[06:00:49] jbond: you can add the project-puppet-diffs group to ::restricted_to to keep the old behavior to allow project members in addition to the newly configured groups [13:33:59] FYI: In ~ 10 minutes I'll stop puppet in codfw and the edges (for 20-30 mins for some puppetdb maintenance) [13:34:11] if that's bad timing for anyone, let me know [13:34:18] ack [14:07:48] puppet is back on [14:07:53] thanks :) [14:48:55] taavi: ahh of course will do thanks [15:23:01] elukey: I see ssl.ca.locaiton set to /etc/ssl/certs/wmf-ca-certificates.crt in oher eventgatets [15:23:07] just not eventgate-main [15:23:15] ah lovely [15:23:28] oh, maybe just not staging? [15:23:40] ok, i thitnk it must be just this misconfig [15:23:42] right? [15:23:43] i think i can fix [15:23:57] yes yes I think so, it works now :) [15:26:51] elukey: https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/908258 [15:26:54] ottomata: I think the issue is only in staging [15:27:37] oh yes looks good [15:27:40] yeah, and it probably happened that way because the config overrides were a little out of place, i think ^ will help [15:28:06] let's wait for CI but I'd say that it will works just fine [15:28:10] k th [15:28:11] ty [15:28:20] glad it was just a little thing! :) [15:33:00] ottomata: +1ed, ci looks good! [15:36:59] actually, elukey we should make that the default in the chart :) [15:37:11] doing now [15:38:31] ottomata: it is ok to keep it as default at the helmfile level, ssl settings may change etc.. [15:38:48] hm, true. the chart currently has the puppetca as the default [15:39:10] and also other settings like cipher.suites, curves.list, etc. [15:39:14] I mean we are not really planning to use eventgate without ssl and puppet anymore, so it is ok to change the chart as well [15:39:24] but I think the change is good to go :) [15:39:29] so the chart sets defaults for ssl settings [15:39:32] but does not enable ssl by default [15:39:36] that is done by helmfile