[07:55:20] hi all back from vacation today, will mostly be catching up but please ping if there is anything needing to go to the top of the pile :)
[07:59:47] I have a patch when you're free a review would be nice on
[08:00:24] https://gerrit.wikimedia.org/r/c/operations/puppet/+/713863
[08:00:40] Apparently rack tables has the same logic if it's needed to add for time
[08:00:50] welcome back jbond
[08:00:56] And yes wb
[08:04:35] thanks and will do RhinosF1
[11:55:54] jbond: it looks like back in the day when use_remote_address was added to the envoyproxy puppetization the SNI HCM was missed: https://gerrit.wikimedia.org/r/c/operations/puppet/+/714350/
[11:57:49] vgutierrez: good catch thanks
[11:58:16] jbond: uff re: puppet 6 for SAN. as for alternative certs, the last time we discussed this there was no suitable mechanism to issue _host_ certs to >200 hosts
[12:01:35] but maybe pki::client can do it now?
[12:02:32] kormat: we have had the debmonitor client using pki.discovery.wmnet for some time now so i think it should be fine to start using cfssl::cert or more likely profile::pki::get_cert
[12:02:37] https://wikitech.wikimedia.org/wiki/PKI/Clients#profile::pki::get_cert
[12:03:35] jbond: how long are the certs valid for?
[12:03:40] fixing this in puppet without puppet server 6 would mean generating the puppet agent certificates with openssl and hacking the provisioning code paths (this would be a lot of work and would introduce a lot of places where bad things could happen)
[12:04:58] kormat: depends on the CA in use. currently we have two CAs: the discovery CA, which is just for issuing server certificates e.g. https, and the debmonitor CA, which issues client auth certs.
both have an expiry of 4 weeks, and the code that relies on the certs auto refreshes any services that depend on them
[12:05:08] jbond: 😬
[12:05:16] i'll need an expiry time measured in years
[12:05:18] but for something like mariadb we would likely create a new CA with a much higher expiry
[12:05:31] as autorestarting would be a problem
[12:05:55] the intermediates have an expiry of 5 years i think the root has 10 years so anything less than that is valid
[12:06:11] ok
[12:06:24] ah, looks like it's possible to get mariadb to reload certs so long as none of the paths change
[12:06:31] https://mariadb.com/kb/en/flush/#flush-ssl
[12:06:48] still, not something we'd want to do frequently
[12:07:07] ahh nice, and yes we can start with a very conservative value and play/change over time
[12:08:01] jbond: does pki::client work from within wmcs?
[12:08:26] kormat: yes with caveats https://wikitech.wikimedia.org/wiki/PKI/Cloud
[12:08:59] as in it's opt-in for the project and there is a bit of a dance to get your project configured
[12:09:29] i'm not sure anyone other than me has gone through that guide so feel free to ping me when you look at it
[12:10:49] I have played a little with pki in pontoon, not exactly that though
[12:11:09] not 100% there yet but not far either, FWIW
[12:12:33] nice let me know if i can help godog (can't remember where we got to)
[12:14:05] jbond: sure will do, thank you! yeah basically we left off with the root CA hosted on the pontoon server, and the intermediates on a separate host, which worked as expected
[12:14:28] ack
[12:15:18] they are both basically "zero touch" bootstrappable with a little bit of initialization IIRC, plus a manual commit to puppet to update the public key of the root ca
[12:15:43] might pick up the work again in the following weeks though
[12:16:07] * kormat wishes someday for a zero-touch puppet
[12:16:25] like not having to touch the puppet anymore kormat ?
[12:16:44] godog: the dream™
[12:17:25] yes that sounds about right to me, we could probably make the pontoon CA zero touch but it would mean diverging a little from how production is set up so ++/-- (think we may have even discussed some of those options)
[12:19:32] kormat: one can dream indeed! I wish I could find a reaction gif, but I can't
[12:20:10] jbond: agreed that'd be nice, I'll poke at it a little more and let you know what I come up with
[12:20:43] also on a related note, I noticed 'pki' isn't in service::catalog
[12:21:25] sgtm as to service::catalog, thanks will look at that in a sec
[12:22:56] ack, not a huge or urgent deal FWIW, more like in the "would be nice to have" column
[12:28:29] jbond: wrote up a task for my team about what we discussed. thanks for the input :)
[12:31:29] no problem and ping me on task if not already :)
[15:54:48] razzi: FYI the cumin alias kafkamon: P{O:kafka::monitoring} doesn't match any host (it's reported by a periodic check). LMK if you need/want me to open a task for it
[16:22:38] btullis FYI too I guess ^^
[16:22:49] lmk if you need any help on that
[16:23:02] or context for that matter ;)
[16:23:16] volans: Thanks. Will look into it.
[16:23:33] thanks a lot!
[17:02:52] volans: I've put a question for herron here: https://phabricator.wikimedia.org/T252773#7302311 about this. Can we downtime the check until the question is resolved?
[17:08:17] hey btullis volans I'm in a meeting at the moment but will have a look shortly
[17:12:26] ok, no prob for me
[17:12:34] it's not that urgent, just an email alert ;)