Page MenuHomePhabricator
Create Task
Maniphest T288470

Replace cassandra-ca-manager with PKI
Closed, ResolvedPublic
Actions

Description

We use cergen for certificate generation in the private repo in most places. We currently still use cassandra-ca-manager for Cassandra and should migrate to using cergen to keep in step with other projects.

Via T329951: Replace expiring Cassandra TLS certificates (restbase[1019-1027]):

"...we could try to use PKI for Cassandra? It would make the cert renewal process less tedious for sure, puppet would take care of most of the burden..." -- @elukey

"...we have an implementation of cfssl (see more details in https://wikitech.wikimedia.org/wiki/PKI/CA_Operations), I am proposing to add a new intermediate (like we did also for Kafka brokers) and use puppet to request certficates from it when needed (like when they are expiring etc..). We'd need to study a way to migrate the clusters over the new certs (and also clients using TLS, if any) but it should be doable :)" -- @elukey

Details

SubjectRepoBranchLines +/-
role::ml_cache::storage: remove legacy_ssl_storage_port_enabled settingoperations/puppetproduction+1 -2
cassandra::instance: use the instance's fqdn as TLS PKI CNoperations/puppetproduction+3 -2
cassandra::instance::monitoring: move cql check to Prometheus for PKIoperations/puppetproduction+25 -9
cassandra::instance::monitoring: move alerts to prometheusoperations/puppetproduction+25 -16
cassandra::instance::monitoring: remove wrong servernameoperations/puppetproduction+0 -1
cassandra::instance::monitoring: add 'cassandra' as servernameoperations/puppetproduction+16 -8
cassandra::instance: add CN:cassandra to all PKI certsoperations/puppetproduction+1 -1
cassandra::instance::monitoring: fix tcp alertoperations/puppetproduction+2 -0
cassandra: add support for shorter TLS cert expiry checksoperations/puppetproduction+21 -6
cassandra: allow to update the keystore password - part twooperations/puppetproduction+4 -0
profile::cassandra: add hiera option for the TLS keystore passwordoperations/puppetproduction+9 -7
cassandra: allow to set the keystore password for 4.xoperations/puppetproduction+4 -0
role::ml_cache::storage: add fake TLS keystore password for PKIlabs/privatemaster+1 -2
role::ml_cache::storage: enable PKI tls certsoperations/puppetproduction+1 -0
role::ml_cache::storage: use pki truststoreoperations/puppetproduction+15 -0
cassandra: add initial support for PKI TLS certs to 4.xoperations/puppetproduction+127 -71
role::pki::multirootca: add the cassandra intermediateoperations/puppetproduction+7 -0
profile::pki::intermediates: add the cassandra public certificateoperations/puppetproduction+22 -0
profile::pki::root_ca: add intermediate for Cassandraoperations/puppetproduction+1 -0
Show related patches Customize query in gerrit

Related Objects

Event Timeline

hnowlan created this task.Aug 9 2021, 4:36 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 9 2021, 4:36 PM
Eevans mentioned this in T307798: Enable Cassandra encryption (inter-node & client).May 6 2022, 3:34 PM
BTullis added subscribers: jbond, elukey, BTullis.May 18 2022, 8:41 AM

I thought that cergen was being deprecated now in favour of the new cfssl based PKI module.

We've recently concluded a project to roll out these certificates to Kafka brokers (e.g. T300130), so it would make sense to me if this system were also used for Cassandra as well.

It's just a thought. I think that @jbond knows most about it and @elukey has a lot of experience rolling it out to Kafka recently. I've used it to a smaller extent with Hive.

jbond added a comment.May 18 2022, 8:54 AM

@BTullis thanks and yes i agree any new migrations should go directly to pki.discovery.wmnet. Happy to help

BTullis added a comment.May 18 2022, 1:06 PM

Thanks @jbond - Do you think it would be better to create a new intermediary for Cassandra, similar to the way we did for Kafka?

jbond added a comment.May 18 2022, 1:13 PM
In T288470#7938289, @BTullis wrote:

Thanks @jbond - Do you think it would be better to create a new intermediary for Cassandra, similar to the way we did for Kafka?

