cergen is our legacy tooling to manage/generate TLS certificates (https://wikitech.wikimedia.org/wiki/Cergen). It has been replaced by an installation of cfssl (https://wikitech.wikimedia.org/wiki/PKI) and the majority of services uses it.
Our cergen installation is co-hosted on one of the Puppet master (5) frontends (puppetmaster1001), which runs Buster. cergen is based on legacy libraries (it uses networkx v1, which is incompatible with current networkx releases (networkx 2 was released in 2017) and even when the puppetmasters were moved to Buster, this needed a hack to build a co-installable legacy package in a compomnent (T235405).
Instead of forward-porting it yet again to the new installation we'll use the Puppet 5 -> Puppet 7 migration to also phase out cergen and only use cfssl.
Most of those certs are used by Envoy and our Puppet integration makes switching relatively straightforward by switching the profile::tlsproxy::envoy::ssl_provider Hiera flag to "cfssl" (along with specifying SNI names via profile::tlsproxy::envoy::cfssl_options/hosts)
Some examples for this can be found at
https://github.com/wikimedia/operations-puppet/commit/66fbddeac3a4b2dfa1d8e19a49cc649dcb745f18
https://github.com/wikimedia/operations-puppet/commit/a00d0441b4509e736d8abd6ff63f25224e306239
For use cases outside of Envoy the profile::pki::get_cert define provides a convenient method to request certificates. An example how the gradual migration was implemented for the Ganeti RAPI endpoint can be found at https://github.com/wikimedia/operations-puppet/commit/98350d2dff51bb9bf57263fe50f409374892ae1d
Some existing certs will be obsoleted when the migration of mediawiki to k8s is completed and T352245 has a pre-existing task already.
In addition there are 4 certificate YAML specs defined in /srv/private/modules/secret/secrets/certificates/certificate.manifests.d which need to be moved to PKI/cfssl. Some services are likely also ported already and only the YAML spec file and the legacy certs were forgotten and fixing it might be a simple as removing the legacy cert material.
- chartmuseum.certs.yaml
- docker_registry.certs.yaml
- _etcd-server-ssl._tcp.v3.certs.yaml T352245
- etcd-v3.certs.yaml T352245
- etcd-v3-eqiad.certs.yaml T352245
- mediawiki.certs.yaml (will be obsoleted when all legacy deployments are moved to wikikube)
- mwmaint.certs.yaml (used by noc.w.o which is already on wikikube, should be just a cleanup)
- parsoid.certs.yaml (will be obsoleted when all legacy deployments are moved to wikikube)
- restbase.certs.yaml
- testreduce.certs.yaml
- maps/karthoterian T360778