cergen is currently only installed on puppetmaster1001 by means of the cergen Puppet class. Even building cergen for Buster proved to be challenging back then, as it needs python-networkx 1 and even back then needed python3-lib2to3 (https://phabricator.wikimedia.org/T235405).
There are currently 47 services defined in certificate.manifests.d which use the Puppet 5 CA (authority: puppet_ca). We should probably just fix forward and move them all to the PKI/cfssl (some might also no longer be in use and just need cleaning up):
Data Engineering:
[] analytics_http_ui.certs.yaml T360412
[] kafka_test.certs.yaml T360412
[] schema.certs.yaml T360412
Collaboration Services:
[] aphlict.certs.yaml T360413
[x] apt-staging.certs.yaml T360413
[] contint.certs.yaml T360413
[x] doc.certs.yaml T360413
[x] etherpad.certs.yaml T360413
[] phabricator.certs.yaml T360413
[x] peopleweb.certs.yaml T360413
[x] planet.certs.yaml T360413
[x] releases.certs.yaml T360413
[x] rt.certs.yaml T360413
[x] ticket.certs.yaml T360413
[x] ticket-test.certs.yaml T360413
[] webserver_misc_apps.certs.yaml T360413
ServiceOps:
[] chartmuseum.certs.yaml T360636
[] docker_registry.certs.yaml T360636
[] _etcd-server-ssl._tcp.v3.certs.yaml T352245
[] etcd-v3.certs.yaml T352245
[] etcd-v3-eqiad.certs.yaml T352245
[] mediawiki.certs.yaml (will be obsoleted when all legacy deployments are moved to wikikube) T360636
[] mwmaint.certs.yaml (used by noc.w.o which is already on wikikube, should be just a cleanup) T360636
[] parsoid.certs.yaml (will be obsoleted when all legacy deployments are moved to wikikube) T360636
[] restbase.certs.yaml T360636
[] testreduce.certs.yaml T360636
Infrastructure Foundations:
[] config-master.certs.yaml (config-master.w.o uses cfssl starting with https://github.com/wikimedia/operations-puppet/commit/131906b285e54518cbed24937ca84228e593d7f4, but cert still in use for Puppet master frontends (and will be phased out along with it))
[] debmonitor.certs.yaml
[] puppet_ca.certs.yaml
Observability:
[] grafana.certs.yaml T360414
[] grafana_labs.certs.yaml T360414
[] graphite.certs.yaml T360414
[] kibana.certs.yaml T360414
[] performance.certs.yaml T360414
[] prometheus.certs.yaml T360414
[] thanos-query.certs.yaml T360414
[] webperf.certs.yaml T360414
frtech:
[] kafka_fundraising_client.certs.yaml T360779
Unowned:
[] kartotherian.certs.yaml T360778
Cloud Services:
[x] labweb.certs.yaml (Removed by Taavi in https://gerrit.wikimedia.org/r/c/operations/puppet/+/1012629 and https://gerrit.wikimedia.org/r/c/operations/puppet/+/1013009)
Traffic:
[] purged.certs.yaml T360506
Search:
[] relforge.certs.yaml T360439
[] search.certs.yaml T360439
[] wcqs.certs.yaml T360439
[] wdqs.certs.yaml T360439
[] wdqs-internal.certs.yaml T360439
Data Persistence:
[] swift.certs.yaml T356412