Reaching mw-api-int.discovery.wmnet from envoy service proxy fails, we are missing the correct SANs for all mw-on-k8s deployments.
- Add "mw-api-ext.discovery.wmnet", "mw-api-ext-ro.discovery.wmnet", "mw-api-ext.svc.eqiad.wmnet", "mw-api-ext.svc.codfw.wmnet", "mw-api-int.discovery.wmnet","mw-api-int-ro.discovery.wmnet", "mw-api-int.svc.eqiad.wmnet", "mw-api-int.svc.codfw.wmnet" to appservers-rw.discovery.wmnet stanza in mediawiki.certs.yaml
- Add "mw-api-ext.discovery.wmnet", "mw-api-ext-ro.discovery.wmnet", "mw-api-ext.svc.eqiad.wmnet", "mw-api-ext.svc.codfw.wmnet", "mw-api-int.discovery.wmnet","mw-api-int-ro.discovery.wmnet", "mw-api-int.svc.eqiad.wmnet", "mw-api-int.svc.codfw.wmnet" to api-rw.discovery.wmnet stanza in mediawiki.certs.yaml
- puppet cert clean appservers-rw.discovery.wmnet
- puppet cert clean api-rw.discovery.wmnet
- rm /srv/private/modules/secret/secrets/certificates/appservers-rw.discovery.wmnet/{appservers-rw.discovery.wmnet.crt.pem,appservers-rw.discovery.wmnet.csr.pem}
- rm /srv/private/modules/secret/secrets/certificates/api-rw.discovery.wmnet/{api-rw.discovery.wmnet.crt.pem,api-rw.discovery.wmnet.csr.pem}
- cergen -c 'appservers-rw.*' --generate --base-path=/srv/private/modules/secret/secrets/certificates /srv/private/modules/secret/secrets/certificates/certificate.manifests.d
- cergen -c 'api-rw.*' --generate --base-path=/srv/private/modules/secret/secrets/certificates /srv/private/modules/secret/secrets/certificates/certificate.manifests.d
- Commit the changes to the private repo
- Copy /srv/private/modules/secret/secrets/certificates/appservers-rw.discovery.wmnet/appservers-rw.discovery.wmnet.crt.pem to puppet ./modules/profile/files/ssl/appservers.svc.{eqiad,codfw}.wmnet.crt
- Copy /srv/private/modules/secret/secrets/certificates/api-rw.discovery.wmnet/api-rw.discovery.wmnet.crt.pem to puppet ./modules/profile/files/ssl/api.svc.{eqiad,codfw}.wmnet.crt
- Commit public puppet changes
- Run puppet on deploy2002 and redeploy mw-on-k8s with scap sync-world --k8s-only "Updating mw-on-k8s certificates"