Page MenuHomePhabricator
Create Task
Maniphest T307382

Modernize etcd tlsproxy certificate management
Open, In Progress, MediumPublic
Actions

Description

profile::etcd::tlsproxy do not use cergen certs directly, but both codfw and eqiad have been rotated using cergen-generated certs manually placed in profile/files/ssl/ and keys placed in the private ssl dir.

Is all that needs to be done is set use_cergen => true?

Details

SubjectRepoBranchLines +/-
P:etcd::tlsproxy: move to cfssl pkioperations/puppetproduction+6 -7
delete expired certs etcd.eqiad.wmnet.crt and etcd.codfw.wmnet.crtoperations/puppetproduction+0 -56
etcd::tlsproxy: set use_cergen to trueoperations/puppetproduction+2 -1
add fake certificates and keys for etcd-v3.eqiad and etcd-v3.codfwlabs/privatemaster+4 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedJoeT302153 Renew puppet cert for etcd.codfw.wmnet
 In ProgressNoneT307382 Modernize etcd tlsproxy certificate management

Event Timeline

colewhite created this task.May 2 2022, 5:35 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 2 2022, 5:35 PM
colewhite added a parent task: T302153: Renew puppet cert for etcd.codfw.wmnet.May 2 2022, 5:35 PM
colewhite mentioned this in T307383: Certificate expiration monitoring.May 2 2022, 5:39 PM
Dzahn added a comment.May 2 2022, 5:50 PM

We have to differentiate between:

profile::etcd::tlsproxy

and

profile::etcd::v3

both have a sslcert::certificate but there is the comment

# TLS certs *for etcd use* in peer-to-peer communications.
# Tlsproxy will use other certificates.
colewhite added a comment.May 2 2022, 5:54 PM
In T307382#7897011, @Dzahn wrote:

We have to differentiate between:

profile::etcd::tlsproxy

and

profile::etcd::v3

both have a sslcert::certificate but there is the comment

# TLS certs *for etcd use* in peer-to-peer communications.
# Tlsproxy will use other certificates.

Both have cergen-generated certs, but puppet is not configured to use them in-place. It may be worthwhile to transition both if cergen is the expected way of provisioning these certs.

Dzahn added a comment.May 2 2022, 6:13 PM

Things done in reaction to the page on the weekend:

add new certificate for etcd-v3.eqiad.wmnet - https://gerrit.wikimedia.org/r/c/operations/puppet/+/787884
hiera: tlsproxy: use new etcd-v3 certificate - https://gerrit.wikimedia.org/r/c/operations/puppet/+/787885

plus private repo changes to add yaml for cert generation and moving the key in place

Dzahn added a comment.May 2 2022, 10:20 PM

https://wikitech.wikimedia.org/wiki/Incidents/2022-05-01_etcd

gerritbot added a comment.May 2 2022, 10:39 PM

Change 788437 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] etcd::tlsproxy: set use_cergen to true

https://gerrit.wikimedia.org/r/788437

gerritbot added a project: Patch-For-Review.May 2 2022, 10:39 PM
Dzahn added a comment.May 2 2022, 10:46 PM

https://gerrit.wikimedia.org/r/c/labs/private/+/788436/

gerritbot added a comment.May 2 2022, 10:46 PM

Change 788439 had a related patch set uploaded (by Dzahn; author: Dzahn):

[labs/private@master] add fake certificates for etcd-v3.eqiad and etcd-v3.codfw

https://gerrit.wikimedia.org/r/788439

gerritbot added a comment.May 5 2022, 5:01 PM

Change 788439 merged by Dzahn:

[labs/private@master] add fake certificates and keys for etcd-v3.eqiad and etcd-v3.codfw

https://gerrit.wikimedia.org/r/788439

Dzahn mentioned this in rLPRI8e6a6b2e2c02: add fake certificates and keys for etcd-v3.eqiad and etcd-v3.codfw.May 5 2022, 5:03 PM
jbond added a subscriber: jbond.May 9 2022, 4:53 PM
gerritbot added a comment.May 13 2022, 8:01 PM

Change 790657 had a related patch set uploaded (by Dzahn; author: jbond):

[operations/puppet@production] P:etcd::tlsproxy: move to cfssl pki

https://gerrit.wikimedia.org/r/790657

Dzahn changed the task status from Open to In Progress.May 13 2022, 8:05 PM
gerritbot added a comment.May 13 2022, 8:21 PM

Change 791671 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] delete expired certs etcd.eqiad.wmnet.crt and etcd.codfw.wmnet.crt

https://gerrit.wikimedia.org/r/791671

gerritbot added a comment.May 16 2022, 8:16 PM

Change 788437 merged by Dzahn:

[operations/puppet@production] etcd::tlsproxy: set use_cergen to true

https://gerrit.wikimedia.org/r/788437

Marostegui triaged this task as Medium priority.May 17 2022, 8:20 AM
gerritbot added a comment.May 20 2022, 12:15 AM

Change 791671 merged by Dzahn:

[operations/puppet@production] delete expired certs etcd.eqiad.wmnet.crt and etcd.codfw.wmnet.crt

https://gerrit.wikimedia.org/r/791671

Krinkle edited projects, added Sustainability (Incident Followup); removed Wikimedia-Incident.Jul 30 2022, 4:28 AM
akosiaris added a subscriber: akosiaris.Mar 14 2023, 5:07 PM

@Dzahn anything left to do here? Would it be a good sprint week thing?

MoritzMuehlenhoff added a project: serviceops.Mar 15 2023, 8:21 AM
Clement_Goubert moved this task from Incoming 🐫 to 🛎 Services & Oids on the serviceops board.Mar 15 2023, 12:39 PM
Joe added a subscriber: Joe.Mar 20 2023, 8:01 AM

I think there is a larger topic of moving etcd to use the new PKI certs. There has been some work in that direction but I think that work will take some time. Should we just go on and do the minimal fix this week?

Joe edited projects, added SRE-Sprint-Week-Sustainability-March2023; removed SRE.Mar 20 2023, 11:02 AM
jbond added a comment.Mar 21 2023, 9:39 AM
In T307382#8708705, @Joe wrote:

I think there is a larger topic of moving etcd to use the new PKI certs. There has been some work in that direction but I think that work will take some time. Should we just go on and do the minimal fix this week?

might need refreshing/updating but there is this https://gerrit.wikimedia.org/r/c/operations/puppet/+/790657

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL