Page MenuHomePhabricator
Create Task
Maniphest T319372

Move Kafka main to the new intermediate PKI CA
Closed, ResolvedPublic
Actions

Description

Hi folks!

In the parent task we worked on a strategy to move Kafka brokers from Puppet-based TLS certs to PKI-based certs (new intermediate Kafka CA created for the use case). In T300130 kafka logging was moved to the new CA successfully, and it would be great to do the same to Kafka main as well.

I am going to list what is the rollout plan that I have used for Kafka logging:

Find Kafka clients and upgrade their trusted CA settings

The first step is to find Kafka clients and upgrade their settings to trust both the Puppet CA and the Root PKI CA certificates. Thanks to John we have a bundle in various formats on all hosts created by the wmf-certificates package and puppet:

elukey@kafka-logging1001:~$ file /etc/ssl/certs/wmf-ca-certificates.crt
/etc/ssl/certs/wmf-ca-certificates.crt: PEM certificate

# This one needs a hiera setting:
# profile::base::certificates::include_bundle_jks: true
elukey@kafka-logging1001:~$ file /etc/ssl/localcerts/wmf-java-cacerts 
/etc/ssl/localcerts/wmf-java-cacerts: Java KeyStore
Update Kafka settings on all brokers to allow both PKI and Puppet TLS certs at the same time

The only thing needed is the following:

profile::kafka::broker:use_pki_migration_settings: true
profile::base::certificates::include_bundle_jks: true

The settings will update Kafka's super.users setting (basically the TLS CN that are trusted between brokers) and /etc/ssl/localcerts/wmf-java-cacerts will be deployed by puppet (JKS truststore with the PKI and Puppet CA certificates).

Roll restart of all brokers is needed.

Update TLS settings one broker at the time

A hiera host-specific setting should suffice:

profile::kafka::broker::ssl_generate_certificates: true

The above will request a new PKI TLS certificate, deploy it to the node via puppet and update the Kafka settings.

A restart of the affected Kafka broker is needed.

Clean up

Remove the hiera setting used to allow both PKI and Puppet CA certs:

- profile::kafka::broker:use_pki_migration_settings: true

Roll restart of all brokers is needed.

Then finally clean up old TLS certificates from puppet private (revoking them too).

What is it going to change after the move to PKI ?

The only annoyance is that every 6 months we'll need to run the kafka roll restart cookbook to pick up the new TLS certificates, since the PKI ones last 6 months for the moment. This is due to the current version of Kafka that doesn't allow hot reload of keystores: https://wikitech.wikimedia.org/wiki/Kafka/Administration#Renew_TLS_certificate

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Upgrade kafka-main to use PKI TLS certificates for brokersoperations/puppetproduction+2 -2
Switch kafka-main1001 broker's TLS cert to PKIoperations/puppetproduction+2 -0
role::kafka::main: deploy PKI migration settingsoperations/puppetproduction+1 -0
profile::kafka::mirror: default to use pki migration settingsoperations/puppetproduction+5 -5
profile::cache::purge: move purged to a new CA bundleoperations/puppetproduction+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

elukey created this task.Oct 5 2022, 7:09 AM
elukey mentioned this in T296064: Move Kafka Jumbo's TLS clients to the new bundle.
BTullis subscribed.Oct 5 2022, 7:32 AM
jijiki moved this task from Incoming 🐫 to Backlog FY24-25 🚜 on the serviceops-deprecated board.Oct 17 2022, 3:58 PM
elukey mentioned this in T332013: Migrate kafka-main to bullseye.Mar 17 2023, 3:01 PM
gerritbot added a comment.Mar 20 2023, 8:41 AM

Change 901118 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] profile::cache::purge: move purged to a new CA bundle

https://gerrit.wikimedia.org/r/901118

gerritbot added a project: Patch-For-Review.Mar 20 2023, 8:41 AM
gerritbot added a comment.Mar 21 2023, 8:28 AM

Change 901118 merged by Elukey:

[operations/puppet@production] profile::cache::purge: move purged to a new CA bundle

https://gerrit.wikimedia.org/r/901118

Maintenance_bot removed a project: Patch-For-Review.Mar 21 2023, 8:30 AM
Stashbot added a comment.Mar 21 2023, 8:31 AM

Mentioned in SAL (#wikimedia-operations) [2023-03-21T08:31:47Z] <elukey> move purged daemons on cp nodes to a new CA bundle (to allow accepting kafka clients using PKI tls certs) - T319372

gerritbot added a comment.Mar 21 2023, 10:21 AM

Change 901547 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] profile::kafka::mirror: default to use pki migration settings

https://gerrit.wikimedia.org/r/901547

gerritbot added a project: Patch-For-Review.Mar 21 2023, 10:21 AM
gerritbot added a comment.Mar 21 2023, 11:00 AM

Change 901551 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] role::kafka::main: deploy PKI migration settings

https://gerrit.wikimedia.org/r/901551

gerritbot added a comment.Mar 21 2023, 12:58 PM

Change 901547 merged by Elukey:

[operations/puppet@production] profile::kafka::mirror: default to use pki migration settings

https://gerrit.wikimedia.org/r/901547

Stashbot added a comment.Mar 21 2023, 1:05 PM

Mentioned in SAL (#wikimedia-operations) [2023-03-21T13:05:47Z] <elukey> move kafka mirror maker instances to PKI migration settings (new truststores) - T319372

gerritbot added a comment.Mar 30 2023, 8:38 AM

Change 901551 merged by Elukey:

[operations/puppet@production] role::kafka::main: deploy PKI migration settings

https://gerrit.wikimedia.org/r/901551

Stashbot added a comment.Mar 30 2023, 8:55 AM

Mentioned in SAL (#wikimedia-operations) [2023-03-30T08:55:36Z] <elukey> move kafka main clusters to new truststore (PKI+Puppet root CA certs) - T319372

Maintenance_bot removed a project: Patch-For-Review.Mar 30 2023, 9:10 AM
gerritbot added a comment.Mar 31 2023, 6:13 AM

Change 904667 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] Switch kafka-main1001 broker's TLS cert to PKI

https://gerrit.wikimedia.org/r/904667

gerritbot added a project: Patch-For-Review.Mar 31 2023, 6:13 AM
elukey added a comment.Mar 31 2023, 6:17 AM

All brokers have the new truststore, so they can validate certs emitted by PKI. Next steps:

  1. Upgrade kafka-main1001 to PKI, and monitor if any client fails to connect.
  2. Rollout the certs everywhere.
JMeybohm subscribed.Mar 31 2023, 7:00 AM
gerritbot added a comment.Apr 3 2023, 8:15 AM

Change 904667 merged by Elukey:

[operations/puppet@production] Switch kafka-main1001 broker's TLS cert to PKI

https://gerrit.wikimedia.org/r/904667

Stashbot added a comment.Apr 3 2023, 8:29 AM

Mentioned in SAL (#wikimedia-operations) [2023-04-03T08:29:04Z] <elukey> move kafka-main1001's kafka broker to PKI - T319372

gerritbot added a comment.Apr 3 2023, 4:02 PM

Change 905251 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] Upgrade kafka-main to use PKI TLS certificates for brokers

https://gerrit.wikimedia.org/r/905251

gerritbot added a comment.Apr 5 2023, 7:57 AM

Change 905251 merged by Elukey:

[operations/puppet@production] Upgrade kafka-main to use PKI TLS certificates for brokers

https://gerrit.wikimedia.org/r/905251

Stashbot added a comment.Apr 5 2023, 8:07 AM

Mentioned in SAL (#wikimedia-operations) [2023-04-05T08:07:11Z] <elukey> restart kafka on kafka-main1002 to pick up the new TLS certificate (PKI based) - T319372

Maintenance_bot removed a project: Patch-For-Review.Apr 5 2023, 8:10 AM
Stashbot added a comment.Apr 5 2023, 9:35 AM

Mentioned in SAL (#wikimedia-operations) [2023-04-05T09:35:31Z] <elukey> restart kafka on kafka-main1003 to pick up the new TLS certificate (PKI based) - T319372

Stashbot added a comment.Apr 5 2023, 1:52 PM

Mentioned in SAL (#wikimedia-operations) [2023-04-05T13:52:10Z] <elukey> restart kafka on kafka-main1004 to pick up the new TLS certificate (PKI based) - T319372

Stashbot added a comment.Apr 5 2023, 2:33 PM

Mentioned in SAL (#wikimedia-operations) [2023-04-05T14:33:37Z] <elukey> restart kafka on kafka-main1005 to pick up the new TLS certificate (PKI based) - T319372

Stashbot added a comment.Apr 6 2023, 9:30 AM

Mentioned in SAL (#wikimedia-operations) [2023-04-06T09:30:33Z] <elukey> kafka main codfw cluster migrated to PKI TLS certs for brokers - T319372

elukey added a comment.Apr 6 2023, 9:31 AM

Last steps:

  • clean up certs in puppet private
  • verify if any change is needed in deployment-prep
Stashbot added a comment.Apr 11 2023, 1:55 PM

Mentioned in SAL (#wikimedia-operations) [2023-04-11T13:54:58Z] <elukey> remove old puppet certificates for kafka main brokers from A:kafka-main - T319372

Stashbot added a comment.Apr 11 2023, 2:00 PM

Mentioned in SAL (#wikimedia-operations) [2023-04-11T14:00:27Z] <claime> Revoking kafka_main-codfw_broker and kafka_main-eqiad_broker puppet CA certs - T319372

elukey added a comment.Apr 11 2023, 4:16 PM

Final step - check if we have to migrate deployment-prep or not. See https://gerrit.wikimedia.org/r/c/operations/puppet/+/905954, some hiera settings may need to be added if we want to keep the old puppet cert format.

elukey closed this task as Resolved.Apr 13 2023, 3:51 PM
elukey claimed this task.

Deployment-prep may be migrated in the future, not in scope for this task. Finally closing!

MoritzMuehlenhoff mentioned this in T360598: kafka-main certificates expiring on 2024-04-04.Mar 21 2024, 9:36 AM
Ladsgroup mentioned this in T360595: beta-scap-sync-world fails: logstash_checker.py: KeyError: 'aggregations'.Mar 27 2024, 1:12 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits