[16:09:47] godog: going to be around for a bit? I'm thinking we can merge the grafana-next-rw patches. Hoping for another set of eyes to watch for issues.
[16:10:14] cwhite: sure! I'll be here
[16:10:42] awesome, let's goooo
[16:11:05] woot woot
[16:11:23] godspeed o/
[16:19:57] next up is the cas parts
[16:21:07] ack
[16:24:45] No smoke so far AFAICT
[16:29:50] on to the traffic layer now
[16:34:30] ok!
[16:35:36] hi folks
[16:36:19] I am currently working on moving the logstash collectors to the profile::base::certificates jks truststore
[16:36:29] containing the root pki + root puppet certs
[16:36:45] (rather than picking up the ones created by cergen in the puppet private repo)
[16:37:17] I checked logstash::input::kafka and profile::logstash::collector
[16:38:08] it seems easier to just remove the old truststore part (including the auto-management etc..) and move the codebase to profile::base::certificates, but it will be a broader change of course
[16:38:28] we can definitely test it somewhere first, and in case roll it out one node at a time if you like the idea
[16:38:49] the alternative is to add puppet conditionals and hiera settings to use both kinds of configs
[16:39:08] but the puppet code may become a bit messy in my opinion
[16:40:26] agreed, seems best to have one canonical way of doing things
[16:40:29] elukey: profile::logstash::collector (and collector7) are due for removal from puppet. The active classes are profile::logstash::beta (for deployment-prep) and profile::logstash::production
[16:42:26] The same issue applies, since logstash::input::kafka does try to manage the truststore. There's a flag to turn that off though
[16:42:40] `manage_truststore`
[16:49:43] cwhite: ack thanks! Afaics in logstash::input::kafka there is no way to pass the location of the truststore, it assumes puppet private, no?
[16:51:33] yeah, it seems hardcoded. If management was disabled, one could link to it for testing purposes?
[16:52:55] maybe I can try to add the parameter, and tune it via the profile::logstash::{beta,production}
[16:54:09] sounds good :)
[17:27:48] godog: Traffic appears to be flowing correctly. I think the next step is to add the new fqdn to alt_names. Not sure what the step after that is. Cergen?
[18:02:21] cwhite: nice! yeah add grafana-next-rw to alt_names in cergen, nuke the cert from the puppet CA and ask cergen for a new one
[18:02:39] and remove the password from the cergen config IMHO while we're at it
[18:03:47] I don't have enough context to know why it should or should not be removed. :/
[18:04:56] my understanding is that if the password is set then the private key will also be password protected, which doesn't do anything in practice for our deployment
[18:05:32] cwhite: regardless of the password though the rest of the process is the same
[18:05:46] ack, giving that a try now :)
[18:06:16] cwhite: ok! I have to go now, will check back tomorrow