This is similar to T337248: it would be great for the varnishkafka instances on cache nodes to use PKI-based TLS certificates when connecting to Kafka brokers. At the moment we use a cergen certificate with CN: varnishkafka, which Kafka brokers use as the username when evaluating ACLs (for example, only varnishkafka can produce messages to webrequest topics).
I filed 3 code reviews starting from https://gerrit.wikimedia.org/r/c/operations/puppet/+/924506, to do the following:
- Create a catch-all systemd unit called varnishkafka-all that restarts all the varnishkafka instances present on a cache node.
- Add the possibility to provision a PKI TLS certificate with CN:varnishkafka on cache nodes.
- Apply the settings to cp4037 (depool the node, send some test traffic, check the error logs and whether messages are landing in Kafka, etc.).
If the above works, we could then apply the settings to all cache nodes incrementally. Lemme know your thoughts!
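Since the broker ACLs key off the certificate CN, the one thing the cp4037 test has to confirm is that the PKI-issued certificate still carries CN=varnishkafka rather than, say, the host's own name. The following is an added example (not code from this task, from varnishkafka or from Kafka) that models that dependency: it extracts the CN from a subject DN the way the task description says the brokers do and evaluates it against a constructed, deny-by-default ACL table for constructed webrequest topic names. The DN strings, topic names and the exact CN-to-username mapping are assumptions for illustration; the real broker-side mapping and topic names are not on this page.

```python
"""Constructed model of how a TLS client certificate's CN becomes the Kafka
principal that broker ACLs are checked against. Simplified illustration only,
not Kafka's or varnishkafka's own code."""
import re
from typing import NamedTuple


class Acl(NamedTuple):
    principal: str   # e.g. "User:varnishkafka"
    operation: str   # e.g. "Write"
    resource: str    # e.g. "Topic:webrequest_text"
    allow: bool      # explicit deny entries win over allow entries


def principal_from_subject(subject_dn: str) -> str:
    """Return the CN of an X.509 subject DN as a 'User:<cn>' principal.
    Assumption: brokers map the CN to the username, as the task states."""
    m = re.search(r'(?:^|,)\s*CN=([^,]+)', subject_dn)
    if not m:
        raise ValueError(f"no CN in subject: {subject_dn!r}")
    return f"User:{m.group(1).strip()}"


def acl_allows(acls, principal: str, operation: str, resource: str) -> bool:
    """Deny by default: permitted only if an allow entry matches and no deny
    entry matches for the same principal/operation/resource."""
    matches = [a for a in acls
               if a.principal == principal
               and a.operation == operation
               and a.resource == resource]
    if any(not a.allow for a in matches):
        return False
    return any(a.allow for a in matches)


# Constructed ACL table: only the varnishkafka principal may produce to the
# (constructed) webrequest topics.
WEBREQUEST_ACLS = [
    Acl("User:varnishkafka", "Write", "Topic:webrequest_text", True),
    Acl("User:varnishkafka", "Write", "Topic:webrequest_upload", True),
]


def can_produce(subject_dn: str, topic: str, acls=WEBREQUEST_ACLS) -> bool:
    """Would a client presenting this certificate subject be allowed to
    produce to the given topic under the constructed ACLs?"""
    return acl_allows(acls, principal_from_subject(subject_dn),
                      "Write", f"Topic:{topic}")


if __name__ == "__main__":
    # Constructed subjects: one issued with the expected CN, and one issued
    # with a placeholder hostname as CN (a plausible mistake when switching
    # from cergen to PKI). Only the first may produce to webrequest topics.
    good = "CN=varnishkafka,OU=Traffic,O=Wikimedia Foundation"
    wrong = "CN=cp4037.placeholder.invalid,OU=Traffic,O=Wikimedia Foundation"
    print(can_produce(good, "webrequest_text"))    # True
    print(can_produce(wrong, "webrequest_text"))   # False
```

The point of the negative case is that a PKI certificate with the wrong CN will still complete the TLS handshake fine; the failure only shows up as an authorization error on the broker side, which is why the cp4037 step should look at produce errors in the varnishkafka logs and not only at whether TLS connects.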