⚓ T300033 Use cert-manager for service-proxy certificate creation

Subject	Repo	Branch	Lines +/-
function-orchestrator: Update to ingress.istio:1.1	operations/deployment-charts	master	+8 -47
ingress.istio: Remove trust for every SAN but the default	operations/deployment-charts	master	+28 -68
Add new istio module version	operations/deployment-charts	master	+229 -0
kubernetes: Remove cergen certs from kubernetes secrets	labs/private	master	+0 -40
ml-staging: Enable certmanager for mesh certs by default	operations/puppet	production	+1 -0
function-orchestrator: Update to latest mesh and ingress module	operations/deployment-charts	master	+161 -88
Remove cergen certificate support from mesh module	operations/deployment-charts	master	+50 -108
Add new mesh module versions	operations/deployment-charts	master	+753 -0
Update changeprop to use certmanager certs	operations/deployment-charts	master	+237 -104
Revert "Revert "api-gateway,rest-gateway: Switch to cert-manager certificates""	operations/deployment-charts	master	+85 -2
api-gateway: Add env variables required for envoy SDS	operations/deployment-charts	master	+5 -3
api-gateway,rest-gateway: Switch to cert-manager certificates	operations/deployment-charts	master	+85 -2
Update api-gateway for cert-manager support	operations/deployment-charts	master	+899 -15
api-gateway: use enovy.yaml in place of config.yaml	operations/deployment-charts	master	+7 -8
envoy: use ENTRYPOINT instead of CMD	operations/docker-images/production-images	master	+9 -3
envoy: Allow additional arguments to envoy	operations/docker-images/production-images	master	+8 -1
Update datahub to use certmanager certs	operations/deployment-charts	master	+733 -1 K
Update zotero to use certmanager certs	operations/deployment-charts	master	+336 -132
Update wikifeeds to use certmanager certs	operations/deployment-charts	master	+336 -132
Update eventstreams to use certmanager certs	operations/deployment-charts	master	+342 -132
eventgate: Update mesh module	operations/deployment-charts	master	+339 -133
Update termbox to use certmanager certs	operations/deployment-charts	master	+336 -132
Update benthos to use certmanager certs	operations/deployment-charts	master	+341 -77
Update flink-session-cluster to use certmanager certs	operations/deployment-charts	master	+360 -153
Update developer-portal to use certmanager certs	operations/deployment-charts	master	+337 -137
Update mobileapps to use certmanager certs	operations/deployment-charts	master	+336 -132
tegola-vector-tiles: Re-enable the envoy admin listener on tcp port	operations/deployment-charts	master	+5 -1
Update similar-users to use certmanager certs	operations/deployment-charts	master	+336 -132
Update calculator-service to use certmanager certs	operations/deployment-charts	master	+336 -132
Update shellbox to use certmanager certs	operations/deployment-charts	master	+337 -133
Update recommendation-api to use certmanager certs	operations/deployment-charts	master	+336 -132
mw-on-k8s: Globally enable certmanager certs	operations/deployment-charts	master	+2 -13
mw-api-int: Switch to certmanager certificates	operations/deployment-charts	master	+2 -0
mw-api-ext: Switch to certmanager certificates	operations/deployment-charts	master	+2 -0
mw-jobrunner: Switch to certmanager certificates	operations/deployment-charts	master	+2 -0
mw-web: Switch to certmanager certificates	operations/deployment-charts	master	+2 -0
mw-debug: Switch to certmanager certificates	operations/deployment-charts	master	+77 -1
mw: Move extraFQDNs definition into a separate file	operations/deployment-charts	master	+79 -70
CI: Properly detect changes to link targets in helmfile.d/*services	operations/deployment-charts	master	+20 -2
Add appserver, api and jobrunner SANs to mw deployments	operations/deployment-charts	master	+72 -4
Update tegola-vector-tiles to use certmanager certs	operations/deployment-charts	master	+333 -133
Update push-notifications to use certmanager certs	operations/deployment-charts	master	+334 -134
Update machinetranslation to use certmanager certs	operations/deployment-charts	master	+319 -119
Update chromium-render to use certmanager certs	operations/deployment-charts	master	+334 -134
Update mathoid to use certmanager certs	operations/deployment-charts	master	+244 -64
Update changeprop to use certmanager certs	operations/deployment-charts	master	+332 -132
mesh.certificate: Don't create certificates if mesh is not enabled	operations/deployment-charts	master	+2 -2
Copy mesh.certificate_1.0.0 to 1.0.1	operations/deployment-charts	master	+24 -0
Update miscweb to use certmanager certs	operations/deployment-charts	master	+335 -135
thumbor: Update dependencies to be ready for cert manager	operations/deployment-charts	master	+257 -108
cassandra-http-gateway: use certmanager certs	operations/deployment-charts	master	+329 -126
Update cxserver to use certmanager certs (modules)	operations/deployment-charts	master	+240 -106
Update cxserver to use certmanager certs	operations/deployment-charts	master	+3 -0
Update cxserver to use certmanager certs	operations/deployment-charts	master	+249 -109
Update citoid to use certmanager certs	operations/deployment-charts	master	+235 -105
Update citoid to use certmanager certs	operations/deployment-charts	master	+234 -104
Update blubberoid to use certmanager certs	operations/deployment-charts	master	+238 -105
Don't enable mesh.certmanager for mw deployments	operations/deployment-charts	master	+2 -0
Don't enable mesh.certmanager for mw deployments	operations/deployment-charts	master	+2 -0
Update apertium to use certmanager certs	operations/deployment-charts	master	+237 -107
deployment_server::general: Globally enable mesh.certmanager	operations/puppet	production	+3 -0
CI: Generate deployment fixtures from actual hiera data	operations/deployment-charts	master	+112 -23
mesh.certificate: Ensure the commonName is at most 64 bytes long	operations/deployment-charts	master	+23 -7
deployment_server::global_config: Use symlinks for cluster aliases	operations/puppet	production	+12 -2
Update ipoid to certmanager	operations/deployment-charts	master	+236 -103
deployment_server: Fix structure for certmanager defaults	operations/puppet	production	+48 -39
Testing hack: Override envoy entrypoint	operations/deployment-charts	master	+22 -0
Use cert-manager certificates instead of cergen for tls termination	operations/deployment-charts	master	+155 -14
deployment_server: Bump default envoy image version to 1.23.10-2	operations/puppet	production	+1 -1
deployment_server: Add certmanager defaults	operations/puppet	production	+49 -0
Prepare for new helm module versions	operations/deployment-charts	master	+609 -0
envoy: Add -service-node argument to envoy	operations/docker-images/production-images	master	+27 -1
CI: Run envoy validation with service-node and service-cluster set	operations/deployment-charts	master	+5 -2
Allow deploy users to create ingress and certificate objects	operations/deployment-charts	master	+12 -0

