Page MenuHomePhabricator
Create Task
Maniphest T357750

Phase out cergen
Open, HighPublic
Actions

Description

cergen is currently only installed on puppetmaster1001 by means of the cergen Puppet class. Even building cergen for Buster proved to be challenging back then, as it needs python-networkx 1 and even back then needed python3-lib2to3 (https://phabricator.wikimedia.org/T235405)

There are curently 48 services defined in certificate.manifests.d which use the Puppet 5 CA (authority: puppet_ca), we should probably just fix forward and move them all to the PKI/cfssl (some might also no longer be in use and just need cleaning up):

Data Engineering:

Collaboration Services:

ServiceOps:

  • chartmuseum.certs.yaml T360636
  • docker_registry.certs.yaml T360636
  • _etcd-server-ssl._tcp.v3.certs.yaml T352245
  • etcd-v3.certs.yaml T352245
  • etcd-v3-eqiad.certs.yaml T352245
  • mediawiki.certs.yaml (will be obsoleted when all legacy deployments are moved to wikikube) T360636
  • mwmaint.certs.yaml (used by noc.w.o which is already on wikikube, should be just a cleanup) T360636
  • parsoid.certs.yaml (will be obsoleted when all legacy deployments are moved to wikikube) T359387
  • restbase.certs.yaml T360636
  • testreduce.certs.yaml T360636
  • maps/karthoterian T360778

Infrastructure Foundations:

  • config-master.certs.yaml
  • debmonitor.certs.yaml
  • puppet_ca.certs.yaml (will be phased out along with Puppet 5)

Observability:

frtech:

  • kafka_fundraising_client.certs.yaml T360779

Cloud Services:

Traffic:

Search:

Data Persistence:

Details

Related Changes in Gerrit:
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Dzahn updated the task description. (Show Details)Mar 28 2024, 8:05 PM
MoritzMuehlenhoff updated the task description. (Show Details)Apr 2 2024, 8:06 AM
MoritzMuehlenhoff updated the task description. (Show Details)Apr 2 2024, 11:12 AM
MoritzMuehlenhoff updated the task description. (Show Details)Apr 2 2024, 11:17 AM
Dzahn updated the task description. (Show Details)Apr 2 2024, 6:15 PM
gerritbot added a comment.Apr 3 2024, 9:34 AM

Change #1016723 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] debmonitor: Remove obsolete discovery certificate

https://gerrit.wikimedia.org/r/1016723

gerritbot added a comment.Apr 3 2024, 9:49 AM

Change #1016726 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[labs/private@master] Remove dummy cert for debmonitor

https://gerrit.wikimedia.org/r/1016726

Paladox unsubscribed.Apr 3 2024, 10:17 AM
Dzahn updated the task description. (Show Details)Apr 3 2024, 9:57 PM
gerritbot added a comment.Apr 4 2024, 11:19 AM

Change #1016723 merged by Muehlenhoff:

[operations/puppet@production] debmonitor: Remove obsolete discovery certificate

https://gerrit.wikimedia.org/r/1016723

gerritbot added a comment.Apr 4 2024, 11:27 AM

Change #1016726 merged by Muehlenhoff:

[labs/private@master] Remove dummy cert for debmonitor

https://gerrit.wikimedia.org/r/1016726

Muehlenhoff mentioned this in rLPRI65548fbb92fb: Remove dummy cert for debmonitor.Apr 4 2024, 11:29 AM
MoritzMuehlenhoff updated the task description. (Show Details)Apr 4 2024, 11:33 AM
andrea.denisse changed the status of subtask T360414: Phase out cergen for Observability services from Open to In Progress.Apr 4 2024, 5:45 PM
andrea.denisse updated the task description. (Show Details)Apr 4 2024, 8:03 PM
akosiaris subscribed.Apr 8 2024, 3:59 PM
MoritzMuehlenhoff updated the task description. (Show Details)Apr 9 2024, 12:32 PM
andrea.denisse updated the task description. (Show Details)Apr 9 2024, 4:31 PM
andrea.denisse updated the task description. (Show Details)Apr 9 2024, 6:45 PM
MoritzMuehlenhoff updated the task description. (Show Details)Apr 10 2024, 11:29 AM
jijiki removed a subtask: T360778: Move maps/karthoterian to PKI/cfssl.Apr 11 2024, 9:34 AM
jijiki updated the task description. (Show Details)
MoritzMuehlenhoff updated the task description. (Show Details)Apr 12 2024, 7:35 AM
MoritzMuehlenhoff updated the task description. (Show Details)Apr 15 2024, 1:35 PM
MoritzMuehlenhoff updated the task description. (Show Details)Apr 16 2024, 8:29 AM
MoritzMuehlenhoff updated the task description. (Show Details)Apr 17 2024, 7:16 AM
Dzahn closed subtask T360413: Phase out cergen for Collaboration Services services as Resolved.Apr 18 2024, 9:47 PM
Dzahn updated the task description. (Show Details)
Dzahn updated the task description. (Show Details)Apr 18 2024, 11:11 PM
MoritzMuehlenhoff updated the task description. (Show Details)Apr 25 2024, 3:22 PM
BTullis updated the task description. (Show Details)Apr 26 2024, 5:00 PM
andrea.denisse updated the task description. (Show Details)Apr 29 2024, 3:12 PM
andrea.denisse updated the task description. (Show Details)Apr 29 2024, 6:30 PM
bking closed subtask T360439: Phase out cergen for Search Platform services as Resolved.May 1 2024, 1:23 PM
MoritzMuehlenhoff updated the task description. (Show Details)May 2 2024, 12:58 PM
elukey mentioned this in T356412: Consolidate TLS cert puppetry for ms and thanos swift frontends.May 2 2024, 4:12 PM
andrea.denisse updated the task description. (Show Details)May 2 2024, 5:47 PM
gerritbot added a comment.May 3 2024, 8:58 AM

Change #1026804 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Stop supporting sslcert in Profile::Pki::Provider type

https://gerrit.wikimedia.org/r/1026804

gerritbot added a comment.May 7 2024, 1:50 PM

Change #1026804 merged by Muehlenhoff:

[operations/puppet@production] Stop supporting sslcert in Profile::Pki::Provider type

https://gerrit.wikimedia.org/r/1026804

gerritbot added a comment.May 8 2024, 8:53 AM

Change #1029128 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] profile::swift::proxy_tls: Use Envoy unconditionally and drop Hiera flag

https://gerrit.wikimedia.org/r/1029128

gerritbot added a comment.May 8 2024, 9:50 AM

Change #1029140 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Inline profile::swift::proxy_tls

https://gerrit.wikimedia.org/r/1029140

andrea.denisse closed subtask T360414: Phase out cergen for Observability services as Resolved.May 9 2024, 2:17 PM
andrea.denisse updated the task description. (Show Details)May 9 2024, 4:15 PM
MoritzMuehlenhoff updated the task description. (Show Details)May 10 2024, 5:54 AM
Jgreen closed subtask T360779: Phase out cergen for Fundraising services as Resolved.May 13 2024, 5:49 PM
Jgreen reopened subtask T360779: Phase out cergen for Fundraising services as Open.May 13 2024, 5:59 PM
Jgreen closed subtask T360779: Phase out cergen for Fundraising services as Resolved.May 13 2024, 6:28 PM
gerritbot added a comment.May 14 2024, 10:33 AM

Change #1029128 merged by Muehlenhoff:

[operations/puppet@production] profile::swift::proxy_tls: Use Envoy unconditionally and drop Hiera flag

https://gerrit.wikimedia.org/r/1029128

gerritbot added a comment.May 14 2024, 11:22 AM

Change #1029140 merged by Muehlenhoff:

[operations/puppet@production] Inline profile::swift::proxy_tls

https://gerrit.wikimedia.org/r/1029140

elukey changed the status of subtask T356412: Consolidate TLS cert puppetry for ms and thanos swift frontends from Open to Stalled.May 15 2024, 2:42 PM
Pppery removed a project: Patch-For-Review.May 21 2024, 6:10 PM
gerritbot added a comment.May 24 2024, 6:55 AM

Change #1035631 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] tlsproxy::envoy: Remove support for legacy sslcert provider

https://gerrit.wikimedia.org/r/1035631

gerritbot added a project: Patch-For-Review.May 24 2024, 6:55 AM
MoritzMuehlenhoff added a parent task: T365798: Shutdown of Puppet 5 servers.May 24 2024, 10:39 AM
gerritbot added a comment.May 29 2024, 8:09 AM

Change #1036998 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove obsolete wikikube/staging etcd certificates

https://gerrit.wikimedia.org/r/1036998

gerritbot added a comment.May 29 2024, 8:28 AM

Change #1037002 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove obsolete wikikube etcd certificates

https://gerrit.wikimedia.org/r/1037002

elukey closed subtask T356412: Consolidate TLS cert puppetry for ms and thanos swift frontends as Resolved.May 29 2024, 1:32 PM
elukey updated the task description. (Show Details)
gerritbot added a comment.May 29 2024, 1:38 PM

Change #1037074 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove ms-fe certs

https://gerrit.wikimedia.org/r/1037074

gerritbot added a comment.Jun 3 2024, 7:39 AM

Change #1036998 merged by Muehlenhoff:

[operations/puppet@production] Remove obsolete wikikube/staging etcd certificates

https://gerrit.wikimedia.org/r/1036998

MoritzMuehlenhoff updated the task description. (Show Details)Jun 3 2024, 8:02 AM
gerritbot added a comment.Jun 3 2024, 1:42 PM

Change #1037074 merged by Muehlenhoff:

[operations/puppet@production] Remove ms-fe certs

https://gerrit.wikimedia.org/r/1037074

MoritzMuehlenhoff updated the task description. (Show Details)Jun 5 2024, 10:53 AM
gerritbot added a comment.Jun 13 2024, 7:30 AM

Change #1042898 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] tlsproxy::localssl: Remove support for cergen certs

https://gerrit.wikimedia.org/r/1042898

MoritzMuehlenhoff updated the task description. (Show Details)Jun 13 2024, 10:31 AM
MoritzMuehlenhoff mentioned this in T368023: Move the private Puppet repository to puppetserver1001.Jun 20 2024, 8:47 AM
gerritbot added a comment.Jun 20 2024, 11:38 AM

Change #1037002 merged by Muehlenhoff:

[operations/puppet@production] Remove obsolete wikikube etcd certificates

https://gerrit.wikimedia.org/r/1037002

gerritbot added a comment.Sep 4 2024, 3:56 PM

Change #1042898 merged by Ryan Kemper:

[operations/puppet@production] tlsproxy::localssl: Remove support for cergen certs

https://gerrit.wikimedia.org/r/1042898

gerritbot added a comment.Sep 13 2024, 12:35 PM

Change #1072737 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove old parsoid certs

https://gerrit.wikimedia.org/r/1072737

gerritbot added a comment.Sep 13 2024, 12:35 PM

Change #1072738 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[labs/private@master] labs-private: Remove parsoid stub secrets

https://gerrit.wikimedia.org/r/1072738

gerritbot added a comment.Sep 13 2024, 2:51 PM

Change #1072737 merged by Alexandros Kosiaris:

[operations/puppet@production] Remove old parsoid certs

https://gerrit.wikimedia.org/r/1072737

gerritbot added a comment.Sep 13 2024, 2:51 PM

Change #1072738 merged by Alexandros Kosiaris:

[labs/private@master] labs-private: Remove parsoid stub secrets

https://gerrit.wikimedia.org/r/1072738

Muehlenhoff mentioned this in rLPRI92ec426bd176: labs-private: Remove parsoid stub secrets.Sep 13 2024, 3:15 PM
MoritzMuehlenhoff updated the task description. (Show Details)Sep 18 2024, 11:00 AM
MoritzMuehlenhoff closed subtask T360506: Migrate purged away from cergen-issued certificate as Resolved.Sep 19 2024, 9:59 AM
gerritbot added a comment.Sep 24 2024, 9:48 AM

Change #1075152 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove obsolete rendering certs

https://gerrit.wikimedia.org/r/1075152

gerritbot added a comment.Sep 26 2024, 1:40 PM

Change #1075152 merged by Muehlenhoff:

[operations/puppet@production] Remove obsolete rendering certs

https://gerrit.wikimedia.org/r/1075152

gerritbot added a comment.Sep 26 2024, 1:41 PM

Change #1075922 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove obsolete config-master cergen cert

https://gerrit.wikimedia.org/r/1075922

gerritbot added a comment.Oct 15 2024, 10:35 AM

Change #1080254 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/dns@master] Remove obsolete parsoid records

https://gerrit.wikimedia.org/r/1080254

gerritbot added a comment.Oct 15 2024, 10:40 AM

Change #1080254 merged by Clément Goubert:

[operations/dns@master] Remove obsolete parsoid records

https://gerrit.wikimedia.org/r/1080254

gerritbot added a comment.Oct 24 2024, 12:14 PM

Change #1075922 merged by Muehlenhoff:

[operations/puppet@production] Remove obsolete config-master cergen cert

https://gerrit.wikimedia.org/r/1075922

gerritbot added a comment.Oct 29 2024, 11:19 AM

Change #1084058 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[labs/private@master] Remove obsolete stub cert for config-master

https://gerrit.wikimedia.org/r/1084058

gerritbot added a comment.Oct 29 2024, 12:22 PM

Change #1084058 merged by Muehlenhoff:

[labs/private@master] Remove obsolete stub cert for config-master

https://gerrit.wikimedia.org/r/1084058

MoritzMuehlenhoff updated the task description. (Show Details)Oct 29 2024, 12:42 PM
MoritzMuehlenhoff updated the task description. (Show Details)
gerritbot added a comment.Oct 29 2024, 3:48 PM

Change #1084149 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[labs/private@master] Remove obsolete rendering stub certs

https://gerrit.wikimedia.org/r/1084149

gerritbot added a comment.Oct 29 2024, 3:48 PM

Change #1084150 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[labs/private@master] Remove stub certs for ms-fe

https://gerrit.wikimedia.org/r/1084150

gerritbot added a comment.Oct 29 2024, 3:58 PM

Change #1084149 merged by Muehlenhoff:

[labs/private@master] Remove obsolete rendering stub certs

https://gerrit.wikimedia.org/r/1084149

gerritbot added a comment.Oct 30 2024, 1:46 PM

Change #1084150 merged by Muehlenhoff:

[labs/private@master] Remove stub certs for ms-fe

https://gerrit.wikimedia.org/r/1084150

Stashbot added a comment.Apr 14 2025, 12:43 PM

Mentioned in SAL (#wikimedia-operations) [2025-04-14T12:43:45Z] <moritzm> remove ganeti01.svc.eqsin.wmnet cert (replaced by cfssl cert) T357750

Stashbot added a comment.Apr 14 2025, 12:46 PM

Mentioned in SAL (#wikimedia-operations) [2025-04-14T12:46:05Z] <moritzm> remove ganeti01.svc.ulsfo.wmnet cert (replaced by cfssl cert) T357750

Stashbot added a comment.Apr 14 2025, 12:49 PM

Mentioned in SAL (#wikimedia-operations) [2025-04-14T12:49:37Z] <moritzm> remove ganeti01.svc.esams.wmnet cert (replaced by cfssl cert) T357750

Stashbot added a comment.Apr 14 2025, 12:53 PM

Mentioned in SAL (#wikimedia-operations) [2025-04-14T12:53:06Z] <moritzm> remove ganeti01.svc.codfw.wmnet cert (replaced by cfssl cert) T357750

Stashbot added a comment.Apr 14 2025, 1:00 PM

Mentioned in SAL (#wikimedia-operations) [2025-04-14T13:00:58Z] <moritzm> remove ganeti01.svc.eqiad.wmnet cert (replaced by cfssl cert) T357750

hashar mentioned this in T335765: Migrate all CI jobs from buster to bullseye or later and drop buster testing support.Jul 11 2025, 1:20 PM
hashar added a parent task: T335765: Migrate all CI jobs from buster to bullseye or later and drop buster testing support.
LSobanski awarded a token.Mon, Nov 24, 12:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits