Page MenuHomePhabricator
Create Task
Maniphest T360778

Move maps/karthoterian to PKI/cfssl
Closed, ResolvedPublic
Actions

Description

cergen is our legacy tooling to manage/generate TLS certificates (https://wikitech.wikimedia.org/wiki/Cergen). It has been replaced by an installation of cfssl (https://wikitech.wikimedia.org/wiki/PKI) and the majority of services uses it.

Our cergen installation is co-hosted on one of the Puppet master (5) frontends (puppetmaster1001), which runs Buster. cergen is based on legacy libraries (it uses networkx v1, which is incompatible with current networkx releases (networkx 2 was released in 2017) and even when the puppetmasters were moved to Buster, this needed a hack to build a co-installable legacy package in a compomnent (T235405).

Instead of forward-porting it yet again to the new installation we'll use the Puppet 5 -> Puppet 7 migration to also phase out cergen and only use cfssl.

Most of those certs are used by Envoy and our Puppet integration makes switching relatively straightforward by switching the profile::tlsproxy::envoy::ssl_provider Hiera flag to "cfssl" (along with specifying SNI names via profile::tlsproxy::envoy::cfssl_options/hosts)

Some examples for this can be found at
https://github.com/wikimedia/operations-puppet/commit/66fbddeac3a4b2dfa1d8e19a49cc649dcb745f18
https://github.com/wikimedia/operations-puppet/commit/a00d0441b4509e736d8abd6ff63f25224e306239

For use cases outside of Envoy the profile::pki::get_cert define provides a convenient method to request certificates. An example how the gradual migration was implemented for the Ganeti RAPI endpoint can be found at https://github.com/wikimedia/operations-puppet/commit/98350d2dff51bb9bf57263fe50f409374892ae1d

The kartotherian discovery cert is current defined in /srv/private/modules/secret/secrets/certificates/certificate.manifests.d/karthoterian.certs.yaml and needs to be moved to PKI/cfssl.

Details

SubjectRepoBranchLines +/-
profile::maps::tlsproxy: Unconditionally use PKIoperations/puppetproduction+9 -22
Remove kartotherian stub certlabs/privatemaster+0 -3
Remove kartotherian.discovery.wmnet.crt cergen certoperations/puppetproduction+0 -25
Switch maps/eqiad to PKI as welloperations/puppetproduction+2 -1
Switch maps/codfw to PKIoperations/puppetproduction+1 -2
maps: Switch kartotherian on maps2007 to PKIoperations/puppetproduction+1 -0
maps: Don't pass additional server aliases when using PKIoperations/puppetproduction+0 -1
maps: Add option to use PKIoperations/puppetproduction+25 -8
Customize query in gerrit

Related Objects
Search...

Event Timeline

MoritzMuehlenhoff created this task.Mar 22 2024, 1:51 PM
MoritzMuehlenhoff mentioned this in T357750: Phase out cergen.
jcrespo moved this task from Backlog to Acknowledged on the SRE board.Mar 25 2024, 9:06 AM
jcrespo added a project: Infrastructure-Foundations.Mar 26 2024, 10:23 AM
MoritzMuehlenhoff removed a project: Infrastructure-Foundations.Apr 8 2024, 12:08 PM
LSobanski added a project: serviceops.Apr 8 2024, 2:17 PM
jijiki edited parent tasks, added: T360636: Phase out cergen for ServiceOps services; removed: T357750: Phase out cergen.Apr 11 2024, 9:34 AM
jijiki mentioned this in T360636: Phase out cergen for ServiceOps services.
jijiki claimed this task.Apr 11 2024, 9:37 AM
gerritbot added a comment.May 23 2024, 10:26 AM

Change #1035351 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] maps: Add option to use PKI (WIP)

https://gerrit.wikimedia.org/r/1035351

gerritbot added a project: Patch-For-Review.May 23 2024, 10:26 AM
gerritbot added a comment.May 27 2024, 10:32 AM

Change #1035351 merged by Muehlenhoff:

[operations/puppet@production] maps: Add option to use PKI

https://gerrit.wikimedia.org/r/1035351

gerritbot added a comment.May 27 2024, 11:07 AM

Change #1036236 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] maps: Switch kartotherian on maps2007 to PKI

https://gerrit.wikimedia.org/r/1036236

gerritbot added a comment.May 27 2024, 11:52 AM

Change #1036247 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] maps: Don't pass additional server aliases when using PKI

https://gerrit.wikimedia.org/r/1036247

gerritbot added a comment.May 27 2024, 3:07 PM

Change #1036247 merged by Muehlenhoff:

[operations/puppet@production] maps: Don't pass additional server aliases when using PKI

https://gerrit.wikimedia.org/r/1036247

gerritbot added a comment.Jun 3 2024, 8:58 AM

Change #1036236 merged by Muehlenhoff:

[operations/puppet@production] maps: Switch kartotherian on maps2007 to PKI

https://gerrit.wikimedia.org/r/1036236

gerritbot added a comment.Jun 3 2024, 9:23 AM

Change #1038240 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Switch maps/codfw to PKI

https://gerrit.wikimedia.org/r/1038240

gerritbot added a comment.Jun 4 2024, 12:51 PM

Change #1038240 merged by Muehlenhoff:

[operations/puppet@production] Switch maps/codfw to PKI

https://gerrit.wikimedia.org/r/1038240

taavi unsubscribed.Jun 4 2024, 12:52 PM
Maintenance_bot removed a project: Patch-For-Review.Jun 4 2024, 1:30 PM
Paladox unsubscribed.Jun 4 2024, 1:31 PM
gerritbot added a comment.Jun 4 2024, 2:07 PM

Change #1038815 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Switch maps/eqiad to PKI as well

https://gerrit.wikimedia.org/r/1038815

gerritbot added a project: Patch-For-Review.Jun 4 2024, 2:07 PM
gerritbot added a comment.Jun 5 2024, 9:41 AM

Change #1038815 merged by Muehlenhoff:

[operations/puppet@production] Switch maps/eqiad to PKI as well

https://gerrit.wikimedia.org/r/1038815

gerritbot added a comment.Jun 5 2024, 9:48 AM

Change #1039188 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] profile::maps::tlsproxy: Unconditionally use PKI

https://gerrit.wikimedia.org/r/1039188

gerritbot added a comment.Jun 5 2024, 10:14 AM

Change #1039190 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove kartotherian.discovery.wmnet.crt cergen cert

https://gerrit.wikimedia.org/r/1039190

gerritbot added a comment.Jun 5 2024, 10:15 AM

Change #1039191 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[labs/private@master] Remove kartotherian stub cert

https://gerrit.wikimedia.org/r/1039191

gerritbot added a comment.Jun 5 2024, 10:32 AM

Change #1039190 merged by Muehlenhoff:

[operations/puppet@production] Remove kartotherian.discovery.wmnet.crt cergen cert

https://gerrit.wikimedia.org/r/1039190

gerritbot added a comment.Jun 5 2024, 10:36 AM

Change #1039191 merged by Muehlenhoff:

[labs/private@master] Remove kartotherian stub cert

https://gerrit.wikimedia.org/r/1039191

Muehlenhoff mentioned this in rLPRI056410e87e2e: Remove kartotherian stub cert.Jun 5 2024, 10:36 AM
MoritzMuehlenhoff closed this task as Resolved.Jun 5 2024, 10:52 AM
MoritzMuehlenhoff claimed this task.

maps is now using cfssl.

gerritbot added a comment.Jun 13 2024, 7:14 AM

Change #1039188 merged by Muehlenhoff:

[operations/puppet@production] profile::maps::tlsproxy: Unconditionally use PKI

https://gerrit.wikimedia.org/r/1039188

Maintenance_bot removed a project: Patch-For-Review.Jun 13 2024, 7:30 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits