Page MenuHomePhabricator
Create Task
Maniphest T325268

Migrate use of infrastructure_users tokens to client certificates
Open, Needs TriagePublic
Actions

Description

After updating all clusters to 1.23 we should get rid of the infrastructure_users tokens in favor of client certificates wherever possible. This will auto-fix T290963: Drop the use of nonexisting groups in kubernetes infrastructure_users.

There might be some more gems here, I already know of:

  • Promehteus 2.24.1 (bullseye) does not support client cert auth for kubernetes_sd, we would need to have 2.33.5 from bullseye-backports

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+35 -15calico/kubernetes: Replace istio_cni_token with client cert
operations/puppetproduction+15 -9calico/kubernetes: Replace calico cni and ctl tokens with client certs
Customize query in gerrit

Related Objects
Search...

Event Timeline

JMeybohm created this task.Dec 15 2022, 9:27 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 15 2022, 9:27 AM
JMeybohm updated the task description. (Show Details)Dec 15 2022, 9:28 AM
JMeybohm moved this task from Incoming 🐫 to ⎈Kubernetes on the serviceops board.
taavi added a subscriber: taavi.Dec 15 2022, 9:36 AM

Promehteus 2.24.1 (bullseye) does not support client cert auth for kubernetes_sd, we would need to have 2.33.5 from bullseye-backports

We build our own Prometheus debs anyway since Debian doesn't ship with kubernetes_sd support. We're using client cert auth on Toolforge and it works fine.

JMeybohm added a comment.Dec 15 2022, 9:38 AM
In T325268#8470122, @taavi wrote:

Promehteus 2.24.1 (bullseye) does not support client cert auth for kubernetes_sd, we would need to have 2.33.5 from bullseye-backports

We build our own Prometheus debs anyway since Debian doesn't ship with kubernetes_sd support. We're using client cert auth on Toolforge and it works fine.

Cool, thanks! I probably misread the docs then.

JMeybohm added a parent task: T328291: Post Kubernetes v1.23 cleanup.Jan 30 2023, 1:14 PM
JMeybohm removed a parent task: T307943: Update Kubernetes clusters to v1.23.
gerritbot added a comment.Mon, Mar 13, 3:57 PM

Change 897365 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] calico/kubernetes: Replace istio_cni_token with client cert

https://gerrit.wikimedia.org/r/897365

gerritbot added a project: Patch-For-Review.Mon, Mar 13, 3:57 PM

Change 897361 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] calico/kubernetes: Replace calico cni and ctl tokens with client certs

https://gerrit.wikimedia.org/r/897361

Stashbot added a comment.Tue, Mar 14, 9:56 AM

Mentioned in SAL (#wikimedia-operations) [2023-03-14T09:56:43Z] <jayme> disabling puppet on P:calico::kubernetes for T325268

gerritbot added a comment.Tue, Mar 14, 9:58 AM

Change 897365 merged by JMeybohm:

[operations/puppet@production] calico/kubernetes: Replace istio_cni_token with client cert

https://gerrit.wikimedia.org/r/897365

gerritbot added a comment.Tue, Mar 14, 9:58 AM

Change 897361 merged by JMeybohm:

[operations/puppet@production] calico/kubernetes: Replace calico cni and ctl tokens with client certs

https://gerrit.wikimedia.org/r/897361

Maintenance_bot removed a project: Patch-For-Review.Tue, Mar 14, 10:10 AM
Stashbot added a comment.Tue, Mar 14, 10:15 AM

Mentioned in SAL (#wikimedia-operations) [2023-03-14T10:15:45Z] <jayme> enabling puppet on P:calico::kubernetes for T325268

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL