Page MenuHomePhabricator
Create Task
Maniphest T347565

Switch rsyslog to use the new PKI infrastructure
Open, MediumPublic
Actions

Description

Currently rsyslog uses PKi for both the TLS terminations and for client authentication. Although I'm not sure that later is enforced.

We should update rsyslog so that clients and daemons request there certificates from pki.discovery.wmnet.

Details

SubjectRepoBranchLines +/-
sretest: switch sretest to cfssl for rsyslog mTLSoperations/puppetproduction+1 -0
profile::syslog::remote: Add support for pkioperations/puppetproduction+25 -13
profile::syslog::remote: create variables for cert and keyoperations/puppetproduction+5 -3
profile::rsyslog::syslog: refactor base::remote_syslog to a profileoperations/puppetproduction+163 -167
syslog::centralserver: use mTLS for blackbox checkoperations/puppetproduction+7 -4
syslog::centralserver: switch to cfssloperations/puppetproduction+1 -0
rsyslog: update code to support cfssl and puppetoperations/puppetproduction+33 -14
rsyslog::receiver: drop support for acme_nameoperations/puppetproduction+8 -27
pki: add syslog intermediateoperations/puppetproduction+29 -0
pki::root_ca: add new intermediate for syslogoperations/puppetproduction+1 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

jbond created this task.Sep 28 2023, 10:30 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 28 2023, 10:30 AM
jbond triaged this task as Medium priority.Sep 28 2023, 10:30 AM
jbond added a project: Observability-Logging.
gerritbot added a comment.Sep 28 2023, 10:32 AM

Change 961703 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] syslog::centralserver: use mTLS for blackbox check

https://gerrit.wikimedia.org/r/961703

gerritbot added a project: Patch-For-Review.Sep 28 2023, 10:32 AM

Change 961735 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] profile::rsyslog::syslog: refactor base::remote_syslog to a profile

https://gerrit.wikimedia.org/r/961735

gerritbot added a comment.Sep 28 2023, 10:32 AM

Change 961740 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] profile::syslog::remote: create variables for cert and key

https://gerrit.wikimedia.org/r/961740

gerritbot added a comment.Sep 28 2023, 10:32 AM

Change 961741 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] profile::syslog::remote: Add support for pki

https://gerrit.wikimedia.org/r/961741

gerritbot added a comment.Sep 28 2023, 10:32 AM

Change 956481 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] rsyslog: switch the endpoints to use the PKI system

https://gerrit.wikimedia.org/r/956481

gerritbot added a comment.Sep 28 2023, 10:38 AM

Change 961745 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] pki::root_ca: add new intermediate for syslog

https://gerrit.wikimedia.org/r/961745

gerritbot added a comment.Sep 28 2023, 10:40 AM

Change 961745 merged by Jbond:

[operations/puppet@production] pki::root_ca: add new intermediate for syslog

https://gerrit.wikimedia.org/r/961745

gerritbot added a comment.Sep 28 2023, 10:48 AM

Change 961749 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] pki: add syslog intermediate

https://gerrit.wikimedia.org/r/961749

gerritbot added a comment.Sep 28 2023, 10:51 AM

Change 961749 merged by Jbond:

[operations/puppet@production] pki: add syslog intermediate

https://gerrit.wikimedia.org/r/961749

gerritbot added a comment.Sep 28 2023, 11:17 AM

Change 961758 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] rsyslog::receiver: drop support for acme_name

https://gerrit.wikimedia.org/r/961758

gerritbot added a comment.Sep 28 2023, 11:17 AM

Change 961759 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] syslog::centralserver: switch to cfssl

https://gerrit.wikimedia.org/r/961759

Aklapper renamed this task from Switch rsyslog to use the new PKI infrastrcutre to Switch rsyslog to use the new PKI infrastructure.Sep 28 2023, 11:30 AM
gerritbot added a comment.Sep 28 2023, 11:32 AM

Change 961758 abandoned by Jbond:

[operations/puppet@production] rsyslog::receiver: drop support for acme_name

Reason:

acme support is requierd

https://gerrit.wikimedia.org/r/961758

gerritbot added a comment.Sep 28 2023, 12:18 PM

Change 961785 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] sretest: switch sretest to cfssl for rsyslog mTLS

https://gerrit.wikimedia.org/r/961785

gerritbot added a comment.Oct 2 2023, 10:33 AM

Change 956481 merged by Jbond:

[operations/puppet@production] rsyslog: update code to support cfssl and puppet

https://gerrit.wikimedia.org/r/956481

CDanis subscribed.Nov 13 2023, 4:12 PM
jbond updated the task description. (Show Details)Nov 14 2023, 2:45 PM
jbond mentioned this in T351181: syslog tls clients failing to connect to centrallog2002 post puppet7 migration.Nov 15 2023, 10:48 AM
jbond mentioned this in T351624: Probes for centrallog hosts fail to validate with "x509: issuer name does not match subject from issuing certificate".Nov 20 2023, 10:50 AM
gerritbot added a comment.Nov 29 2023, 4:07 PM

Change 961759 merged by Jbond:

[operations/puppet@production] syslog::centralserver: switch to cfssl

https://gerrit.wikimedia.org/r/961759

gerritbot added a comment.Nov 29 2023, 4:23 PM

Change 961735 merged by Jbond:

[operations/puppet@production] profile::rsyslog::syslog: refactor base::remote_syslog to a profile

https://gerrit.wikimedia.org/r/961735

gerritbot added a comment.Nov 29 2023, 4:23 PM

Change 961740 merged by Jbond:

[operations/puppet@production] profile::syslog::remote: create variables for cert and key

https://gerrit.wikimedia.org/r/961740

gerritbot added a comment.Nov 29 2023, 4:23 PM

Change 961703 merged by Jbond:

[operations/puppet@production] syslog::centralserver: use mTLS for blackbox check

https://gerrit.wikimedia.org/r/961703

gerritbot added a comment.Nov 29 2023, 4:23 PM

Change 961741 merged by Jbond:

[operations/puppet@production] profile::syslog::remote: Add support for pki

https://gerrit.wikimedia.org/r/961741

gerritbot added a comment.Nov 29 2023, 4:23 PM

Change 961785 merged by Jbond:

[operations/puppet@production] sretest: switch sretest to cfssl for rsyslog mTLS

https://gerrit.wikimedia.org/r/961785

Maintenance_bot removed a project: Patch-For-Review.Nov 29 2023, 4:30 PM
CDanis added a comment.Nov 29 2023, 4:31 PM

Conclusion at end of meeting was that o11y would migrate the base profile
to use the new cfssl support ~next week

lmata subscribed.Nov 29 2023, 6:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL