Per parent ticket, migrating cloudelastic to private IPs also means its domain will change from wikimedia.org to eqiad.wmnet .
That means we can no longer rely on acme-chief and letsencrypt to provide certificates (to the best of my knowledge, LE only supports registered TLDs).
I believe we'll also have to add some service discovery/ATS config as well.
Creating this ticket to:
- Prepare new traffic path (ATS/pybal/)
- Prepare new TLS configuration (CFSSL is preferred; see this CR for an example of how this might work.