Yes exactly, see https://wikitech.wikimedia.org/wiki/PKI/CA_Operations#Adding_a_new_intermediate

elukey added a comment.May 18 2022, 2:55 PM

The tricky bit is making sure that clients support the Root PKI CA, but I agree that it would be a great improvement for Cassandra!

hnowlan removed hnowlan as the assignee of this task.Aug 25 2022, 4:19 PM
hnowlan removed a project: Platform Team Workboards (Platform Engineering Reliability).Oct 4 2022, 4:30 PM
Eevans renamed this task from Replace cassandra-ca-manager with cergen to Replace cassandra-ca-manager with PKI .Feb 23 2023, 4:59 PM
Eevans triaged this task as Medium priority.
Eevans updated the task description. (Show Details)
Eevans mentioned this in T329951: Replace expiring Cassandra TLS certificates (restbase[1019-1027]).Feb 23 2023, 5:04 PM
elukey mentioned this in T339300: Upgrade ml-cache cluster to Cassandra 4.1.1.Jun 19 2023, 12:32 PM
gerritbot added a comment.Jun 19 2023, 12:34 PM

Change 931264 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] profile::pki::root_ca: add intermediate for Cassandra

https://gerrit.wikimedia.org/r/931264

gerritbot added a project: Patch-For-Review.Jun 19 2023, 12:34 PM
gerritbot added a comment.Jun 19 2023, 12:54 PM

Change 931264 merged by Elukey:

[operations/puppet@production] profile::pki::root_ca: add intermediate for Cassandra

https://gerrit.wikimedia.org/r/931264

gerritbot added a comment.Jun 19 2023, 1:00 PM

Change 931267 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] profile::pkie::intermediates: add the cassandra public certificate

https://gerrit.wikimedia.org/r/931267

gerritbot added a comment.Jun 19 2023, 1:10 PM

Change 931267 merged by Elukey:

[operations/puppet@production] profile::pki::intermediates: add the cassandra public certificate

https://gerrit.wikimedia.org/r/931267

Maintenance_bot removed a project: Patch-For-Review.Jun 19 2023, 1:11 PM
gerritbot added a comment.Jun 19 2023, 1:17 PM

Change 931272 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] role::pki::multirootca: add the cassandra intermediate

https://gerrit.wikimedia.org/r/931272

gerritbot added a project: Patch-For-Review.Jun 19 2023, 1:17 PM

Change 931272 merged by Elukey:

[operations/puppet@production] role::pki::multirootca: add the cassandra intermediate

https://gerrit.wikimedia.org/r/931272

Maintenance_bot removed a project: Patch-For-Review.Jun 19 2023, 1:30 PM
elukey added a comment.Jun 19 2023, 1:48 PM

Created the new intermediate certificate CA called cassandra in our PKI infra.

gerritbot added a comment.Jun 19 2023, 1:48 PM

Change 931276 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] cassandra: add initial support for PKI TLS certs to 4.x

https://gerrit.wikimedia.org/r/931276

gerritbot added a project: Patch-For-Review.Jun 19 2023, 1:49 PM
gerritbot added a comment.Jun 20 2023, 9:33 AM

Change 931292 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] role::ml_cache::storage: enable PKI tls certs

https://gerrit.wikimedia.org/r/931292

elukey added a comment.Jun 21 2023, 12:12 PM

The idea of https://gerrit.wikimedia.org/r/c/operations/puppet/+/931276 is to allow the usage of PKI-based keystores, to replace the custom ones that we build for cassandra.

In order to support the transition from custom CA to PKI, we need to provide each node with a trust-store that can verify PKI and custom CA certs, so we leverage the profile::base::certificate config to build a custom bundle in a java trust store.

gerritbot added a comment.Jun 21 2023, 12:30 PM

Change 931903 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] role::ml_cache::storage: use pki truststore

https://gerrit.wikimedia.org/r/931903

elukey added a comment.Jun 21 2023, 12:37 PM

Filed all changes. To upgrade a cluster, this is the idea:

  1. A new truststore is rolled out, containing Root PKI cert and Custom CA cert to all nodes of a Cassandra cluster.
  2. We upgrade one node at the time, adding its new PKI-based keystore to verify that everything works correctly.
gerritbot added a comment.Jun 23 2023, 8:25 AM

Change 931276 merged by Elukey:

[operations/puppet@production] cassandra: add initial support for PKI TLS certs to 4.x

https://gerrit.wikimedia.org/r/931276

gerritbot added a comment.Jun 23 2023, 8:25 AM

Change 931903 merged by Elukey:

[operations/puppet@production] role::ml_cache::storage: use pki truststore

https://gerrit.wikimedia.org/r/931903

gerritbot added a comment.Jun 23 2023, 8:41 AM

Change 931292 merged by Elukey:

[operations/puppet@production] role::ml_cache::storage: enable PKI tls certs

https://gerrit.wikimedia.org/r/931292

Maintenance_bot removed a project: Patch-For-Review.Jun 23 2023, 9:10 AM
gerritbot added a comment.Jun 23 2023, 9:13 AM

Change 932378 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] profile::cassandra: add hiera option for the TLS keystore password

https://gerrit.wikimedia.org/r/932378

gerritbot added a project: Patch-For-Review.Jun 23 2023, 9:13 AM
gerritbot added a comment.Jun 23 2023, 9:15 AM

Change 932379 had a related patch set uploaded (by Elukey; author: Elukey):

[labs/private@master] role::ml_cache::storage: add fake TLS keystore password for PKI

https://gerrit.wikimedia.org/r/932379

gerritbot added a comment.Jun 23 2023, 9:15 AM

Change 932379 merged by Elukey:

[labs/private@master] role::ml_cache::storage: add fake TLS keystore password for PKI

https://gerrit.wikimedia.org/r/932379

elukey mentioned this in rLPRIc8bd8ce709b3: role::ml_cache::storage: add fake TLS keystore password for PKI.Jun 23 2023, 9:16 AM
gerritbot added a comment.Jun 23 2023, 9:23 AM

Change 932381 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] cassandra: allow to set the keystore password for 4.x

https://gerrit.wikimedia.org/r/932381

gerritbot added a comment.Jun 23 2023, 9:32 AM

Change 932381 merged by Elukey:

[operations/puppet@production] cassandra: allow to set the keystore password for 4.x

https://gerrit.wikimedia.org/r/932381

gerritbot added a comment.Jun 23 2023, 9:32 AM

Change 932378 merged by Elukey:

[operations/puppet@production] profile::cassandra: add hiera option for the TLS keystore password

https://gerrit.wikimedia.org/r/932378

gerritbot added a comment.Jun 23 2023, 9:57 AM

Change 932384 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] cassandra: allow to update the keystore password - part two

https://gerrit.wikimedia.org/r/932384

gerritbot added a comment.Jun 23 2023, 10:00 AM

Change 932384 merged by Elukey:

[operations/puppet@production] cassandra: allow to update the keystore password - part two

https://gerrit.wikimedia.org/r/932384

Maintenance_bot removed a project: Patch-For-Review.Jun 23 2023, 10:11 AM
elukey added a comment.Jun 23 2023, 1:04 PM

The ml-cache clusters are running with PKI!

I have updated https://wikitech.wikimedia.org/wiki/Cassandra#Installing_and_generating_certificates to reflect the new use case.

