[00:42:46] bblack: i am closing tickets for tLS work, do ping if things do not look OK, from our brief inspection of data looks fine with some nil values [00:43:08] bblack: and so you know, it would be easy to create a dashboard on superset on top of these [02:00:49] nuria: yeah, the "nil" value is reported by ATS, so that's expected [02:56:41] 10Traffic, 10Operations, 10Patch-For-Review: Move cache text cluster from nginx to ats-tls - https://phabricator.wikimedia.org/T231627 (10Vgutierrez) [03:20:32] 10Traffic, 10Operations, 10Patch-For-Review: Move cache text cluster from nginx to ats-tls - https://phabricator.wikimedia.org/T231627 (10Vgutierrez) [03:28:35] 10Traffic, 10Operations, 10observability: Add ats-tls status and availability graphs to frontend-traffic - https://phabricator.wikimedia.org/T236482 (10Vgutierrez) 05Open→03Resolved a:03Vgutierrez atls-tls availability panel is now ready: https://grafana.wikimedia.org/d/000000479/frontend-traffic?refre... [09:44:08] 10netops, 10Operations, 10observability: Determine & implement near-term method for escalating network alerts - https://phabricator.wikimedia.org/T237587 (10Volans) I'd rather not do (3), seems a step back (not respecting awake hours and such). Regarding (1) we already have a proposal from last SRE summit,... [11:08:26] the new globalsign OCSPs with the new intermediates are finally a little smaller thanks to ecdsa chain, for the ecdsa case mostly [11:08:32] still not as small as digicert :P [11:08:49] digicert gives us 471 byte ocsp responses for rsa and ecdsa [11:08:56] globalsign was 1611 for both [11:09:08] now they're 1035 for ecdsa and 1529 for rsa [11:09:24] cause is embedding the cert, right? [11:09:27] ecdsa is by far more common though, and that will trim 576 bytes off it [11:10:04] yeah the major difference is globalsign embeds an extra cert (I forget if it's the real intermediate, or the intermediate that backs the ocsp signing cert, or the ocsp signing cert, or what, but it's not necessary) [11:10:44] I don't think that changed, just now their new ecdsa certs are backed by ecdsa intermediate+root, whereas before ecdsa leafs used rsa intermediate/root/etc [11:10:55] and ecdsa is smaller in general [11:47:18] traffic people, could I borrow cp1072 (or any other host) for a reimage demonstration + decommission demonstration today? [11:47:32] I would ofc update the related task T229586 [11:47:32] T229586: decommission cp1008, cp1071, cp1072, cp1073, cp1074, cp1099 - https://phabricator.wikimedia.org/T229586 [11:56:06] volans: yeah as far as we care they're all dead to us [11:56:18] (cp1071-4) [11:57:42] perfect, thanks a lot! [15:00:03] Heya _joe_ could you comment about discovery on https://gerrit.wikimedia.org/r/c/operations/puppet/+/549177 [15:00:18] i know you advised that I didn't really need it, but ema was suggesting I add it [15:00:23] I can go either way, whatever yall say [15:01:09] <_joe_> I said it's not strictly needed but to check with traffic what they prefer ATS-wise [15:07:27] ah k, so sounds like they prefer then. danke [15:22:07] decommission cookbook has been run for cp1072, I've update the task's description, but it was using the old template (pre-cookbook) so it's a bit off. [15:22:42] thanks for the borrow, can I assume who's in charge of the task would remove all references from the puppet/dns repo? Or do you want me to do it? [15:58:41] volans: nobody here is gonna stop you I believe! :) [16:11:40] ema: I was hoping the cleanup for all those servers will happen all together so I didn't had to care about this single one :-P [16:13:27] sure, don't give much weight to what I say after 5PM on a Friday [16:24:11] lol [16:24:21] it was still 4:58 though [16:27:21] hahahah [16:27:49] I'm sure it was after 5PM somewhere [16:34:46] defintely!