Change 967864 merged by jenkins-bot:

[operations/deployment-charts@master] mw-debug: Switch to certmanager certificates

https://gerrit.wikimedia.org/r/967864

Mentioned in SAL (#wikimedia-operations) [2023-10-23T10:41:12Z] <jayme> switched mw-debug (mw-on-k8s) to certmanager certificates - T300033

Change 967865 merged by jenkins-bot:

[operations/deployment-charts@master] mw-web: Switch to certmanager certificates

https://gerrit.wikimedia.org/r/967865

Mentioned in SAL (#wikimedia-operations) [2023-10-23T12:40:38Z] <jayme> switched mw-web (mw-on-k8s) to certmanager certificates - T300033

Change 967866 merged by jenkins-bot:

[operations/deployment-charts@master] mw-jobrunner: Switch to certmanager certificates

https://gerrit.wikimedia.org/r/967866

Mentioned in SAL (#wikimedia-operations) [2023-10-23T14:05:58Z] <jayme> switched mw-jobrunner (mw-on-k8s) to certmanager certificates - T300033

Change 967867 merged by jenkins-bot:

[operations/deployment-charts@master] mw-api-ext: Switch to certmanager certificates

https://gerrit.wikimedia.org/r/967867

Mentioned in SAL (#wikimedia-operations) [2023-10-23T14:13:58Z] <jayme> switched mw-api-ext (mw-on-k8s) to certmanager certificates - T300033

Change 967868 merged by jenkins-bot:

[operations/deployment-charts@master] mw-api-int: Switch to certmanager certificates

https://gerrit.wikimedia.org/r/967868

Mentioned in SAL (#wikimedia-operations) [2023-10-23T14:26:25Z] <jayme> switched mw-api-int (mw-on-k8s) to certmanager certificates - T300033

Change 967940 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] mw-on-k8s: Globally enable certmanager certs

https://gerrit.wikimedia.org/r/967940

JMeybohm updated the task description. (Show Details)Oct 23 2023, 3:18 PM

Change 967940 merged by jenkins-bot:

[operations/deployment-charts@master] mw-on-k8s: Globally enable certmanager certs

https://gerrit.wikimedia.org/r/967940

Change 967406 merged by jenkins-bot:

[operations/deployment-charts@master] Update recommendation-api to use certmanager certs

https://gerrit.wikimedia.org/r/967406

Change 967410 merged by jenkins-bot:

[operations/deployment-charts@master] Update shellbox to use certmanager certs

https://gerrit.wikimedia.org/r/967410

jijiki updated the task description. (Show Details)Oct 24 2023, 11:18 AM

Change 967403 merged by jenkins-bot:

[operations/deployment-charts@master] Update calculator-service to use certmanager certs

https://gerrit.wikimedia.org/r/967403

Change 967473 merged by jenkins-bot:

[operations/deployment-charts@master] Update similar-users to use certmanager certs

https://gerrit.wikimedia.org/r/967473

JMeybohm updated the task description. (Show Details)Oct 26 2023, 2:12 PM

Change 969141 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] tegola-vector-tiles: Re-enable the envoy admin listener on tcp port

https://gerrit.wikimedia.org/r/969141

Change 969141 merged by jenkins-bot:

[operations/deployment-charts@master] tegola-vector-tiles: Re-enable the envoy admin listener on tcp port

https://gerrit.wikimedia.org/r/969141

Change 967405 merged by jenkins-bot:

[operations/deployment-charts@master] Update mobileapps to use certmanager certs

https://gerrit.wikimedia.org/r/967405

JMeybohm updated the task description. (Show Details)Oct 27 2023, 11:29 AM

JMeybohm updated the task description. (Show Details)

Change 958479 merged by jenkins-bot:

[operations/deployment-charts@master] Update developer-portal to use certmanager certs

https://gerrit.wikimedia.org/r/958479

JMeybohm updated the task description. (Show Details)Oct 27 2023, 2:08 PM

Change 969343 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Update flink-session-cluster to use certmanager certs

https://gerrit.wikimedia.org/r/969343

JMeybohm updated the task description. (Show Details)Oct 27 2023, 2:28 PM

Change 969345 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Update datahub to use certmanager certs

https://gerrit.wikimedia.org/r/969345

Change 969366 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Update benthos to use certmanager certs

https://gerrit.wikimedia.org/r/969366

JMeybohm updated the task description. (Show Details)Oct 27 2023, 2:52 PM

Change 969343 merged by Bking:

[operations/deployment-charts@master] Update flink-session-cluster to use certmanager certs

https://gerrit.wikimedia.org/r/969343

JMeybohm updated the task description. (Show Details)Nov 1 2023, 3:25 PM

Change 969366 merged by jenkins-bot:

[operations/deployment-charts@master] Update benthos to use certmanager certs

https://gerrit.wikimedia.org/r/969366

Change 967412 merged by jenkins-bot:

[operations/deployment-charts@master] Update termbox to use certmanager certs

https://gerrit.wikimedia.org/r/967412

JMeybohm updated the task description. (Show Details)Nov 6 2023, 3:24 PM

Change 959181 merged by jenkins-bot:

[operations/deployment-charts@master] eventgate: Update mesh module

https://gerrit.wikimedia.org/r/959181

Mentioned in SAL (#wikimedia-operations) [2023-11-06T16:41:11Z] <ottomata> beginning deployments of eventgate clusters: mesh and cert chart updates, as well as sleep timeout values for graceful envoy+eventgate container termination - T349823 T300033 T346638

Stashbot mentioned this in T349823: [Event Platform] Gracefully handle pod termination in eventgate Helm chart.Nov 6 2023, 4:41 PM

Stashbot mentioned this in T346638: Rename the envoy's uses_ingress option to sets_sni .

JMeybohm updated the task description. (Show Details)Nov 7 2023, 9:37 AM

Change 967402 merged by jenkins-bot:

[operations/deployment-charts@master] Update eventstreams to use certmanager certs

https://gerrit.wikimedia.org/r/967402

JMeybohm updated the task description. (Show Details)Nov 7 2023, 10:56 AM

Change 967414 merged by jenkins-bot:

[operations/deployment-charts@master] Update wikifeeds to use certmanager certs

https://gerrit.wikimedia.org/r/967414

wikifeeds deployment is blocked by a config change (https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/961696) that was merged but not deployed to production. @Jgiannelos is it safe to deploy to prod?

Change 967415 merged by jenkins-bot:

[operations/deployment-charts@master] Update zotero to use certmanager certs

https://gerrit.wikimedia.org/r/967415

JMeybohm updated the task description. (Show Details)Nov 7 2023, 11:28 AM

Change 969345 merged by jenkins-bot:

[operations/deployment-charts@master] Update datahub to use certmanager certs

https://gerrit.wikimedia.org/r/969345

JMeybohm updated the task description. (Show Details)Nov 7 2023, 11:42 AM

JMeybohm updated the task description. (Show Details)Nov 7 2023, 11:52 AM

JMeybohm updated the task description. (Show Details)Nov 7 2023, 12:17 PM

Change 972404 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Update api-gateway to use certmanager certs

https://gerrit.wikimedia.org/r/972404

JMeybohm updated the task description. (Show Details)Nov 7 2023, 4:36 PM

JMeybohm updated the task description. (Show Details)Nov 8 2023, 2:25 PM

Change 972844 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] api-gateway,rest-gateway: Switch to cert-manager certificates

https://gerrit.wikimedia.org/r/972844

Change 973721 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/docker-images/production-images@master] envoy: Allow additional arguments to envoy

https://gerrit.wikimedia.org/r/973721

JMeybohm changed the task status from Open to Stalled.Nov 13 2023, 9:05 AM

JMeybohm updated the task description. (Show Details)

Change 973721 merged by JMeybohm:

[operations/docker-images/production-images@master] envoy: Allow additional arguments to envoy

https://gerrit.wikimedia.org/r/973721

Change 974662 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/docker-images/production-images@master] envoy: use ENTRYPOINT instead of CMD

https://gerrit.wikimedia.org/r/974662

Change 974662 merged by Hnowlan:

[operations/docker-images/production-images@master] envoy: use ENTRYPOINT instead of CMD

https://gerrit.wikimedia.org/r/974662

Change 976757 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/deployment-charts@master] api-gateway: use enovy.yaml in place of config.yaml

https://gerrit.wikimedia.org/r/976757

Change 976757 merged by jenkins-bot:

[operations/deployment-charts@master] api-gateway: use enovy.yaml in place of config.yaml

https://gerrit.wikimedia.org/r/976757

JMeybohm changed the task status from Stalled to In Progress.Nov 23 2023, 10:12 AM

JMeybohm updated the task description. (Show Details)

Change 972404 merged by jenkins-bot:

[operations/deployment-charts@master] Update api-gateway for cert-manager support

https://gerrit.wikimedia.org/r/972404

Change 972844 merged by jenkins-bot:

[operations/deployment-charts@master] api-gateway,rest-gateway: Switch to cert-manager certificates

https://gerrit.wikimedia.org/r/972844

Change 977195 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Revert "Revert "api-gateway,rest-gateway: Switch to cert-manager certificates""

https://gerrit.wikimedia.org/r/977195

Change 977207 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] api-gateway: Add env variables required for envoy SDS

https://gerrit.wikimedia.org/r/977207

Change 977207 merged by jenkins-bot:

[operations/deployment-charts@master] api-gateway: Add env variables required for envoy SDS

https://gerrit.wikimedia.org/r/977207

Change 977195 merged by jenkins-bot:

[operations/deployment-charts@master] Revert "Revert "api-gateway,rest-gateway: Switch to cert-manager certificates""

https://gerrit.wikimedia.org/r/977195

JMeybohm updated the task description. (Show Details)Nov 27 2023, 12:53 PM

Change 979094 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Add new mesh module versions: certificate, configuration, deployment

https://gerrit.wikimedia.org/r/979094

Change 979095 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Remove cergen certificate support from mesh module

https://gerrit.wikimedia.org/r/979095

Change 980425 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] function-orchestrator: Update to latest mesh and ingress module

https://gerrit.wikimedia.org/r/980425

Change 947802 abandoned by Effie Mouzeli:

[operations/deployment-charts@master] Update changeprop to use certmanager certs

Reason:

marged in I9a6ba71d0894ec49e4ede1d3cac06c5a4bd3b65f

https://gerrit.wikimedia.org/r/947802

Change 979094 merged by jenkins-bot:

[operations/deployment-charts@master] Add new mesh module versions

https://gerrit.wikimedia.org/r/979094

Change 979095 merged by jenkins-bot:

[operations/deployment-charts@master] Remove cergen certificate support from mesh module

https://gerrit.wikimedia.org/r/979095

JMeybohm updated the task description. (Show Details)Dec 6 2023, 1:05 PM

Change 980425 merged by jenkins-bot:

[operations/deployment-charts@master] function-orchestrator: Update to latest mesh and ingress module

https://gerrit.wikimedia.org/r/980425

Change 980891 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[labs/private@master] kubernetes: Remove cergen certs from kubernetes secrets

https://gerrit.wikimedia.org/r/980891

Change 981325 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] ml-staging: Enable certmanager for mesh certs by default

https://gerrit.wikimedia.org/r/981325

Change 981325 merged by Elukey:

[operations/puppet@production] ml-staging: Enable certmanager for mesh certs by default

https://gerrit.wikimedia.org/r/981325

Change 981332 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Add new istio module version

https://gerrit.wikimedia.org/r/981332

Change 981333 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] ingress.istio: Remove trust for every SAN but the default

https://gerrit.wikimedia.org/r/981333

Change 981336 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] function-orchestrator: Update to ingress.istio:1.1

https://gerrit.wikimedia.org/r/981336

Change 980891 merged by JMeybohm:

[labs/private@master] kubernetes: Remove cergen certs from kubernetes secrets

https://gerrit.wikimedia.org/r/980891

JMeybohm mentioned this in rLPRI99e1562863b7: kubernetes: Remove cergen certs from kubernetes secrets.Dec 11 2023, 9:08 AM

Mentioned in SAL (#wikimedia-operations) [2023-12-11T10:03:12Z] <jayme> removed cergen certs of all k8s servies from private puppet in commit d36a97aa23e21824f95d22264d06e2c3bf3c6ac3 - T300033

JMeybohm updated the task description. (Show Details)Dec 11 2023, 10:18 AM

Jdforrester-WMF updated the task description. (Show Details)Dec 11 2023, 2:01 PM

Change 981332 merged by jenkins-bot:

[operations/deployment-charts@master] Add new istio module version

https://gerrit.wikimedia.org/r/981332

Change 981333 merged by jenkins-bot:

[operations/deployment-charts@master] ingress.istio: Remove trust for every SAN but the default

https://gerrit.wikimedia.org/r/981333

Change 981336 merged by jenkins-bot:

[operations/deployment-charts@master] function-orchestrator: Update to ingress.istio:1.1

https://gerrit.wikimedia.org/r/981336

JMeybohm closed this task as Resolved.Dec 11 2023, 5:39 PM

JMeybohm updated the task description. (Show Details)

JMeybohm mentioned this in T363996: Sessionstore's discovery TLS cert will expire before end of May 2024.May 2 2024, 1:52 PM

Use cert-manager for service-proxy certificate creation
Closed, ResolvedPublic
Actions

Description

Details

Related Objects

Event Timeline

	JMeybohm
	Jan 25 2022, 12:36 PM

Use cert-manager for service-proxy certificate creationClosed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

Use cert-manager for service-proxy certificate creation
Closed, ResolvedPublic
Actions