Recap of what I've done to upgrade ml-cache:

  • I have rolled out a new Truststore via profile::base::certificates to include the PKI root CA cert and the Custom CA root cert (created by cassandra-ca-manager) in a single bundle. The idea is to allow, at any given time, that a Cassandra node can validate TLS connection using certificates emitted by either one of the CAs. All cassandra nodes have been restarted to pick up the new settings.
  • I enabled PKI for Cassandra, and updated every node one by one. During the migration half of the nodes were using certs emitted by cassandra-ca-manager and the other half certs emitted by PKI (and materialized on the nodes via puppet runs), but the clusters were running fine.

Things left to verify/fix:

  1. The TLS certs emitted by the PKI cassandra intermediate CA have a month of validity, so our alarming complains about certs almost expired. We should figure out a way to fix this. Since Cassandra 4+ can automatically pick up new keystores I would extend their validity to more, but we can definitely do it if needed (for kafka we have 6 months but the version that we have doesn't pick up new keystores without restarts, so it would have been annoying to keep a month).
  2. We should verify in a month that Cassandra 4 indeed picks up new keystores without reloading. We can use the ml-cache use case to verify.
  3. We should think about Cassandra clients encrypting their connections to Cassandra nodes, since they will need to support PKI-based certs too. In theory the only change needed is to force them to use a bundle that contains the PKI root CA certificate (provided on all nodes by profile::base::certificate so easy enough).
gerritbot added a comment.Jun 23 2023, 1:36 PM

Change 932413 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] cassandra: add support for shorter TLS cert expiry checks

https://gerrit.wikimedia.org/r/932413

gerritbot added a project: Patch-For-Review.Jun 23 2023, 1:36 PM
gerritbot added a comment.Jun 23 2023, 2:38 PM

Change 932413 merged by Elukey:

[operations/puppet@production] cassandra: add support for shorter TLS cert expiry checks

https://gerrit.wikimedia.org/r/932413

gerritbot added a comment.Jun 23 2023, 2:58 PM

Change 932424 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] cassandra::instance::monitoring: fix tcp alert

https://gerrit.wikimedia.org/r/932424

gerritbot added a comment.Jun 23 2023, 3:18 PM

Change 932424 merged by Elukey:

[operations/puppet@production] cassandra::instance::monitoring: fix tcp alert

https://gerrit.wikimedia.org/r/932424

Maintenance_bot removed a project: Patch-For-Review.Jun 23 2023, 3:30 PM
gerritbot added a comment.Jun 23 2023, 3:34 PM

Change 932427 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] cassandra::instance::monitoring: move alerts to prometheus

https://gerrit.wikimedia.org/r/932427

gerritbot added a project: Patch-For-Review.Jun 23 2023, 3:34 PM
gerritbot added a comment.Jun 26 2023, 8:03 AM

Change 932795 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] cassandra::instance::monitoring: remove wrong servername

https://gerrit.wikimedia.org/r/932795

gerritbot added a comment.Jun 26 2023, 8:05 AM

Change 932795 merged by Elukey:

[operations/puppet@production] cassandra::instance::monitoring: remove wrong servername

https://gerrit.wikimedia.org/r/932795

gerritbot added a comment.Jun 26 2023, 8:41 AM

Change 932799 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] cassandra::instance::monitoring: add 'cassandra' as servername

https://gerrit.wikimedia.org/r/932799

gerritbot added a comment.Jun 26 2023, 8:55 AM

Change 932801 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] cassandra::instance: add CN:cassandra to all PKI certs

https://gerrit.wikimedia.org/r/932801

gerritbot added a comment.Jun 26 2023, 10:49 AM

Change 932801 merged by Elukey:

[operations/puppet@production] cassandra::instance: add CN:cassandra to all PKI certs

https://gerrit.wikimedia.org/r/932801

gerritbot added a comment.Jun 26 2023, 10:56 AM

Change 932799 merged by Elukey:

[operations/puppet@production] cassandra::instance::monitoring: add 'cassandra' as servername

https://gerrit.wikimedia.org/r/932799

elukey added a subscriber: Eevans.Jun 26 2023, 2:44 PM

Some notes:

  • The hot reloading of the keystore seems working from the logs (namely I see some indication that the new file is recognized and loaded) but if I try to inspect the cert via openssl I see the old one and not the new. Not sure why, I'll keep investigating.
  • The prometheus blackbox tcp probes require only one SNI, so we added a cassandra SAN to allow this use case. The new alerts are working fine.
  • The current CN of everyt TLS certificate is the fqdn of the host, not the Cassandra's instance fqdn. This is problematic since a client may fail if the host verification is enabled, since it will check the CN of the cert for the Cassandra instance fqdn, not the host one. I didn't find any trace of the instance fqdns in Puppet, we may need to add them to do things properly.

@Eevans thoughts about the last one?

gerritbot added a comment.Jun 26 2023, 4:37 PM

Change 932427 abandoned by Elukey:

[operations/puppet@production] cassandra::instance::monitoring: move alerts to prometheus

Reason:

the TLS part needs more work, will file a separate change only for cql

https://gerrit.wikimedia.org/r/932427

gerritbot added a comment.Jun 26 2023, 4:41 PM

Change 933134 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] cassandra::instance::monitoring: move cql check to Prometheus for PKI

https://gerrit.wikimedia.org/r/933134

gerritbot added a comment.Jun 27 2023, 6:18 AM

Change 933224 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] cassandra::instance: use the instance's fqdn as TLS PKI CN

https://gerrit.wikimedia.org/r/933224

gerritbot added a comment.Jun 27 2023, 8:51 AM

Change 933134 merged by Elukey:

[operations/puppet@production] cassandra::instance::monitoring: move cql check to Prometheus for PKI

https://gerrit.wikimedia.org/r/933134

elukey added a comment.Jun 27 2023, 9:33 AM
In T288470#8964088, @elukey wrote:

Some notes:

  • The current CN of everyt TLS certificate is the fqdn of the host, not the Cassandra's instance fqdn. This is problematic since a client may fail if the host verification is enabled, since it will check the CN of the cert for the Cassandra instance fqdn, not the host one. I didn't find any trace of the instance fqdns in Puppet, we may need to add them to do things properly.

@Eevans thoughts about the last one?

https://gerrit.wikimedia.org/r/933224

gerritbot added a comment.Jun 27 2023, 10:05 AM

Change 933224 merged by Elukey:

[operations/puppet@production] cassandra::instance: use the instance's fqdn as TLS PKI CN

https://gerrit.wikimedia.org/r/933224

Maintenance_bot removed a project: Patch-For-Review.Jun 27 2023, 10:10 AM
elukey added a comment.Jun 27 2023, 10:28 AM

I rolled out the new certificate to have a different CN (ml-cache1001-a.eqiad.wmnet vs ml-cache1001.eqiad.wmnet) and I see the following on the logs:

INFO  [ScheduledTasks:1] 2023-06-27 10:14:28,302 SSLFactory.java:204 - SSL certificates have been updated for org.apache.cassandra.config.EncryptionOptions$ServerEncryptionOptions. Resetting the ssl contexts for new connections.
INFO  [ScheduledTasks:1] 2023-06-27 10:14:28,334 SSLFactory.java:204 - SSL certificates have been updated for org.apache.cassandra.config.EncryptionOptions. Resetting the ssl contexts for new connections.

That is good, but only the cql cert is updated, not the one used by cassandra instances to talk with themselves:

elukey@ml-cache1002:~$ echo y | openssl s_client -connect ml-cache1002-a.eqiad.wmnet:7001 2>&1 | grep "s:CN"
 0 s:CN = ml-cache1002.eqiad.wmnet
elukey@ml-cache1002:~$ echo y | openssl s_client -connect ml-cache1002-a.eqiad.wmnet:9042 2>&1 | grep "s:CN"
 0 s:CN = ml-cache1002-a.eqiad.wmnet

If I restart the instance the new cert is picked up:

elukey@ml-cache1002:~$ echo y | openssl s_client -connect ml-cache1002-a.eqiad.wmnet:7001 2>&1 | grep "s:CN"
 0 s:CN = ml-cache1002-a.eqiad.wmnet

This is very problematic since we'll need to roll restart cassandra instances, so the hot reload doesn't fully work? @Eevans
am I missing something?

gerritbot added a comment.Jun 27 2023, 1:59 PM

Change 933465 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] role::ml_cache::storage: remove legacy_ssl_storage_port_enabled setting

https://gerrit.wikimedia.org/r/933465

gerritbot added a project: Patch-For-Review.Jun 27 2023, 1:59 PM
gerritbot added a comment.Jun 27 2023, 2:02 PM

Change 933465 merged by Elukey:

[operations/puppet@production] role::ml_cache::storage: remove legacy_ssl_storage_port_enabled setting

https://gerrit.wikimedia.org/r/933465

Maintenance_bot removed a project: Patch-For-Review.Jun 27 2023, 2:10 PM
elukey added a comment.Jun 27 2023, 2:52 PM
In T288470#8966938, @elukey wrote:

I rolled out the new certificate to have a different CN (ml-cache1001-a.eqiad.wmnet vs ml-cache1001.eqiad.wmnet) and I see the following on the logs:

INFO  [ScheduledTasks:1] 2023-06-27 10:14:28,302 SSLFactory.java:204 - SSL certificates have been updated for org.apache.cassandra.config.EncryptionOptions$ServerEncryptionOptions. Resetting the ssl contexts for new connections.
INFO  [ScheduledTasks:1] 2023-06-27 10:14:28,334 SSLFactory.java:204 - SSL certificates have been updated for org.apache.cassandra.config.EncryptionOptions. Resetting the ssl contexts for new connections.

That is good, but only the cql cert is updated, not the one used by cassandra instances to talk with themselves:

elukey@ml-cache1002:~$ echo y | openssl s_client -connect ml-cache1002-a.eqiad.wmnet:7001 2>&1 | grep "s:CN"
 0 s:CN = ml-cache1002.eqiad.wmnet
elukey@ml-cache1002:~$ echo y | openssl s_client -connect ml-cache1002-a.eqiad.wmnet:9042 2>&1 | grep "s:CN"
 0 s:CN = ml-cache1002-a.eqiad.wmnet

If I restart the instance the new cert is picked up:

elukey@ml-cache1002:~$ echo y | openssl s_client -connect ml-cache1002-a.eqiad.wmnet:7001 2>&1 | grep "s:CN"
 0 s:CN = ml-cache1002-a.eqiad.wmnet

This is very problematic since we'll need to roll restart cassandra instances, so the hot reload doesn't fully work? @Eevans
am I missing something?

After setting legacy_ssl_storage_port_enabled to false I've cleaned up tls files on a node, ran puppet and the new cert was picked up by both ports correctly! \o/

elukey closed this task as Resolved.Jun 27 2023, 3:12 PM
elukey claimed this task.

Ok so at this point the support is completed, we just need to figure out if we want to migrate clusters or not.

elukey reopened this task as Open.Jun 27 2023, 3:13 PM

Wrong action, let's figure out if we want to migrate other clusters first :)

Eevans mentioned this in T141541: Certs from cassandra-ca-manager should have the FQDN in cert's CN.Sep 19 2023, 8:03 PM
elukey added a comment.Nov 29 2023, 11:07 AM

@Eevans Do you think that we could migrate AQS and Session store to PKI? If so I can open new tasks and propose a plan :)

Eevans added a comment.Nov 29 2023, 2:43 PM
In T288470#9366377, @elukey wrote:

@Eevans Do you think that we could migrate AQS and Session store to PKI? If so I can open new tasks and propose a plan :)

That would be great; Please do!

elukey closed this task as Resolved.Dec 4 2023, 10:16 AM
elukey mentioned this in T352647: Move Cassandra clusters to PKI.Dec 4 2023, 10:41 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL