⚓ T357750 Phase out cergen

Subject	Repo	Branch	Lines +/-
Remove various stub certs for now removed cergen certs	labs/private	master	+0 -28
tlsproxy::envoy: Remove support for legacy sslcert provider	operations/puppet	production	+5 -47
sslcert::certificate: Remove use_cergen	operations/puppet	production	+2 -19
varnishkafka: Remove some obsolete references to cergen	operations/puppet	production	+4 -11
Remove cergen	operations/puppet	production	+0 -34
Remove build hooks once needed to be build cergen	operations/puppet	production	+0 -19
Remove documentation about the legacy way to configure TLS for Kafka	operations/puppet	production	+1 -32
Remove stub certs for ms-fe	labs/private	master	+0 -2
Remove obsolete rendering stub certs	labs/private	master	+0 -6
Remove obsolete stub cert for config-master	labs/private	master	+0 -1
Remove obsolete config-master cergen cert	operations/puppet	production	+0 -26
Remove obsolete parsoid records	operations/dns	master	+0 -4
Remove obsolete rendering certs	operations/puppet	production	+0 -84
labs-private: Remove parsoid stub secrets	labs/private	master	+0 -9
Remove old parsoid certs	operations/puppet	production	+0 -128
tlsproxy::localssl: Remove support for cergen certs	operations/puppet	production	+4 -37
Remove obsolete wikikube etcd certificates	operations/puppet	production	+0 -50
Remove ms-fe certs	operations/puppet	production	+0 -52
Remove obsolete wikikube/staging etcd certificates	operations/puppet	production	+0 -52
Inline profile::swift::proxy_tls	operations/puppet	production	+7 -13
profile::swift::proxy_tls: Use Envoy unconditionally and drop Hiera flag	operations/puppet	production	+1 -19
Stop supporting sslcert in Profile::Pki::Provider type	operations/puppet	production	+1 -1
Remove dummy cert for debmonitor	labs/private	master	+0 -3
debmonitor: Remove obsolete discovery certificate	operations/puppet	production	+0 -24
hieradata: use cfssl for cloudweb in eqiad	operations/puppet	production	+8 -1
Add component/cergen for Bookworm	operations/puppet	production	+1 -0

Status	Subtype	Assigned	Task
Open		None	T330490 Next steps for Puppet 7
Open		None	T365798 Shutdown of Puppet 5 servers
Resolved		MoritzMuehlenhoff	T357750 Phase out cergen
Resolved		BTullis	T360412 Phase out cergen for Data Platform services
Resolved		Dzahn	T360413 Phase out cergen for Collaboration Services services
Resolved		Dzahn	T369796 Puppet CA certificate phabricator.discovery.wmnet is about to expire
Resolved		andrea.denisse	T360414 Phase out cergen for Observability services
Resolved		BTullis	T360439 Phase out cergen for Search Platform services
Resolved		elukey	T356412 Consolidate TLS cert puppetry for ms and thanos swift frontends
Resolved		CDobbins	T360506 Migrate purged away from cergen-issued certificate
Resolved		MoritzMuehlenhoff	T360636 Phase out cergen for ServiceOps services
Resolved		MoritzMuehlenhoff	T360778 Move maps/karthoterian to PKI/cfssl
Resolved		Jgreen	T360779 Phase out cergen for Fundraising services
Resolved		MoritzMuehlenhoff	T364622 Review/cleanup content of /srv/git/private/modules/secret/secrets/ssl in the private repo
Resolved	Request	hashar	T417887 Archive the cergen repository

MoritzMuehlenhoff updated the task description. (Show Details)Apr 17 2024, 7:16 AM

Dzahn closed subtask T360413: Phase out cergen for Collaboration Services services as Resolved.Apr 18 2024, 9:47 PM

Dzahn updated the task description. (Show Details)

Dzahn updated the task description. (Show Details)Apr 18 2024, 11:11 PM

MoritzMuehlenhoff updated the task description. (Show Details)Apr 25 2024, 3:22 PM

BTullis updated the task description. (Show Details)Apr 26 2024, 5:00 PM

andrea.denisse updated the task description. (Show Details)Apr 29 2024, 3:12 PM

andrea.denisse updated the task description. (Show Details)Apr 29 2024, 6:30 PM

bking closed subtask T360439: Phase out cergen for Search Platform services as Resolved.May 1 2024, 1:23 PM

MoritzMuehlenhoff updated the task description. (Show Details)May 2 2024, 12:58 PM

elukey mentioned this in T356412: Consolidate TLS cert puppetry for ms and thanos swift frontends.May 2 2024, 4:12 PM

andrea.denisse updated the task description. (Show Details)May 2 2024, 5:47 PM

Change #1026804 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Stop supporting sslcert in Profile::Pki::Provider type

https://gerrit.wikimedia.org/r/1026804

Change #1026804 merged by Muehlenhoff:

[operations/puppet@production] Stop supporting sslcert in Profile::Pki::Provider type

https://gerrit.wikimedia.org/r/1026804

Change #1029128 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] profile::swift::proxy_tls: Use Envoy unconditionally and drop Hiera flag

https://gerrit.wikimedia.org/r/1029128

Change #1029140 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Inline profile::swift::proxy_tls

https://gerrit.wikimedia.org/r/1029140

andrea.denisse closed subtask T360414: Phase out cergen for Observability services as Resolved.May 9 2024, 2:17 PM

andrea.denisse updated the task description. (Show Details)May 9 2024, 4:15 PM

MoritzMuehlenhoff updated the task description. (Show Details)May 10 2024, 5:54 AM

Jgreen closed subtask T360779: Phase out cergen for Fundraising services as Resolved.May 13 2024, 5:49 PM

Jgreen reopened subtask T360779: Phase out cergen for Fundraising services as Open.May 13 2024, 5:59 PM

Jgreen closed subtask T360779: Phase out cergen for Fundraising services as Resolved.May 13 2024, 6:28 PM

Change #1029128 merged by Muehlenhoff:

[operations/puppet@production] profile::swift::proxy_tls: Use Envoy unconditionally and drop Hiera flag

https://gerrit.wikimedia.org/r/1029128

Change #1029140 merged by Muehlenhoff:

[operations/puppet@production] Inline profile::swift::proxy_tls

https://gerrit.wikimedia.org/r/1029140

elukey changed the status of subtask T356412: Consolidate TLS cert puppetry for ms and thanos swift frontends from Open to Stalled.May 15 2024, 2:42 PM

Pppery removed a project: Patch-For-Review.May 21 2024, 6:10 PM

Change #1035631 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] tlsproxy::envoy: Remove support for legacy sslcert provider

https://gerrit.wikimedia.org/r/1035631

gerritbot added a project: Patch-For-Review.May 24 2024, 6:55 AM

MoritzMuehlenhoff added a parent task: T365798: Shutdown of Puppet 5 servers.May 24 2024, 10:39 AM

Change #1036998 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove obsolete wikikube/staging etcd certificates

https://gerrit.wikimedia.org/r/1036998

Change #1037002 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove obsolete wikikube etcd certificates

https://gerrit.wikimedia.org/r/1037002

elukey closed subtask T356412: Consolidate TLS cert puppetry for ms and thanos swift frontends as Resolved.May 29 2024, 1:32 PM

elukey updated the task description. (Show Details)

Change #1037074 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove ms-fe certs

https://gerrit.wikimedia.org/r/1037074

Change #1036998 merged by Muehlenhoff:

[operations/puppet@production] Remove obsolete wikikube/staging etcd certificates

https://gerrit.wikimedia.org/r/1036998

MoritzMuehlenhoff updated the task description. (Show Details)Jun 3 2024, 8:02 AM

Change #1037074 merged by Muehlenhoff:

[operations/puppet@production] Remove ms-fe certs

https://gerrit.wikimedia.org/r/1037074

MoritzMuehlenhoff updated the task description. (Show Details)Jun 5 2024, 10:53 AM

Change #1042898 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] tlsproxy::localssl: Remove support for cergen certs

https://gerrit.wikimedia.org/r/1042898

MoritzMuehlenhoff updated the task description. (Show Details)Jun 13 2024, 10:31 AM

MoritzMuehlenhoff mentioned this in T368023: Move the private Puppet repository to puppetserver1001.Jun 20 2024, 8:47 AM

Change #1037002 merged by Muehlenhoff:

[operations/puppet@production] Remove obsolete wikikube etcd certificates

https://gerrit.wikimedia.org/r/1037002

Change #1042898 merged by Ryan Kemper:

[operations/puppet@production] tlsproxy::localssl: Remove support for cergen certs

https://gerrit.wikimedia.org/r/1042898

Change #1072737 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove old parsoid certs

https://gerrit.wikimedia.org/r/1072737

Change #1072738 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[labs/private@master] labs-private: Remove parsoid stub secrets

https://gerrit.wikimedia.org/r/1072738

Change #1072737 merged by Alexandros Kosiaris:

[operations/puppet@production] Remove old parsoid certs

https://gerrit.wikimedia.org/r/1072737

Change #1072738 merged by Alexandros Kosiaris:

[labs/private@master] labs-private: Remove parsoid stub secrets

https://gerrit.wikimedia.org/r/1072738

Muehlenhoff mentioned this in rLPRI92ec426bd176: labs-private: Remove parsoid stub secrets.Sep 13 2024, 3:15 PM

MoritzMuehlenhoff updated the task description. (Show Details)Sep 18 2024, 11:00 AM

MoritzMuehlenhoff closed subtask T360506: Migrate purged away from cergen-issued certificate as Resolved.Sep 19 2024, 9:59 AM

Change #1075152 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove obsolete rendering certs

https://gerrit.wikimedia.org/r/1075152

Change #1075152 merged by Muehlenhoff:

[operations/puppet@production] Remove obsolete rendering certs

https://gerrit.wikimedia.org/r/1075152

Change #1075922 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove obsolete config-master cergen cert

https://gerrit.wikimedia.org/r/1075922

Change #1080254 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/dns@master] Remove obsolete parsoid records

https://gerrit.wikimedia.org/r/1080254

Change #1080254 merged by Clément Goubert:

[operations/dns@master] Remove obsolete parsoid records

https://gerrit.wikimedia.org/r/1080254

Change #1075922 merged by Muehlenhoff:

[operations/puppet@production] Remove obsolete config-master cergen cert

https://gerrit.wikimedia.org/r/1075922

Change #1084058 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[labs/private@master] Remove obsolete stub cert for config-master

https://gerrit.wikimedia.org/r/1084058

Change #1084058 merged by Muehlenhoff:

[labs/private@master] Remove obsolete stub cert for config-master

https://gerrit.wikimedia.org/r/1084058

MoritzMuehlenhoff updated the task description. (Show Details)Oct 29 2024, 12:42 PM

MoritzMuehlenhoff updated the task description. (Show Details)

Change #1084149 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[labs/private@master] Remove obsolete rendering stub certs

https://gerrit.wikimedia.org/r/1084149

Change #1084150 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[labs/private@master] Remove stub certs for ms-fe

https://gerrit.wikimedia.org/r/1084150

Change #1084149 merged by Muehlenhoff:

[labs/private@master] Remove obsolete rendering stub certs

https://gerrit.wikimedia.org/r/1084149

Change #1084150 merged by Muehlenhoff:

[labs/private@master] Remove stub certs for ms-fe

https://gerrit.wikimedia.org/r/1084150

Mentioned in SAL (#wikimedia-operations) [2025-04-14T12:43:45Z] <moritzm> remove ganeti01.svc.eqsin.wmnet cert (replaced by cfssl cert) T357750

Mentioned in SAL (#wikimedia-operations) [2025-04-14T12:46:05Z] <moritzm> remove ganeti01.svc.ulsfo.wmnet cert (replaced by cfssl cert) T357750

Mentioned in SAL (#wikimedia-operations) [2025-04-14T12:49:37Z] <moritzm> remove ganeti01.svc.esams.wmnet cert (replaced by cfssl cert) T357750

Mentioned in SAL (#wikimedia-operations) [2025-04-14T12:53:06Z] <moritzm> remove ganeti01.svc.codfw.wmnet cert (replaced by cfssl cert) T357750

Mentioned in SAL (#wikimedia-operations) [2025-04-14T13:00:58Z] <moritzm> remove ganeti01.svc.eqiad.wmnet cert (replaced by cfssl cert) T357750

hashar mentioned this in T335765: Migrate all CI jobs from buster to bullseye or later and drop buster testing support.Jul 11 2025, 1:20 PM

hashar added a parent task: T335765: Migrate all CI jobs from buster to bullseye or later and drop buster testing support.

LSobanski awarded a token.Nov 24 2025, 12:30 PM

JMeybohm closed subtask T360636: Phase out cergen for ServiceOps services as Resolved.Dec 16 2025, 1:01 PM

MoritzMuehlenhoff reopened subtask T360636: Phase out cergen for ServiceOps services as Open.Dec 16 2025, 1:23 PM

Change #1229573 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove documentation about the legacy way to configure TLS for Kafka

https://gerrit.wikimedia.org/r/1229573

Change #1229573 merged by Muehlenhoff:

[operations/puppet@production] Remove documentation about the legacy way to configure TLS for Kafka

https://gerrit.wikimedia.org/r/1229573

MoritzMuehlenhoff closed subtask T360636: Phase out cergen for ServiceOps services as Resolved.Jan 22 2026, 11:11 AM

MoritzMuehlenhoff updated the task description. (Show Details)Feb 13 2026, 9:54 AM

MoritzMuehlenhoff closed subtask T364622: Review/cleanup content of /srv/git/private/modules/secret/secrets/ssl in the private repo as Resolved.Feb 17 2026, 11:28 AM

Change #1239912 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove cergen

https://gerrit.wikimedia.org/r/1239912

Change #1239915 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove build hooks once needed to be build cergen

https://gerrit.wikimedia.org/r/1239915

Change #1239915 merged by Muehlenhoff:

[operations/puppet@production] Remove build hooks once needed to be build cergen

https://gerrit.wikimedia.org/r/1239915

Change #1239921 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] varnishkafka: Remove some obsolete references to cergen

https://gerrit.wikimedia.org/r/1239921

Change #1239912 merged by Muehlenhoff:

[operations/puppet@production] Remove cergen

https://gerrit.wikimedia.org/r/1239912

Change #1239921 merged by Muehlenhoff:

[operations/puppet@production] varnishkafka: Remove some obsolete references to cergen

https://gerrit.wikimedia.org/r/1239921

hashar mentioned this in T417887: Archive the cergen repository.Feb 19 2026, 1:13 PM

hashar added a subtask: T417887: Archive the cergen repository.

hashar removed a parent task: T335765: Migrate all CI jobs from buster to bullseye or later and drop buster testing support.

hashar closed subtask T417887: Archive the cergen repository as Resolved.Feb 19 2026, 1:29 PM

Change #1240711 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] sslcert::certificate: Remove use_cergen

https://gerrit.wikimedia.org/r/1240711

Change #1240711 merged by Muehlenhoff:

[operations/puppet@production] sslcert::certificate: Remove use_cergen

https://gerrit.wikimedia.org/r/1240711

Change #1035631 merged by Muehlenhoff:

[operations/puppet@production] tlsproxy::envoy: Remove support for legacy sslcert provider

https://gerrit.wikimedia.org/r/1035631

Maintenance_bot removed a project: Patch-For-Review.Feb 19 2026, 4:32 PM

Change #1240866 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[labs/private@master] Remove various stub certs for now removed cergen certs

https://gerrit.wikimedia.org/r/1240866

Change #1240866 merged by Muehlenhoff:

[labs/private@master] Remove various stub certs for now removed cergen certs

https://gerrit.wikimedia.org/r/1240866

cergen is fully undeployed from our infrastructure: All certificates have been migrated to the PKI (or in some cases were obsoleted like some certs only relevant for baremetal Mediawiki), all old certificates were cleaned up (with the exception of two old Puppet CA certs which might still be needed to decrypt old backups) and cergen were removed from Puppet.

Maintenance_bot removed a project: Patch-For-Review.Feb 20 2026, 9:31 AM

Phase out cergen
Closed, ResolvedPublic
Actions

Description

Details

Related Objects
Search...

Event Timeline

	MoritzMuehlenhoff
	Feb 16 2024, 8:34 AM

Phase out cergenClosed, ResolvedPublicActions

Description

Details

Related ObjectsSearch...

Event Timeline

Phase out cergen
Closed, ResolvedPublic
Actions

Related Objects
Search...