[07:30:13] serviceops, SRE, envoy: The TLS proxy configuration in deployment-charts allows invalid listeners - https://phabricator.wikimedia.org/T291959 (Joe) a:Joe
[08:45:15] serviceops, MW-on-K8s, SRE-swift-storage, Shellbox, and 2 others: Support large files in Shellbox - https://phabricator.wikimedia.org/T292322 (Legoktm) Using a known broken hash like MD5 seems wrong in what's supposed to be a security-sensitive application. Since we are already calculating the SH...
[09:11:04] serviceops, SRE, Patch-For-Review, good first task: Upgrade all deployment charts to use the latest version of common_templates - https://phabricator.wikimedia.org/T292390 (elukey) knative-serving and kserve-inference should be done! :)
[10:34:38] serviceops, Prod-Kubernetes, Kubernetes: Create a partman config for kubernetes masters - https://phabricator.wikimedia.org/T299634 (JMeybohm)
[10:53:29] serviceops, SRE, MW-1.35-notes (1.35.0-wmf.34; 2020-05-26), Patch-For-Review, Platform Engineering (Icebox): Undeploy graphoid - https://phabricator.wikimedia.org/T242855 (TheDJ) I've removed graphoid info from https://www.mediawiki.org/wiki/Extension:Graph to avoid further confusion for read...
[12:50:31] serviceops, Infrastructure-Foundations, SRE, SRE-tools, Documentation: Documentation updates in decom workflow - https://phabricator.wikimedia.org/T287388 (Aklapper)
[12:51:41] serviceops, DynamicPageList (Wikimedia), PoolCounter, SRE, and 9 others: Limit concurrency of DPL queries - https://phabricator.wikimedia.org/T263220 (Aklapper) Half a year later, does someone plan to pick up https://gerrit.wikimedia.org/r/c/710138 , or what is left to do in this open high prio t...
[14:21:25] serviceops, MW-on-K8s, SRE-swift-storage, Shellbox, and 2 others: Support large files in Shellbox - https://phabricator.wikimedia.org/T292322 (Joe) >>! In T292322#7635623, @Legoktm wrote: > Using a known broken hash like MD5 seems wrong in what's supposed to be a security-sensitive application. S...
[14:58:42] hi! so.. question about k8s and certs. If I edit an existing cert for my service in kube_services.crts.yaml in private repo, delete old cert, revoke cert on puppetmaster, use cergen to generate new certs, commit..run puppet on deploy1001, confirm new cert is in /etc/helmfile-defaults/private/main_services/.. then what? am I done and the rest is automatic? Or doesn't there have to be another
[14:58:49] step to get the cert deployed from deployment server?
[14:59:32] if I run helmfile diff there is no diff now.. because I just edited existing cert?
[15:05:39] _joe_: re: what I talked about last meeting, pretty sure you were right about the cert. I realized I had to add an extra SAN to my cert in kube_services.crts.yaml (as opposed to the non-k8s one under certificate.manifests.d/ with its own yaml file). So I think I got that solved too.. just wondering if there is another step after I see my change in /etc/helmfile-defaults/ on deploy1002. Do I
[15:05:45] need to deploy? I have no diff though
[15:06:23] <_joe_> mutante: you have to deploy, yes
[15:06:35] <_joe_> how can you have no diff if the cert value changed?
[15:07:07] I am not sure, I updated the cert, so the value changed in /etc/helmfile-defaults/ but I did not touch my charts
[15:07:16] since it was an existing cert
[15:07:21] and already named in the chart
[15:07:39] <_joe_> ok I guess something went wrong somewhere, I'll take a look in a few
[15:09:06] _joe_: wait! I do have a diff when I do this on "codfw", but not on "staging"
[15:09:14] and I just followed the normal "staging" first workflow
[15:09:40] let me deploy on codfw I guess and ignore staging I guess
[15:14:50] ok, successfully deployed cert change in codfw
[15:16:03] <_joe_> mutante: yeah staging has its own cert managed centrally
[15:16:20] that makes sense when thinking about it, yea
[15:16:29] ok, thanks. I should be good then :) doing eqiad too now
[15:22:44] serviceops, MW-on-K8s, Release-Engineering-Team, SRE: Make scap deploy to kubernetes together with the legacy systems - https://phabricator.wikimedia.org/T299648 (Joe)
[17:01:59] serviceops, DC-Ops, Prod-Kubernetes, SRE, and 3 others: decommission kubestage100[12]-eqiad - https://phabricator.wikimedia.org/T299142 (Cmjohnson)
[17:05:30] serviceops, DC-Ops, Prod-Kubernetes, SRE, and 3 others: decommission kubestage100[12]-eqiad - https://phabricator.wikimedia.org/T299142 (Cmjohnson) Open→Resolved
[17:05:31] serviceops, Prod-Kubernetes, Kubernetes, Patch-For-Review: setup/install kubestage100[34] - https://phabricator.wikimedia.org/T293729 (Cmjohnson)
[21:00:06] serviceops, SRE: Debian package for httpbb - https://phabricator.wikimedia.org/T299705 (RLazarus) p:Triage→Medium
[21:00:40] serviceops, SRE: Debian package for httpbb - https://phabricator.wikimedia.org/T299705 (RLazarus)
[21:00:45] serviceops, SRE, Wikimedia-Apache-configuration: Build a black-box httpd testing framework - https://phabricator.wikimedia.org/T236699 (RLazarus)
[22:33:15] serviceops, MW-on-K8s, SRE-swift-storage, Shellbox, and 2 others: Support large files in Shellbox - https://phabricator.wikimedia.org/T292322 (tstarling) >>! In T292322#7636542, @Joe wrote: > But given in reality I was proposing to do something like: > > signature = md5sum( secret + padding + re...