations/puppet@production] P:pki::root_ca: enable backups

https://gerrit.wikimedia.org/r/683578

Maintenance_bot removed a project: Patch-For-Review.Apr 29 2021, 4:11 PM
jbond updated the task description. (Show Details)Apr 30 2021, 2:22 PM
jbond added a subtask: T281371: Request Project (cfssl-pki) for pki tasks.
gerritbot added a comment.May 3 2021, 9:16 AM

Change 684298 had a related patch set uploaded (by Jcrespo; author: Jcrespo):

[operations/puppet@production] backups: Fix typo on fileset name, resulting on no backups scheduled

https://gerrit.wikimedia.org/r/684298

gerritbot added a project: Patch-For-Review.May 3 2021, 9:16 AM
gerritbot added a comment.May 3 2021, 9:19 AM

Change 684300 had a related patch set uploaded (by Jcrespo; author: Jcrespo):

[operations/puppet@production] backups: Fix typo on fileset name, resulting on no backups scheduled

https://gerrit.wikimedia.org/r/684300

gerritbot added a comment.May 3 2021, 9:49 AM

Change 684298 merged by Jcrespo:

[operations/puppet@production] backups: Fix typo on fileset name, resulting on no backups scheduled

https://gerrit.wikimedia.org/r/684298

jbond closed subtask T281376: Add PKI root CA to ca-certificates via puppet as Resolved.May 4 2021, 12:28 PM
jbond updated the task description. (Show Details)May 4 2021, 1:31 PM
jbond updated the task description. (Show Details)May 4 2021, 1:34 PM
jbond updated the task description. (Show Details)May 4 2021, 1:39 PM
jbond closed subtask T281366: Revoke debmonitor.discovery.wmnet as Resolved.May 4 2021, 3:46 PM
gerritbot added a comment.May 4 2021, 3:48 PM

Change 684973 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] P:pki::multirootca: create a bool to control where cron jobs run

https://gerrit.wikimedia.org/r/684973

gerritbot added a comment.May 4 2021, 4:15 PM

Change 684973 merged by Jbond:

[operations/puppet@production] P:pki::multirootca: create a bool to control where cron jobs run

https://gerrit.wikimedia.org/r/684973

gerritbot added a comment.May 4 2021, 4:25 PM

Change 684985 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] cfssl-certs: also clean out ocsp responses

https://gerrit.wikimedia.org/r/684985

gerritbot added a comment.May 4 2021, 4:27 PM

Change 684985 merged by Jbond:

[operations/puppet@production] cfssl-certs: also clean out ocsp responses

https://gerrit.wikimedia.org/r/684985

jbond closed subtask T281370: Create a discover CA as Resolved.May 4 2021, 4:30 PM
gerritbot added a comment.May 4 2021, 5:54 PM

Change 685026 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] P:pki::multirootca: Add timer to clean expired certificates

https://gerrit.wikimedia.org/r/685026

gerritbot added a comment.May 5 2021, 10:17 AM

Change 685026 merged by Jbond:

[operations/puppet@production] P:pki::multirootca: Add timer to clean expired certificates

https://gerrit.wikimedia.org/r/685026

Aklapper closed subtask T281371: Request Project (cfssl-pki) for pki tasks as Resolved.May 6 2021, 11:06 AM
gerritbot added a comment.May 6 2021, 11:16 AM

Change 685755 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] P:pki::client: ensure profile is ensureable

https://gerrit.wikimedia.org/r/685755

gerritbot added a comment.May 6 2021, 11:35 AM

Change 685755 merged by Jbond:

[operations/puppet@production] P:pki::client: ensure profile is ensureable

https://gerrit.wikimedia.org/r/685755

gerritbot added a comment.May 6 2021, 11:41 AM

Change 685756 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] P:pki::client: explicitly include P:pki::clinet

https://gerrit.wikimedia.org/r/685756

gerritbot added a comment.May 6 2021, 12:45 PM

Change 685756 merged by Jbond:

[operations/puppet@production] P:pki::client: explicitly include P:pki::clinet

https://gerrit.wikimedia.org/r/685756

jbond updated the task description. (Show Details)May 6 2021, 3:29 PM
jbond updated the task description. (Show Details)May 7 2021, 12:57 PM
jbond updated the task description. (Show Details)
jbond added a project: CFSSL-PKI.
jbond closed subtask T281377: debmonitor.discovery.wmnet: Generate server cetificate via cfssl as Resolved.Jun 1 2021, 2:52 PM
jbond added a project: User-jbond.
jbond moved this task from Unsorted 💣 to planned on the User-jbond board.Jun 1 2021, 2:59 PM
jbond updated the task description. (Show Details)Jun 1 2021, 3:41 PM
gerritbot added a comment.Jun 17 2021, 10:47 AM

Change 684300 abandoned by Jcrespo:

[operations/puppet@production] backups: Fix typo on fileset name, resulting on no backups scheduled

Reason:

Done elsewhere, detected after rebase

https://gerrit.wikimedia.org/r/684300

Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 8:59 PM
jbond added a comment.Jul 19 2021, 2:35 PM

investigate switching ganati cluster certificates to cfssl

As far as i can tell the only thing that uses RAPI are netbox and the nrpe check. As such this should be a fairly safe service to change. Further as its not providing any client auth i think the discovery CA is fine

Aklapper removed a project: Patch-For-Review.Sep 17 2023, 3:45 PM
jbond updated the task description. (Show Details)Nov 6 2023, 3:41 PM
jbond closed this task as Resolved.Nov 20 2023, 4:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL