Page MenuHomePhabricator
Create Task
Maniphest T360779

Phase out cergen for Fundraising services
Closed, ResolvedPublic
Actions

Description

cergen is our legacy tooling to manage/generate TLS certificates (https://wikitech.wikimedia.org/wiki/Cergen). It has been replaced by an installation of cfssl (https://wikitech.wikimedia.org/wiki/PKI) and the majority of services uses it.

Fundraising uses a client certificate generated with cergen for its kafaktee instance, which consumes from the kafka-jumbo cluster. Historically Fundraising Tech Ops generates the certificate in production, and imports it to the fundraising puppet-private repository.

If we can continue to manually generate a certificate with cfssl that will be fine for our purposes.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add an icinga/nsca collector for Fundraising kafka client cert expire check.operations/puppetproduction+6 -0
profile::frtech::kafka_certificate: Fix owneroperations/puppetproduction+1 -1
Add a class to Cumin hosts which generates a Kafka certificate for frtechoperations/puppetproduction+23 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Jgreen created this task.Mar 22 2024, 3:04 PM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptMar 22 2024, 3:04 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Jgreen mentioned this in T357750: Phase out cergen.Mar 22 2024, 3:05 PM
elukey added a comment.Apr 4 2024, 12:54 PM

Hi Jeff!

After a chat with Moritz we agreed that the simplest solution would be to create the cert via puppet in production on some host (we need to figure out which one) and then you can copy the necessary files over to Fundraising when needed.

Caveat: the TLS certs issued by the Kafka intermediate CA last for 180 days, so puppet will create a new cert twice a year.

The code to generate the client cert should be the same (or very similar) to what we do for varnishkafka in profile::cache::kafka::certificate.

MoritzMuehlenhoff added a comment.Apr 4 2024, 12:56 PM

As for the host where to export the keys, the cumin hosts seems like the best choice.

MoritzMuehlenhoff removed projects: Puppet-Infrastructure, Puppet (Puppet 7.0), Infrastructure-Foundations.Apr 8 2024, 12:12 PM
MoritzMuehlenhoff triaged this task as Medium priority.Apr 9 2024, 7:04 AM
Jgreen added a comment.Apr 9 2024, 1:03 PM
In T360779#9688343, @elukey wrote:

Hi Jeff!

After a chat with Moritz we agreed that the simplest solution would be to create the cert via puppet in production on some host (we need to figure out which one) and then you can copy the necessary files over to Fundraising when needed.

Caveat: the TLS certs issued by the Kafka intermediate CA last for 180 days, so puppet will create a new cert twice a year.

The code to generate the client cert should be the same (or very similar) to what we do for varnishkafka in profile::cache::kafka::certificate.

Sounds fine to me. I looked at the puppet code and if I understand correctly, cfssl::cert will automatically generate a new certificate 10 (default) days before expiration. Hopefully we can figure out how to make puppet send a notification when the new cert is available, so we can fetch and deploy it in frack.

MoritzMuehlenhoff added a comment.Apr 9 2024, 1:46 PM
In T360779#9700772, @Jgreen wrote:

Sounds fine to me. I looked at the puppet code and if I understand correctly, cfssl::cert will automatically generate a new certificate 10 (default) days before expiration. Hopefully we can figure out how to make puppet send a notification when the new cert is available, so we can fetch and deploy it in frack.

One option would be to add a daily systemd::timer::job in Puppet which runs a short script which checks the remaining validity of the frack cert and if it's less than ten days, sends an email notification (via the $send_mail and $send_mail_to parameters) to some frtech mail alias.

For reviewing and merging patches, simply add me as reviewer, happy to happy/unblock what is needed.

BCornwall edited projects, added Fundraising-Backlog; removed SRE.Apr 23 2024, 7:30 PM
AKanji-WMF moved this task from Triage to FR-Ops on the Fundraising-Backlog board.May 1 2024, 4:25 PM
gerritbot added a comment.May 10 2024, 9:21 AM

Change #1030018 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add a class to Cumin hosts which generates a Kafka certificate for frtech

https://gerrit.wikimedia.org/r/1030018

gerritbot added a project: Patch-For-Review.May 10 2024, 9:21 AM
gerritbot added a comment.May 13 2024, 11:20 AM

Change #1030018 merged by Muehlenhoff:

[operations/puppet@production] Add a class to Cumin hosts which generates a Kafka certificate for frtech

https://gerrit.wikimedia.org/r/1030018

gerritbot added a comment.May 13 2024, 11:30 AM

Change #1030917 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] profile::frtech::kafka_certificate: Fix owner

https://gerrit.wikimedia.org/r/1030917

gerritbot added a comment.May 13 2024, 11:35 AM

Change #1030917 merged by Muehlenhoff:

[operations/puppet@production] profile::frtech::kafka_certificate: Fix owner

https://gerrit.wikimedia.org/r/1030917

MoritzMuehlenhoff added a comment.May 13 2024, 11:59 AM

@Dwisehaupt @Jgreen The kafka cert issued by the PKI is now getting deployed to /etc/fr-tech-kafka-client on cumin1002/cumin2002. Could you please sync it to fr-tech and test/deploy instead of the old cergen-issued cert? When this has been confirmed to work fine, we can add a systemd timer which sends a notification if the key renewal is forthcoming.

Jgreen added a comment.May 13 2024, 5:44 PM
In T360779#9789862, @MoritzMuehlenhoff wrote:

@Dwisehaupt @Jgreen The kafka cert issued by the PKI is now getting deployed to /etc/fr-tech-kafka-client on cumin1002/cumin2002. Could you please sync it to fr-tech and test/deploy instead of the old cergen-issued cert? When this has been confirmed to work fine, we can add a systemd timer which sends a notification if the key renewal is forthcoming.

@MoritzMuehlenhoff We've switched over to the new cert.

Jgreen closed this task as Resolved.May 13 2024, 5:49 PM
Jgreen claimed this task.
Jgreen reopened this task as Open.May 13 2024, 5:59 PM

Hmmmm. I'm seeing this occasionally:

Kafka error (-195): ssl://kafka-jumbo1010.eqiad.wmnet:9093/1010: Connect to ipv4#10.64.130.10:9093 failed: Connection refused (after 0ms in state CONNECT, 1 identical error(s) suppressed)

Only from kafka-jumbo1010 and kafka-jumbo1011. Kafkatee is receiving content, although I'm not sure yet whether from these two brokers.

Jgreen added a comment.May 13 2024, 6:10 PM

This isn't limited to the two hosts I mentioned above. It seems like at any given time one of the kafka-jumbo is refusing connections.

Jgreen closed this task as Resolved.May 13 2024, 6:28 PM

Looks like coincidental rolling kafka restarts.

MoritzMuehlenhoff added a comment.May 29 2024, 9:37 AM

@Jgreen: Just to doublecheck, the certificate expiry is tracked via monitoring internal to fr-tech (or some manual equialent like a gcal entry)? Just want to make sure nothing else is needed before I clean out the old cergen definitions for the previously used Kafka cert.

gerritbot added a comment.May 29 2024, 1:42 PM

Change #1037075 had a related patch set uploaded (by Jgreen; author: Jgreen):

[operations/puppet@production] Add an icinga/nsca collector for Fundraising kafka client cert expire check.

https://gerrit.wikimedia.org/r/1037075

Jgreen added a comment.May 29 2024, 1:48 PM
In T360779#9841199, @MoritzMuehlenhoff wrote:

@Jgreen: Just to doublecheck, the certificate expiry is tracked via monitoring internal to fr-tech (or some manual equialent like a gcal entry)? Just want to make sure nothing else is needed before I clean out the old cergen definitions for the previously used Kafka cert.

I added a local nagios/icinga check, once the above-linked commit is merged we should be good to go.

gerritbot added a comment.May 30 2024, 9:03 AM

Change #1037075 merged by Filippo Giunchedi:

[operations/puppet@production] Add an icinga/nsca collector for Fundraising kafka client cert expire check.

https://gerrit.wikimedia.org/r/1037075

MoritzMuehlenhoff added a comment.May 31 2024, 8:31 AM
In T360779#9842162, @Jgreen wrote:
In T360779#9841199, @MoritzMuehlenhoff wrote:

@Jgreen: Just to doublecheck, the certificate expiry is tracked via monitoring internal to fr-tech (or some manual equialent like a gcal entry)? Just want to make sure nothing else is needed before I clean out the old cergen definitions for the previously used Kafka cert.

I added a local nagios/icinga check, once the above-linked commit is merged we should be good to go.

With the patch merged, can you please doublecheck the cert monitoring is now working fine for you? Then as the last cleanup step, I'd go ahead and remove the legacy cert from cergen.

Jgreen added a comment.May 31 2024, 1:46 PM
In T360779#9849539, @MoritzMuehlenhoff wrote:
In T360779#9842162, @Jgreen wrote:
In T360779#9841199, @MoritzMuehlenhoff wrote:

@Jgreen: Just to doublecheck, the certificate expiry is tracked via monitoring internal to fr-tech (or some manual equialent like a gcal entry)? Just want to make sure nothing else is needed before I clean out the old cergen definitions for the previously used Kafka cert.

I added a local nagios/icinga check, once the above-linked commit is merged we should be good to go.

With the patch merged, can you please doublecheck the cert monitoring is now working fine for you? Then as the last cleanup step, I'd go ahead and remove the legacy cert from cergen.

@MoritzMuehlenhoff cert monitoring looks good, icinga is reporting the check correctly.

MoritzMuehlenhoff added a comment.Jun 3 2024, 8:06 AM
In T360779#9850057, @Jgreen wrote:

@MoritzMuehlenhoff cert monitoring looks good, icinga is reporting the check correctly.

Ack, I've just removed the cergen certs formerly used by the Kafka fundraising client.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits