There are two contexts in which the [[ https://wikitech.wikimedia.org/wiki/Etcd/Main_cluster | etcd main cluster ]] still uses TLS certs signed by the puppet 5 CA, which in turn blocks `role::configcluster` hosts moving to puppet 7:
* `profile::etcd::tlsproxy` - The nginx-based authenticating proxy supports //only// the `sslcert::certificate` define (loading the CN=`etcd-v3.(eqiad|codfw).wmnet` certificates).
* `profile::etcd::v3` - etcd itself (for both peer and direct client communication, the latter being limited to nginx and etcd-mirror) supports both `sslcert::certificate` and `profile::pki::get_cert`, but in the configcluster use case still relies on the former (loading the CN=`_etcd-server-ssl._tcp.v3.(codfw|eqiad).wmnet` certificates).
To unblock moving to puppet 7, we need to:
[x] Add support for cfssl-based PKI in `profile::etcd::tlsproxy`.
[x] Migrate etcd's nginx proxy to PKI via the above.
[] Migrate etcd itself to PKI using the existing support in `profile::etcd::v3` (gated on the `use_pki_certs` hiera key, and already used by other etcd clusters we run, e.g., for k8s).
As of August 2025, the first two items are complete. See T352245#10935894 for a summary of the procedure used.
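A fleet check that tells the two cases apart is what you want on hand while working through the remaining item: given the server certificate an etcd node or its nginx proxy actually presents, report whether it chains to the old puppet CA (still blocking puppet 7) or to the cfssl PKI root (migrated). The Go program below is an added example, not code from this task or from the Wikimedia puppet repository; both CAs, the `newCA`/`issueServerCert` fixtures and the function name `ClassifyIssuer` are constructed here, and the only things taken from the task are the CN patterns (`_etcd-server-ssl._tcp.v3.codfw.wmnet`, `etcd-v3.codfw.wmnet`). In practice you would feed `ClassifyIssuer` the PEM captured from the TLS handshake (or from the certificate file puppet deploys) together with the real root certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer names the trust root a leaf certificate chains to.
type Issuer string

const (
	IssuerPuppet  Issuer = "puppet-ca" // still blocks the puppet 7 move
	IssuerPKI     Issuer = "cfssl-pki" // migration target
	IssuerUnknown Issuer = "unknown"   // chains to neither root
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed CA. Constructed fixture only: it stands in for
// the puppet 5 CA or the cfssl PKI root; neither real CA is used here.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueServerCert signs a server certificate for cn under the given CA and
// returns it PEM-encoded, the form a check would read from disk or a handshake.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// ClassifyIssuer parses a PEM leaf and tries to build a chain to each known
// root in turn. A leaf that verifies only against puppetCA still has to be
// migrated; one that verifies against pkiCA is done.
func ClassifyIssuer(leafPEM []byte, puppetCA, pkiCA *x509.Certificate) (Issuer, error) {
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return IssuerUnknown, errors.New("no PEM CERTIFICATE block found")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return IssuerUnknown, err
	}
	roots := []struct {
		name Issuer
		ca   *x509.Certificate
	}{{IssuerPuppet, puppetCA}, {IssuerPKI, pkiCA}}
	for _, r := range roots {
		pool := x509.NewCertPool()
		pool.AddCert(r.ca)
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool}); err == nil {
			return r.name, nil
		}
	}
	return IssuerUnknown, nil
}

func main() {
	puppetCA, puppetKey := newCA("Puppet CA (constructed)")
	pkiCA, pkiKey := newCA("cfssl PKI root (constructed)")
	// Names follow the CN patterns quoted in the task; one leaf per root.
	checks := map[string][]byte{
		"etcd peer, not yet migrated": issueServerCert(puppetCA, puppetKey, "_etcd-server-ssl._tcp.v3.codfw.wmnet"),
		"nginx proxy, migrated":       issueServerCert(pkiCA, pkiKey, "etcd-v3.codfw.wmnet"),
	}
	for label, pemBytes := range checks {
		who, err := ClassifyIssuer(pemBytes, puppetCA, pkiCA)
		fmt.Printf("%-28s issuer=%s err=%v\n", label, who, err)
	}
}
```

The check deliberately builds a chain rather than comparing issuer DNs: an intermediate or a renamed CA with the same subject string would fool a DN match, while `Verify` against a pool holding only one root cannot. Once the third checklist item is done, every etcd peer and client certificate on the `role::configcluster` hosts should classify as `cfssl-pki`.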