While auditing cross-datacenter traffic in T286038 I came across a few plaintext Kafka connections, including webperf2001 talking to kafka main/jumbo:
```
root@webperf2001:~# ps fwwwaux | grep -i 9092
nobody   24456  3.2  0.9 172636  38748 ?        Ssl  Jul29 1584:59 python3 /srv/deployment/performance/coal/run_coal.py --brokers kafka-jumbo1001.eqiad.wmnet:9092,kafka-jumbo1002.eqiad.wmnet:9092,kafka-jumbo1003.eqiad.wmnet:9092,kafka-jumbo1004.eqiad.wmnet:9092,kafka-jumbo1005.eqiad.wmnet:9092,kafka-jumbo1006.eqiad.wmnet:9092,kafka-jumbo1007.eqiad.wmnet:9092,kafka-jumbo1008.eqiad.wmnet:9092,kafka-jumbo1009.eqiad.wmnet:9092 --consumer-group coal_codfw --schema NavigationTiming --schema SaveTiming --schema PaintTiming --graphite-host graphite-in.eqiad.wmnet --graphite-port 2003 --graphite-prefix coal
root     21191  0.0  0.0  12780    980 pts/0    S+   08:57   0:00  \_ grep -i 9092
nobody   22495 36.1  9.3 451380 377276 ?        Ssl  Aug19 6609:33 /usr/bin/python3 /srv/deployment/performance/navtiming/run_navtiming.py --brokers kafka-jumbo1001.eqiad.wmnet:9092,kafka-jumbo1002.eqiad.wmnet:9092,kafka-jumbo1003.eqiad.wmnet:9092,kafka-jumbo1004.eqiad.wmnet:9092,kafka-jumbo1005.eqiad.wmnet:9092,kafka-jumbo1006.eqiad.wmnet:9092,kafka-jumbo1007.eqiad.wmnet:9092,kafka-jumbo1008.eqiad.wmnet:9092,kafka-jumbo1009.eqiad.wmnet:9092 --consumer-group navtiming --statsd-host statsd.eqiad.wmnet --statsd-port 8125
nobody   21162  1.1  0.5 153132  23240 ?        Ssl  08:57   0:00 /usr/bin/python3 /srv/deployment/statsv/statsv/statsv.py --brokers kafka-main2001.codfw.wmnet:9092,kafka-main2002.codfw.wmnet:9092,kafka-main2003.codfw.wmnet:9092,kafka-main2004.codfw.wmnet:9092,kafka-main2005.codfw.wmnet:9092 --statsd 127.0.0.1:9125 --topics statsv
nobody   21163  0.0  0.4  72228  16256 ?        S    08:57   0:00  \_ /usr/bin/python3 /srv/deployment/statsv/statsv/statsv.py --brokers kafka-main2001.codfw.wmnet:9092,kafka-main2002.codfw.wmnet:9092,kafka-main2003.codfw.wmnet:9092,kafka-main2004.codfw.wmnet:9092,kafka-main2005.codfw.wmnet:9092 --statsd 127.0.0.1:9125 --topics statsv
nobody   21164  0.0  0.4  72228  16700 ?        S    08:57   0:00  \_ /usr/bin/python3 /srv/deployment/statsv/statsv/statsv.py --brokers kafka-main2001.codfw.wmnet:9092,kafka-main2002.codfw.wmnet:9092,kafka-main2003.codfw.wmnet:9092,kafka-main2004.codfw.wmnet:9092,kafka-main2005.codfw.wmnet:9092 --statsd 127.0.0.1:9125 --topics statsv
```
We should be switching these connections to encrypted Kafka (and we can then set proper ACLs too).
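Added here as an illustration, not part of this task or of the coal/navtiming/statsv code: a small Python audit that takes `ps aux`-style output, pulls the `--brokers` list out of every Kafka client on the host, and flags endpoints that use the plaintext listener port, so the same check can be repeated on other hosts and re-run after the clients are migrated. Two assumptions are not on the page: the port convention (9092 as the PLAINTEXT listener and 9093 as the TLS listener, which are Kafka's defaults, so adjust to the cluster's actual listeners), and the sample `ps` rows, which are constructed from the listing above with the broker lists shortened and one hypothetical already-migrated client (`fixed_client.py`) added to show what a clean result looks like.

```python
"""Audit ps output for Kafka clients that are configured with plaintext broker endpoints."""
import re
import shlex
from dataclasses import dataclass, field

# Assumed port convention (not stated in the task): 9092 is Kafka's default
# PLAINTEXT listener, 9093 its default SSL listener. Change to match the cluster.
PLAINTEXT_PORT = 9092
TLS_PORT = 9093

# ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
PS_FIELDS = 11
FOREST_PREFIX = re.compile(r"^(?:\s*\\_)+\s*")        # "\_ " tree markers from ps f
HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+)$")


@dataclass
class Finding:
    pid: int
    user: str
    program: str
    plaintext: list = field(default_factory=list)  # brokers reached without TLS
    tls: list = field(default_factory=list)        # brokers reached over TLS
    other: list = field(default_factory=list)      # unrecognised or missing port


def broker_args(argv):
    """Return the comma-separated broker list passed via --brokers, or []."""
    brokers = []
    for i, arg in enumerate(argv):
        if arg == "--brokers" and i + 1 < len(argv):
            brokers.extend(argv[i + 1].split(","))
        elif arg.startswith("--brokers="):
            brokers.extend(arg.split("=", 1)[1].split(","))
    return [b for b in brokers if b]


def audit(ps_output):
    """Parse ps rows and return one Finding per process that names Kafka brokers."""
    findings = []
    for line in ps_output.splitlines():
        fields = line.split(None, PS_FIELDS - 1)
        if len(fields) < PS_FIELDS or not fields[1].isdigit():
            continue  # header line or not a ps row
        user, pid, command = fields[0], int(fields[1]), fields[10]
        command = FOREST_PREFIX.sub("", command)
        try:
            argv = shlex.split(command)
        except ValueError:
            continue  # unbalanced quoting; not something we can classify
        brokers = broker_args(argv)
        if not brokers:
            continue  # no broker list, e.g. the grep itself
        program = next((a for a in argv if a.endswith(".py")), argv[0])
        finding = Finding(pid=pid, user=user, program=program)
        for broker in brokers:
            m = HOST_PORT.match(broker)
            port = int(m.group("port")) if m else None
            if port == PLAINTEXT_PORT:
                finding.plaintext.append(broker)
            elif port == TLS_PORT:
                finding.tls.append(broker)
            else:
                finding.other.append(broker)
        findings.append(finding)
    return findings


def plaintext_findings(ps_output):
    """Only the processes that still talk to at least one broker in the clear."""
    return [f for f in audit(ps_output) if f.plaintext]


# Constructed sample: rows modelled on the webperf2001 listing, broker lists
# shortened; the last row is a hypothetical client already moved to the TLS port.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
nobody   24456  3.2  0.9 172636 38748 ?        Ssl  Jul29 1584:59 python3 /srv/deployment/performance/coal/run_coal.py --brokers kafka-jumbo1001.eqiad.wmnet:9092,kafka-jumbo1002.eqiad.wmnet:9092 --consumer-group coal_codfw --graphite-host graphite-in.eqiad.wmnet --graphite-port 2003
root     21191  0.0  0.0  12780   980 pts/0    S+   08:57   0:00  \\_ grep -i 9092
nobody   21162  1.1  0.5 153132 23240 ?        Ssl  08:57   0:00 /usr/bin/python3 /srv/deployment/statsv/statsv/statsv.py --brokers kafka-main2001.codfw.wmnet:9092,kafka-main2002.codfw.wmnet:9092 --statsd 127.0.0.1:9125 --topics statsv
nobody   31000  0.4  0.3  90000 12000 ?        Ssl  09:10   0:00 /usr/bin/python3 /srv/deployment/example/fixed_client.py --brokers kafka-main2001.codfw.wmnet:9093,kafka-main2002.codfw.wmnet:9093 --topics statsv
"""

if __name__ == "__main__":
    for f in plaintext_findings(SAMPLE_PS):
        print(f"PLAINTEXT pid={f.pid} user={f.user} {f.program}: {', '.join(f.plaintext)}")
```

On a real host, feed it `ps fwwwaux` output (the `www` flags matter, otherwise long broker lists are truncated and the port never appears). A process that passes the check here is only known to be pointed at the TLS listener; whether it actually verifies the broker certificate is a separate client-configuration question.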