As we are due to update the puppet CA, we will need to know all locations where the certificate is currently used. The following is a good list of places to start looking, but it may not be complete:
- keys created using cergen
- users of base::expose_puppet_certs
- the few users we have that either reference puppet_ssldir() or manually hardcode the /var/lib/puppet/ssl directory
- Any helm charts that need our CA cert: [[ https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/551610/2/charts/eventgate/templates/configmap.yaml | eventgate ]]
The following services make reference to `Puppet_Internal_CA.crt`:
[] etcd: [[ https://github.com/wikimedia/puppet/blob/production/modules/etcd/templates/initscripts/etcd.systemd.erb#L30 | The systemd service references the puppet CA ]]
* etcd::v3: also [[ https://github.com/wikimedia/puppet/blob/production/modules/profile/manifests/etcd/v3.pp#L77 | references this file ]] for use in [[ https://github.com/wikimedia/puppet/blob/production/modules/etcd/templates/v3.etcd.default.erb#L28 | `/etc/default/etcd` ]]
[x] trafficserver: The main [[ https://github.com/wikimedia/puppet/blob/production/modules/trafficserver/templates/records.config.erb#L197-L199 | ATS config uses the puppet CA ]] via [[ https://github.com/wikimedia/puppet/blob/production/hieradata/common/profile/trafficserver/backend.yaml#L281-L290 | `$profile::trafficserver::backend::outbound_tls_settings` ]]
[x] puppetdb: The puppetDB application references the public cert in both the [[ https://github.com/wikimedia/puppet/blob/production/modules/puppetdb/manifests/app.pp#L68-L100 | postgres ]] and [[ https://github.com/wikimedia/puppet/blob/production/modules/puppetdb/manifests/app.pp#L132-L149 | jetty ]] config
* it's also the default for [[ https://github.com/wikimedia/puppet/blob/production/modules/puppetmaster/manifests/puppetdb.pp#L10 | `puppetmaster::puppetdb::ca_path` ]]
[x] prometheus - mysqld_exporter_config.py: [[ https://github.com/wikimedia/puppet/blob/production/modules/profile/files/prometheus/mysqld_exporter_config.py#L16 | references the file ]]; however, this is a script and not a daemon, so it shouldn't need special handling
[x] debmonitor::client: this [[ https://github.com/wikimedia/puppet/blob/production/modules/profile/manifests/debmonitor/client.pp#L19 | references ]] and [[ https://github.com/wikimedia/puppet/blob/production/modules/profile/templates/debmonitor/client/debmonitor.conf.erb#L5 | uses the puppet CA file ]]; however, this runs from cron so it shouldn't require special treatment
[x] profile::netbox: [[ https://github.com/wikimedia/puppet/blob/production/modules/profile/manifests/netbox.pp#L65-L67 | references the file ]] and uses it for [[ https://github.com/wikimedia/puppet/blob/production/modules/profile/templates/netbox/netbox-ganeti-sync.cfg.erb#L7 | ganeti ]], [[ https://github.com/wikimedia/puppet/blob/production/modules/netbox/manifests/init.pp#L157-L159 | swift ]] and [[ https://github.com/wikimedia/puppet/blob/production/modules/profile/templates/netbox/netbox-reports.cfg.erb#L11 | puppetdb ]] operations
[x] profile::cache::kafka::certificate: [[ https://github.com/wikimedia/puppet/blob/production/modules/profile/manifests/cache/kafka/certificate.pp#L75-L77 | references this file ]] and [[ https://github.com/wikimedia/puppet/blob/production/modules/profile/manifests/cache/kafka/certificate.pp#L82-L87 | creates it under /etc/ssl/certs/ ]]; however, this should not be required as it's handled by [[ https://github.com/wikimedia/puppet/blob/production/modules/profile/manifests/base/certificates.pp#L37-L42 | base::certificates ]] and `update-ca-certificates`, which is installed everywhere
[x] postgresql: This module [[ https://github.com/wikimedia/puppet/blob/production/modules/postgresql/files/ssl.conf#L4 | hard-codes the CA cert path ]]
[] k8s kube controller manager: [[ https://github.com/wikimedia/puppet/blob/production/modules/k8s/templates/kube-controller-manager.default.erb#L10 | has this file hard-coded ]]
[] calico: mentions this file in its [[ https://github.com/wikimedia/puppet/blob/production/modules/calico/templates/initscripts/calico-node.systemd.erb#L9 | systemd init file ]] and its [[ https://github.com/wikimedia/puppet/blob/production/modules/calico/templates/cni.conf.erb#L5 | config file ]]
[] mariadb: uses this file in roles for [[ https://github.com/wikimedia/puppet/blob/production/modules/role/templates/mariadb/mysqld_config/phabricator.my.cnf.erb#L97 | phabricator ]], [[ https://github.com/wikimedia/puppet/blob/production/modules/role/templates/mariadb/mysqld_config/labsdb-replica.my.cnf.erb#L94 | labsdb ]], [[ https://github.com/wikimedia/puppet/blob/production/modules/role/templates/mariadb/mysqld_config/tools.my.cnf.erb#L90 | tools ]], [[ https://github.com/wikimedia/puppet/blob/production/modules/role/templates/mariadb/mysqld_config/parsercache.my.cnf.erb#L105 | parsercache ]], [[ https://github.com/wikimedia/puppet/blob/production/modules/role/templates/mariadb/mysqld_config/misc.my.cnf.erb#L92 | misc ]], [[ https://github.com/wikimedia/puppet/blob/production/modules/role/templates/mariadb/mysqld_config/core-mysql.my.cnf.erb#L119 | core-mysql ]], [[ https://github.com/wikimedia/puppet/blob/production/modules/role/templates/mariadb/mysqld_config/production.my.cnf.erb#L150 | production ]] and [[ https://github.com/wikimedia/puppet/blob/production/modules/role/templates/mariadb/mysqld_config/dbstore_multiinstance.my.cnf.erb#L79 | dbstore ]]
[x] check_mariadb.py: [[ https://github.com/wikimedia/puppet/blob/production/modules/mariadb/files/check_mariadb.py#L145 | references this file ]]; however, as it's a script it should not cause an issue
[x] backup_mariadb.py: [[ https://github.com/wikimedia/puppet/blob/production/modules/profile/files/mariadb/backup_mariadb.py#L47 | references this file ]]; however, as it's a script it should not cause an issue
[x] rsync::server can reference the internal CA (when the [[ https://github.com/wikimedia/puppet/blob/production/modules/rsync/templates/stunnel.conf.erb | stunnel wrapper ]] is enabled). A simple `systemctl reload stunnel` should be sufficient on the servers using this
[x] [[ https://github.com/wikimedia/puppet/blob/production/modules/profile/templates/rsyslog/output_kafka.conf.erb#L63 | rsyslog kafka output ]]
[x] helm references this certificate in the [[ https://github.com/wikimedia/operations-deployment-charts/blob/master/helmfile.d/services/eqiad/eventgate-logging-external/values.yaml#L24-L25 | deployment charts repo ]]
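To keep the inventory above from going stale as the CA rotation approaches, the search it describes (the `Puppet_Internal_CA.crt` file name, `puppet_ssldir()`, the hard-coded `/var/lib/puppet/ssl` directory and `base::expose_puppet_certs`) can be rerun mechanically over a checkout of the puppet repo. The script below is an added example, not part of this task or of the puppet repo; the scanned file suffixes, the script-vs-daemon triage heuristic and the sample tree it builds are all assumptions constructed for illustration.

```python
"""Scan a puppet checkout for references to the puppet CA (added example).

Patterns come from the lists in the task; the mini tree built by
build_sample_tree() is constructed here so the script runs offline.
"""
import re
import tempfile
from pathlib import Path

# The four kinds of reference the task says to look for.
CA_PATTERNS = {
    "ca_file": re.compile(r"Puppet_Internal_CA\.crt"),
    "puppet_ssldir": re.compile(r"puppet_ssldir\s*\("),
    "hardcoded_ssldir": re.compile(r"/var/lib/puppet/ssl"),
    "expose_puppet_certs": re.compile(r"base::expose_puppet_certs"),
}

# Assumed set of text file types worth scanning; everything else is skipped.
SCAN_SUFFIXES = {".pp", ".erb", ".epp", ".py", ".sh", ".yaml", ".yml",
                 ".conf", ".cnf", ".rb", ".cfg"}


def scan_tree(root):
    """Return sorted (relative_path, line_number, pattern_name) hits."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern in CA_PATTERNS.items():
                if pattern.search(line):
                    hits.append((path.relative_to(root).as_posix(), lineno, name))
    return hits


def classify(rel_path):
    """Heuristic triage mirroring the reasoning in the task: a script only
    reads the CA when it runs, while a daemon loads it at start-up and must
    be restarted or reloaded after the CA changes. Not authoritative."""
    if rel_path.endswith((".py", ".sh")):
        return "script (no restart needed)"
    if ".systemd." in rel_path or rel_path.endswith(
            (".conf", ".conf.erb", ".cnf.erb", ".default.erb")):
        return "daemon config (restart/reload required)"
    return "manifest/other (check the consumer)"


def build_sample_tree():
    """Constructed mini puppet tree echoing a few of the findings above."""
    root = Path(tempfile.mkdtemp(prefix="puppet-ca-scan-"))
    files = {
        "modules/etcd/templates/initscripts/etcd.systemd.erb":
            "ExecStart=/usr/bin/etcd --trusted-ca-file=/etc/ssl/certs/Puppet_Internal_CA.crt\n",
        "modules/postgresql/files/ssl.conf":
            "ssl_ca_file = '/etc/ssl/certs/Puppet_Internal_CA.crt'\n",
        "modules/mariadb/files/check_mariadb.py":
            "CA = '/etc/ssl/certs/Puppet_Internal_CA.crt'\n",
        "modules/profile/manifests/example.pp":
            "$ssldir = puppet_ssldir()\nbase::expose_puppet_certs { '/etc/example': }\n",
        "modules/example/files/example.conf":
            "ca = /var/lib/puppet/ssl/certs/ca.pem\n",
        "modules/example/files/README.md":
            "Puppet_Internal_CA.crt mentioned in docs only; .md is not scanned\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    # Point scan_tree() at a real checkout instead of the sample tree.
    sample_root = build_sample_tree()
    for rel, lineno, name in scan_tree(sample_root):
        print(f"{rel}:{lineno}  {name:<20} {classify(rel)}")
```

Run against a real checkout by passing its path to `scan_tree()`; the triage column is only a starting point, since a `.pp` hit still has to be traced to whatever service ends up consuming the certificate.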