Page MenuHomePhabricator
Create Task
Maniphest T309782

toolforge: Refresh certs that are not controlled by kubeadm (mid 2024 edition)
Open, Stalled, HighPublic
Actions

Description

Refresh Toolforge k8s certificates for prometheus and the admission controllers.

For previous work, see T308402. For automating the admission controller certificates, see T292238.

For the admission controller webhooks, rerun the get-cert.sh script similar to the doc, but do not bother the ca-bundle.sh script as that is no longer necessary at all except for local testing. That should inject the secret. To use the secret, delete the appropriate pods in the ingress-admission and registry-admission workspaces to restart them one at a time. Generally the README on the repos for these are the most authoritative docs if in doubt. This is automated now.

For the Prometheus ones, follow the doc on wikitech to recreate the certs.

Details

SubjectRepoBranchLines +/-
toolforge,prometheus: renew certificateoperations/puppetproduction+17 -17
Customize query in gerrit

Related Objects
Search...

Event Timeline

dcaro triaged this task as Medium priority.Jun 2 2022, 12:42 PM
dcaro created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 2 2022, 12:42 PM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:39 PM
fnegri moved this task from Kanban to Inbox on the cloud-services-team board.
taavi updated the task description. (Show Details)Apr 5 2023, 9:04 AM
Aklapper added a comment.Jul 24 2023, 1:49 PM

@dcaro: Hi, the Due Date set for this open task passed a while ago.
Could you please either update or reset the Due Date (by clicking Edit Task), or set the status of this task to resolved in case this task is done? Thanks!

Aklapper removed Due Date.Aug 21 2023, 11:05 AM

@dcaro: No reply; reset Due Date.

taavi subscribed.Sep 27 2023, 7:58 AM

Prometheus got renewed via T338025: [tools] Prometheus k8s cert expired this year, I'll re-use this task for next year's renewal.

taavi renamed this task from toolforge: Refresh certs that are not controlled by kubeadm (mid 2023 edition) to toolforge: Refresh certs that are not controlled by kubeadm (mid 2024 edition).Sep 27 2023, 7:59 AM
taavi set Due Date to Jun 29 2024, 9:00 PM.
taavi changed Due Date from Jun 29 2024, 9:00 PM to May 29 2024, 9:00 PM.May 10 2024, 1:49 PM
taavi moved this task from Backlog to Ready to be worked on on the Toolforge board.

The current certificates expire on June 1st.

taavi raised the priority of this task from Medium to High.May 10 2024, 1:52 PM
taavi moved this task from Ready to be worked on to Toolforge iteration 09 on the Toolforge board.May 22 2024, 1:21 PM
taavi edited projects, added Toolforge (Toolforge iteration 09); removed Toolforge.
dcaro edited projects, added Toolforge (Toolforge iteration 10); removed Toolforge (Toolforge iteration 09).May 22 2024, 4:41 PM
gerritbot added a comment.Jun 1 2024, 1:14 PM

Change #1037888 had a related patch set uploaded (by David Caro; author: David Caro):

[operations/puppet@production] toolforge,prometheus: renew certificate

https://gerrit.wikimedia.org/r/1037888

gerritbot added a project: Patch-For-Review.Jun 1 2024, 1:14 PM
dcaro added a comment.Jun 1 2024, 1:16 PM

For the secrets file, this time with puppet7 I had to disable the pre-commit hook under /srv/git/labs/private/.git/hooks or it would not let me commit saying to use the 'fronted puppetserver', but afaik we only have no e puppetserver :/

gerritbot added a comment.Jun 1 2024, 1:19 PM

Change #1037888 merged by David Caro:

[operations/puppet@production] toolforge,prometheus: renew certificate

https://gerrit.wikimedia.org/r/1037888

dcaro added a comment.Jun 1 2024, 1:27 PM

This is deployed and working, we might want to add an alert warning about certificates "about to expire" to avoid this happening again, but that can be taken care of on monday.

Maintenance_bot removed a project: Patch-For-Review.Jun 1 2024, 1:30 PM
dcaro moved this task from Next Up to In Progress on the Toolforge (Toolforge iteration 10) board.Jun 3 2024, 7:50 AM
dcaro claimed this task.Jun 4 2024, 10:50 AM
dcaro changed the status of subtask T366579: [infra,k8s,monitoring] Add an alert to warn when the prometheus k8s cert is about to expire from Open to In Progress.Jun 4 2024, 1:26 PM
dcaro changed the task status from Open to In Progress.Jun 4 2024, 2:55 PM
dcaro edited projects, added Toolforge (Toolforge iteration 11); removed Toolforge (Toolforge iteration 10).
dcaro moved this task from Next Up to In Progress on the Toolforge (Toolforge iteration 11) board.
dcaro changed the task status from In Progress to Stalled.Jun 12 2024, 2:10 PM
dcaro moved this task from In Progress to Blocked/Paused on the Toolforge (Toolforge iteration 11) board.
dcaro edited projects, added Toolforge (Toolforge iteration 12); removed Toolforge (Toolforge iteration 11).Jul 2 2024, 2:01 PM
dcaro moved this task from Next Up to Blocked/Paused on the Toolforge (Toolforge iteration 12) board.
dcaro edited projects, added Toolforge (Toolforge iteration 13); removed Toolforge (Toolforge iteration 12).Jul 17 2024, 11:22 AM
dcaro moved this task from Next Up to Blocked/Paused on the Toolforge (Toolforge iteration 13) board.
dcaro edited projects, added Toolforge (Toolforge iteration 14); removed Toolforge (Toolforge iteration 13).Aug 5 2024, 7:39 AM
dcaro moved this task from Next Up to Blocked/Paused on the Toolforge (Toolforge iteration 14) board.
Aklapper added a comment.Aug 26 2024, 8:30 AM

@dcaro: Hi, the Due Date set for this open task passed a while ago.
Could you please either update or reset the Due Date (by clicking Edit Task), or set the status of this task to resolved in case this task is done? Thanks!

dcaro removed Due Date.Aug 26 2024, 8:59 AM
dcaro edited projects, added Toolforge (Toolforge iteration 15); removed Toolforge (Toolforge iteration 14).Sep 25 2024, 7:55 AM
dcaro moved this task from Next Up to Blocked/Paused on the Toolforge (Toolforge iteration 15) board.
dcaro edited projects, added Toolforge (Toolforge iteration 16); removed Toolforge (Toolforge iteration 15).Oct 15 2024, 7:32 AM
dcaro moved this task from Next Up to Blocked/Paused on the Toolforge (Toolforge iteration 16) board.
dcaro closed subtask T366579: [infra,k8s,monitoring] Add an alert to warn when the prometheus k8s cert is about to expire as Resolved.Thu, Nov 28, 5:06 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits