Currently rsyslog uses PKI for both the TLS terminations and for client authentication. Although I'm not sure that the latter is enforced.
We should update rsyslog so that clients and daemons request their certificates from pki.discovery.wmnet.
Status | Subtype | Assigned | Task
---|---|---|---
Open | | None | T330490 Next steps for Puppet 7
In Progress | | None | T340741 expose_puppet_certs: Services will need to trust the new ca
Open | | None | T347565 Switch rsyslog to use the new PKI infrastructure
Change 961703 had a related patch set uploaded (by Jbond; author: jbond):
[operations/puppet@production] syslog::centralserver: use mTLS for blackbox check
Change 961735 had a related patch set uploaded (by Jbond; author: jbond):
[operations/puppet@production] profile::rsyslog::syslog: refactor base::remote_syslog to a profile
Change 961740 had a related patch set uploaded (by Jbond; author: jbond):
[operations/puppet@production] profile::syslog::remote: create variables for cert and key
Change 961741 had a related patch set uploaded (by Jbond; author: jbond):
[operations/puppet@production] profile::syslog::remote: Add support for pki
Change 956481 had a related patch set uploaded (by Jbond; author: jbond):
[operations/puppet@production] rsyslog: switch the endpoints to use the PKI system
Change 961745 had a related patch set uploaded (by Jbond; author: jbond):
[operations/puppet@production] pki::root_ca: add new intermediate for syslog
Change 961745 merged by Jbond:
[operations/puppet@production] pki::root_ca: add new intermediate for syslog
Change 961749 had a related patch set uploaded (by Jbond; author: jbond):
[operations/puppet@production] pki: add syslog intermediate
Change 961749 merged by Jbond:
[operations/puppet@production] pki: add syslog intermediate
Change 961758 had a related patch set uploaded (by Jbond; author: jbond):
[operations/puppet@production] rsyslog::receiver: drop support for acme_name
Change 961759 had a related patch set uploaded (by Jbond; author: jbond):
[operations/puppet@production] syslog::centralserver: switch to cfssl
Change 961758 abandoned by Jbond:
[operations/puppet@production] rsyslog::receiver: drop support for acme_name
Reason:
acme support is required
Change 961785 had a related patch set uploaded (by Jbond; author: jbond):
[operations/puppet@production] sretest: switch sretest to cfssl for rsyslog mTLS
Change 956481 merged by Jbond:
[operations/puppet@production] rsyslog: update code to support cfssl and puppet
Change 961759 merged by Jbond:
[operations/puppet@production] syslog::centralserver: switch to cfssl
Change 961735 merged by Jbond:
[operations/puppet@production] profile::rsyslog::syslog: refactor base::remote_syslog to a profile
Change 961740 merged by Jbond:
[operations/puppet@production] profile::syslog::remote: create variables for cert and key
Change 961703 merged by Jbond:
[operations/puppet@production] syslog::centralserver: use mTLS for blackbox check
Change 961741 merged by Jbond:
[operations/puppet@production] profile::syslog::remote: Add support for pki
Change 961785 merged by Jbond:
[operations/puppet@production] sretest: switch sretest to cfssl for rsyslog mTLS
Conclusion at end of meeting was that o11y would migrate the base profile to use the new cfssl support ~next week