The [[ https://github.com/wikimedia/puppet/blob/production/modules/cassandra/files/cassandra-ca-manager | `cassandra-ca-manager` ]] script exists to ease generation and distribution of Java keystore files, so that traffic between Cassandra clients and cluster nodes can be encrypted. However, this script doesn't have anything Cassandra-specific in it, and could be reused to enable encryption for Kafka traffic.
[[ https://github.com/wikimedia/puppet/blob/production/modules/puppetmaster/files/puppet_ecdsacert.rb | puppet_ecdsacert.rb ]] exists to help with signing certificates against our Puppet CA infrastructure, but does not include tooling for managing and declaring many certificates. [[ https://github.com/wikimedia/puppet/blob/production/utils/create_ecdsa_cert | create_ecdsa_cert ]] helps a bit, but only works for generating one certificate at a time. puppet_ecdsacert.rb also only generates .pem format certificate files, and both Kafka and Cassandra need Java keystores.

We should have a generic way of managing certificates that will work for both of these use cases, and hopefully future ones.

I plan to adapt Eric's cassandra-ca-manager, but make it generic and extensible, so that it works with more CAs than just self-signing ones. We should:
- move this to a more generic location/name in puppet
- create a `cassandra-ca-manager` symlink to keep backwards compatibility
- generate key formats other than Java keystores, e.g. .pem files; at least whatever is needed for non-Java Kafka clients (kafka-python, librdkafka, etc.)
- make it easy to distribute these files via puppet (if it isn't easy enough already)
- create (or update and move) wikitech documentation

See also T108953 and T141541.
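To make the "both PEM and a Java-readable keystore from one CA" requirement concrete, here is an added example script (it is not part of cassandra-ca-manager, puppet_ecdsacert.rb, or this task). It builds a throwaway self-signed CA with openssl, issues one per-host certificate with a SAN, and writes the same key material twice: as a PEM key/cert pair for kafka-python or librdkafka, and as a PKCS12 bundle, which Java clients can load as their keystore when the keystore type is set to PKCS12 (keytool-based JKS conversion is deliberately left out). The CA name, work directory, password and hostnames are all assumptions for a scratch run.

```shell
#!/bin/sh
# Added example, not code from the Wikimedia puppet repo or cassandra-ca-manager.
# Builds a scratch self-signed CA, issues a host cert, and emits both PEM files
# (for non-Java Kafka clients) and a PKCS12 bundle (loadable as a Java keystore).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch directory for this run
CA_NAME="example-ca"                  # hypothetical CA name
STORE_PASS="changeit-example"         # placeholder for a scratch run, not a real secret
CURVE="prime256v1"                    # ECDSA P-256, matching the ecdsa tooling named above

# Create the CA private key and a self-signed CA certificate (10 years).
make_ca() {
  openssl ecparam -name "$CURVE" -genkey -noout -out "$WORKDIR/$CA_NAME.key"
  openssl req -x509 -new -key "$WORKDIR/$CA_NAME.key" -sha256 -days 3650 \
    -subj "/CN=$CA_NAME" -out "$WORKDIR/$CA_NAME.crt"
}

# Issue a certificate for one host and write PEM and PKCS12 outputs.
# Usage: issue_host <hostname>
issue_host() {
  host="$1"
  # Per-host private key and CSR.
  openssl ecparam -name "$CURVE" -genkey -noout -out "$WORKDIR/$host.key"
  openssl req -new -key "$WORKDIR/$host.key" -subj "/CN=$host" \
    -out "$WORKDIR/$host.csr"
  # Add a subjectAltName so clients that verify hostnames accept the cert.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORKDIR/$host.ext"
  # Sign the CSR with the CA; this yields the PEM cert used by librdkafka/kafka-python.
  openssl x509 -req -in "$WORKDIR/$host.csr" -CA "$WORKDIR/$CA_NAME.crt" \
    -CAkey "$WORKDIR/$CA_NAME.key" -CAcreateserial -days 825 -sha256 \
    -extfile "$WORKDIR/$host.ext" -out "$WORKDIR/$host.crt"
  # Bundle key + cert + CA into PKCS12 for Java clients (keystore type PKCS12).
  openssl pkcs12 -export -inkey "$WORKDIR/$host.key" -in "$WORKDIR/$host.crt" \
    -certfile "$WORKDIR/$CA_NAME.crt" -name "$host" \
    -passout "pass:$STORE_PASS" -out "$WORKDIR/$host.p12"
}

# Check that a host cert chains to the CA and that its PKCS12 opens with the
# configured password. Returns 0 on success, non-zero otherwise.
verify_host() {
  host="$1"
  openssl verify -CAfile "$WORKDIR/$CA_NAME.crt" "$WORKDIR/$host.crt" >/dev/null &&
  openssl pkcs12 -in "$WORKDIR/$host.p12" -passin "pass:$STORE_PASS" -noout
}

# Stand-alone usage: ISSUE_HOSTS="kafka1001.eqiad.wmnet kafka1002.eqiad.wmnet" sh this.sh
if [ -n "${ISSUE_HOSTS:-}" ]; then
  make_ca
  for h in $ISSUE_HOSTS; do
    issue_host "$h"
    verify_host "$h"
    echo "issued $h: $WORKDIR/$h.key $WORKDIR/$h.crt $WORKDIR/$h.p12"
  done
fi
```

The design point is that the PEM pair and the PKCS12 bundle are derived from one key and one signing step, so a manager script only has to add output formats, not a second CA workflow; the `verify_host` step is the check worth keeping in any such tool, since a keystore that does not chain to the distributed CA certificate fails silently until the first TLS handshake.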