There seem to be two different ways of retrieving, on all production hosts, the bundle containing the Puppet CA cert and the Root PKI cert:
- The wmf-certificates package uses update-ca-certificates at install time to generate /etc/ssl/certs/wmf-ca-certificates.crt.
- The profile::base::certificates class uses two crt files provided by wmf-certificates (/usr/share/ca-certificates/wikimedia/Puppet_Internal_CA.crt and /usr/share/ca-certificates/wikimedia/Wikimedia_Internal_Root_CA.crt) to generate /etc/ssl/localcerts/wmf_trusted_root_CAs.pem (basically a concat of the two files).
While working on moving Kafka clients to /etc/ssl/localcerts/wmf_trusted_root_CAs.pem, we realized that in the Kubernetes use case it is better to rely on /etc/ssl/certs/wmf-ca-certificates.crt rather than injecting the bundle to helmfile configs (to make it available to Helm).
The profile::base::certificates class also does other important things:
- Creates PKCS12 bundles if needed (using openssl to bundle /etc/ssl/localcerts/wmf_trusted_root_CAs.pem into a .p12 file)
- Creates Java Truststore bundles if needed. Caveat: the Java keytool command used to generate the truststore doesn't accept chained (concatenated) cert files: only the first certificate in the file gets imported, so every certificate needs to be added with its own keytool -importcert call under its own alias (otherwise the truststore ends up missing CAs).
- We need to support Cloud environments too (like deployment-prep), where test PKI instances are deployed. profile::base::certificates supports this use case: it is currently configured to use the right Puppet CA and PKI bundle where needed (only deployment-prep for the moment).
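As an added illustration of the two bundle steps above (this is example shell, not the puppet code in profile::base::certificates): the PEM bundle is split into one file per certificate so that each CA gets its own keytool -importcert call, and the same bundle is wrapped into a certificate-only .p12 with openssl. The input path defaults to /etc/ssl/localcerts/wmf_trusted_root_CAs.pem; the aliases (ca-1, ca-2, ...), the output paths and the demo's placeholder PEM blocks are assumptions made for the example and are not real certificates.

```shell
#!/bin/sh
# Added example, not WMF puppet code. Builds a Java truststore and a PKCS12
# bundle from a multi-certificate PEM file such as
# /etc/ssl/localcerts/wmf_trusted_root_CAs.pem.

# split_pem BUNDLE OUTDIR
#   Writes OUTDIR/cert-1.pem, OUTDIR/cert-2.pem, ... (one certificate each)
#   and prints the number of certificates found. keytool -importcert only
#   reads the first certificate of a file, so this split is what makes the
#   per-certificate import below possible.
split_pem() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n && out                     { print > out }
        /-----END CERTIFICATE-----/  { close(out); out = "" }
        END                          { print n + 0 }
    ' "$bundle"
}

# build_truststore BUNDLE STORE PASSWORD
#   One keytool -importcert call per certificate, each under its own alias
#   (alias scheme "ca-N" is an assumption of this example).
build_truststore() {
    bundle="$1"; store="$2"; pass="$3"
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    count=$(split_pem "$bundle" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -noprompt \
            -keystore "$store" -storepass "$pass" \
            -alias "ca-$i" -file "$tmp/cert-$i.pem" || { rm -rf "$tmp"; return 1; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "imported $count certificate(s) into $store"
}

# build_pkcs12 BUNDLE OUT PASSWORD
#   Certificate-only PKCS12 (no private key), the .p12 trust bundle form.
build_pkcs12() {
    openssl pkcs12 -export -nokeys -in "$1" -out "$2" -passout "pass:$3"
}

# demo: constructed two-certificate bundle (placeholder base64, NOT real
# certificates) to show the split; prints the certificate count.
demo_split() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'UGxhY2Vob2xkZXIgY2VydCBvbmU=' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'UGxhY2Vob2xkZXIgY2VydCB0d28=' '-----END CERTIFICATE-----' \
        > "$d/bundle.pem"
    split_pem "$d/bundle.pem" "$d/out"
    rm -rf "$d"
}

# Usage on a host:
#   build_truststore /etc/ssl/localcerts/wmf_trusted_root_CAs.pem /tmp/truststore.jks changeit
#   build_pkcs12    /etc/ssl/localcerts/wmf_trusted_root_CAs.pem /tmp/truststore.p12 changeit
```

Note that openssl happily consumes the concatenated bundle as-is for the .p12, which is exactly why the two outputs need different handling: only the keytool path has to loop.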
It would be nice to use /etc/ssl/certs/wmf-ca-certificates.crt as much as possible in production, to avoid diverging too much from Kube-land. At the same time, both ways of doing things are needed if we want to support Cloud environments.