cergen is currently only installed on puppetmaster1001 by means of the cergen Puppet class. Even building cergen for Buster proved to be challenging back then, as it needs python-networkx 1 and even back then needed python3-lib2to3 (https://phabricator.wikimedia.org/T235405).
There are currently 47 services defined in certificate.manifests.d which use the Puppet 5 CA (authority: puppet_ca); we should probably just fix forward and move them all to the PKI/cfssl (some might also no longer be in use and just need cleaning up):
analytics_http_ui.certs.yaml
aphlict.certs.yaml
apt-staging.certs.yaml
chartmuseum.certs.yaml
config-master.certs.yaml
contint.certs.yaml
debmonitor.certs.yaml
doc.certs.yaml
docker_registry.certs.yaml
_etcd-server-ssl._tcp.v3.certs.yaml
etcd-v3.certs.yaml
etcd-v3-eqiad.certs.yaml
etherpad.certs.yaml
grafana.certs.yaml
grafana_labs.certs.yaml
graphite.certs.yaml
kafka_fundraising_client.certs.yaml
kafka_test.certs.yaml
kartotherian.certs.yaml
kibana.certs.yaml
labweb.certs.yaml
mediawiki.certs.yaml
mwmaint.certs.yaml
parsoid.certs.yaml
peopleweb.certs.yaml
performance.certs.yaml
phabricator.certs.yaml
planet.certs.yaml
prometheus.certs.yaml
puppet_ca.certs.yaml
purged.certs.yaml
releases.certs.yaml
relforge.certs.yaml
restbase.certs.yaml
rt.certs.yaml
schema.certs.yaml
search.certs.yaml
swift.certs.yaml
testreduce.certs.yaml
thanos-query.certs.yaml
ticket.certs.yaml
ticket-test.certs.yaml
wcqs.certs.yaml
wdqs.certs.yaml
wdqs-internal.certs.yaml
webperf.certs.yaml
webserver_misc_apps.certs.yaml