[20:44:30] <ottomata>	 mutante:  yt?
[21:43:34] <mutante>	 ottomata: kind of. i see from comments it was about certs for envoy? to make those i follow https://wikitech.wikimedia.org/wiki/Cergen#Cheatsheet
[21:43:51] <ottomata>	 yaaaa
[21:43:57] <ottomata>	 ok i'll add comments there about not needing pw
[21:44:01] <ottomata>	 if you want unencrypted key
[21:46:23] <mutante>	 hmm.yea. not sure. i was just following the docs so far and didn't write them
[21:46:41] <mutante>	 let's add e.ma to that
[21:48:37] <ottomata>	 i've been doing envoyproxy in k8s with giuseppe's doocs
[21:48:41] <ottomata>	 had to edit his too
[21:48:42] <ottomata>	 https://wikitech.wikimedia.org/wiki/User:Giuseppe_Lavagetto/Add_Tls_On_Kubernetes
[21:54:50] <mutante>	 hmm.ack. it's tempting to create "TLS" on wikitech as "disambiguation page" (it's a redirect to HTTPS now) and link to both. But there was some disagreement over those kind of pages.
[21:55:05] <mutante>	 oh well.. added on https://wikitech.wikimedia.org/w/index.php?title=HTTPS&type=revision&diff=1849411&oldid=1830554
[21:55:41] <mutante>	 because even just finding those was kind of hard :p
[21:58:45] <bd808>	 just to make it all better there is https://wikitech.wikimedia.org/wiki/User:Jbond/Encryption now too :)
[22:00:16] <bd808>	 mutante: FWIW, I'd be in favor of making [[wikitech:TLS]] a disambig page. That wiki needs a lot more gnomes :)
[22:00:27] <mutante>	 hah, thanks. linked. (but actually we should slap [[Category:TLS]] on them?)
[22:00:43] <mutante>	 wants to use categories :p
[22:01:09] <bd808>	 yeah, catgories are cool too--as long as there are folks maintaining them
[22:01:54] <bd808>	 Someday™ maybe we will have a librarian for our tech docs :)
[22:05:29] <ottomata>	 mutante:  still there?
[22:05:40] <ottomata>	 i'm trying to figure out what i'm doing wrong with envoyproxy on schema1001
[22:05:52] <ottomata>	 i think i've done it just like e.g.webperf1001
[22:06:05] <ottomata>	 but i can't seem to reach envoy on 443
[22:06:06] <ottomata>	 i think...
[22:06:28] <mutante>	 bd808: https://wikitech.wikimedia.org/wiki/Category:TLS  i'll try to maintain
[22:06:31] <ottomata>	 oh hm, there is a lot less in envoy.yaml
[22:06:37] <mutante>	 ottomata: is something else already listening on 443?
[22:06:41] <ottomata>	 no
[22:06:46] <mutante>	 ferm rules?
[22:06:47] <ottomata>	 i think i must be missing some configs
[22:06:52] <ottomata>	 i'm going localhost righ tnow
[22:06:57] <mutante>	 ah, do you have the Hiera values
[22:07:05] <mutante>	 hold on ..finding an example
[22:07:14] <ottomata>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/558660
[22:07:52] <ottomata>	 i'm missing a lot in /etc/envoy/envoy.yaml
[22:07:55] <ottomata>	 compared to webperf1001
[22:08:30] <mutante>	 here is one where both ports are different:
[22:08:31] <mutante>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/552947/5/hieradata/role/common/otrs.yaml
[22:08:38] <mutante>	 looks good though
[22:08:48] <mutante>	 hmm
[22:09:37] <ottomata>	 ah mutante
[22:09:41] <ottomata>	 i just manually did
[22:09:43] <mutante>	 buster vs stretch?
[22:09:45] <ottomata>	  /usr/local/sbin/build-envoy-config -c /etc/envoy
[22:09:49] <ottomata>	 and it change envoy.yaml
[22:09:58] <ottomata>	 i think something isn't quite right in envoyproxy init.pp
[22:10:04] <mutante>	 ah, yes, (though it should happen by itself?)
[22:10:12] <ottomata>	 yeah but it is refreshonly
[22:10:14] <ottomata>	 so maybe some ordering problem
[22:10:20] <mutante>	 i think i had to do this once
[22:10:32] <ottomata>	 yesss it works now
[22:11:14] <mutante>	 it sounds familiar now. but only once and the other times it worked by itself.
[22:11:24] <mutante>	 cool!
[22:11:31] <ottomata>	 hmmm oh i had a puppet failure due to missing public cert file
[22:11:34] <ottomata>	 after i merged that one
[22:11:51] <mutante>	 caveat is you have to rename it too
[22:12:05] <ottomata>	 rename it?
[22:12:17] <mutante>	 The extension is .crt.pem on the puppetmaster, but it needs to be just .crt in operations/puppet
[22:12:53] <mutante>	 so after you create them on the master and download the file to put it in public repo
[22:13:14] <mutante>	 you have to change it to wmnet.crt in files/ssl/
[22:16:14] <ottomata>	 oh right
[22:16:20] <ottomata>	 yeah, i got that.,
[22:16:37] <ottomata>	 we should maybe fix up sslcert::certificate to be able to use things out of cergen dir
[22:16:46] <ottomata>	 so we don't have to duplicate stuff like this
[22:17:18] <mutante>	 i saw your comment about that and just thought "well, having to rename it as well supports his point" :)
[22:20:34] <ottomata>	 :)
[22:20:55] <cdanis>	 I almost made the comment "if even ottomata can't use cergen in practice, we're surely doomed" ;
[22:20:56] <cdanis>	 ;)
[22:21:15] <ottomata>	 hahah, almost and did!
[22:22:46] <ottomata>	 mutante: just curious...why not make envoy.yaml an erb template?
[22:22:52] <ottomata>	 why the extra exec
[22:22:54] <ottomata>	 do you know?
[22:26:23] <mutante>	 ottomata: not really, but i found these comments:
[22:26:31] <mutante>	   # It will also verify the new configuration and only put it in place if something
[22:26:34] <mutante>	  55     # has changed.
[22:26:49] <mutante>	 so i assume because build-envoy-config does that as well
[22:28:05] <mutante>	 "should generate all configuration starting from the puppet-declared envoyproxy::listener.. "