We have received a warning that the puppet certificate for varnishkafka is soon to expire.
This is confirmed by checking the certificate file that is present on all caching proxy servers, e.g. cp1075.
btullis@cp1075:/etc/varnishkafka/ssl$ cat varnishkafka.crt.pem | openssl x509 -noout -dates notBefore=Dec 13 15:55:06 2017 GMT notAfter=Dec 13 15:55:06 2022 GMT
This certificate will need to be renewed, redeployed, and the varnishkafka service restarted on all cp* hosts.
Failure to do so before the expiry date will result in data loss in the webrequest stream.
The renewal process is similar to that described here: https://wikitech.wikimedia.org/wiki/Kafka/Administration#Kafka_Certificates
However, since it is a *client* certificate (where that client is varnishkafka) the process to make it live is somewhat different.