Page MenuHomePhabricator

Move maps/karthoterian to PKI/cfssl
Open, Needs TriagePublic

Description

cergen is our legacy tooling to manage/generate TLS certificates (https://wikitech.wikimedia.org/wiki/Cergen). It has been replaced by an installation of cfssl (https://wikitech.wikimedia.org/wiki/PKI) and the majority of services uses it.

Our cergen installation is co-hosted on one of the Puppet master (5) frontends (puppetmaster1001), which runs Buster. cergen is based on legacy libraries (it uses networkx v1, which is incompatible with current networkx releases (networkx 2 was released in 2017) and even when the puppetmasters were moved to Buster, this needed a hack to build a co-installable legacy package in a compomnent (T235405).

Instead of forward-porting it yet again to the new installation we'll use the Puppet 5 -> Puppet 7 migration to also phase out cergen and only use cfssl.

Most of those certs are used by Envoy and our Puppet integration makes switching relatively straightforward by switching the profile::tlsproxy::envoy::ssl_provider Hiera flag to "cfssl" (along with specifying SNI names via profile::tlsproxy::envoy::cfssl_options/hosts)

Some examples for this can be found at
https://github.com/wikimedia/operations-puppet/commit/66fbddeac3a4b2dfa1d8e19a49cc649dcb745f18
https://github.com/wikimedia/operations-puppet/commit/a00d0441b4509e736d8abd6ff63f25224e306239

For use cases outside of Envoy the profile::pki::get_cert define provides a convenient method to request certificates. An example how the gradual migration was implemented for the Ganeti RAPI endpoint can be found at https://github.com/wikimedia/operations-puppet/commit/98350d2dff51bb9bf57263fe50f409374892ae1d

The kartotherian discovery cert is current defined in /srv/private/modules/secret/secrets/certificates/certificate.manifests.d/karthoterian.certs.yaml and needs to be moved to PKI/cfssl.

Event Timeline

Change #1035351 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] maps: Add option to use PKI (WIP)

https://gerrit.wikimedia.org/r/1035351

Change #1035351 merged by Muehlenhoff:

[operations/puppet@production] maps: Add option to use PKI

https://gerrit.wikimedia.org/r/1035351

Change #1036236 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] maps: Switch kartotherian on maps2007 to PKI

https://gerrit.wikimedia.org/r/1036236

Change #1036247 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] maps: Don't pass additional server aliases when using PKI

https://gerrit.wikimedia.org/r/1036247

Change #1036247 merged by Muehlenhoff:

[operations/puppet@production] maps: Don't pass additional server aliases when using PKI

https://gerrit.wikimedia.org/r/1036247