Page MenuHomePhabricator

Phase out cergen
Open, HighPublic

Description

cergen is currently only installed on puppetmaster1001 by means of the cergen Puppet class. Even building cergen for Buster proved to be challenging back then, as it needs python-networkx 1 and even back then needed python3-lib2to3 (https://phabricator.wikimedia.org/T235405)

There are curently 47 services defined in certificate.manifests.d which use the Puppet 5 CA (authority: puppet_ca), we should probably just fix forward and move them all to the PKI/cfssl (some might also no longer be in use and just need cleaning up):

Data Engineering:

Collaboration Services:

ServiceOps:

  • chartmuseum.certs.yaml T360636
  • docker_registry.certs.yaml T360636
  • _etcd-server-ssl._tcp.v3.certs.yaml T352245
  • etcd-v3.certs.yaml T352245
  • etcd-v3-eqiad.certs.yaml T352245
  • mediawiki.certs.yaml (will be obsoleted when all legacy deployments are moved to wikikube) T360636
  • mwmaint.certs.yaml (used by noc.w.o which is already on wikikube, should be just a cleanup) T360636
  • parsoid.certs.yaml (will be obsoleted when all legacy deployments are moved to wikikube) T359387
  • restbase.certs.yaml T360636
  • testreduce.certs.yaml T360636
  • maps/karthoterian T360778

Infrastructure Foundations:

Observability:

frtech:

  • kafka_fundraising_client.certs.yaml T360779

Unowned:

Cloud Services:

Traffic:

Search:

Data Persistence:

Related Objects

Event Timeline

Change 1004043 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add component/cergen for Bookworm

https://gerrit.wikimedia.org/r/1004043

MoritzMuehlenhoff renamed this task from Build cergen for Bookworm and add cergen to Puppet 7 servers to Figure out next steps for cergen in Puppet setup.Feb 16 2024, 9:40 AM
MoritzMuehlenhoff updated the task description. (Show Details)

Change 1004043 abandoned by Muehlenhoff:

[operations/puppet@production] Add component/cergen for Bookworm

Reason:

https://gerrit.wikimedia.org/r/1004043

Should this ticket really be "deprecate cergen"? :)

Should this ticket really be "deprecate cergen"? :)

Good point :-)

MoritzMuehlenhoff renamed this task from Figure out next steps for cergen in Puppet setup to Phase out cergen.Feb 28 2024, 3:16 PM

Change 1012629 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] hieradata: use cfssl for cloudweb in eqiad

https://gerrit.wikimedia.org/r/1012629

Change 1012629 merged by Majavah:

[operations/puppet@production] hieradata: use cfssl for cloudweb in eqiad

https://gerrit.wikimedia.org/r/1012629

Change #1016723 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] debmonitor: Remove obsolete discovery certificate

https://gerrit.wikimedia.org/r/1016723

Change #1016726 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[labs/private@master] Remove dummy cert for debmonitor

https://gerrit.wikimedia.org/r/1016726

Change #1016723 merged by Muehlenhoff:

[operations/puppet@production] debmonitor: Remove obsolete discovery certificate

https://gerrit.wikimedia.org/r/1016723

Change #1016726 merged by Muehlenhoff:

[labs/private@master] Remove dummy cert for debmonitor

https://gerrit.wikimedia.org/r/1016726