2024-04-30: Update gitlab.com certificate for HAProxy in gprd
Production Change
Change Summary
The certificate for gitlab.com
in SSLMate was rekeyed at some point around the time it was pushed to Cloudflare (#17305 (closed)?), so now certificates-updater
fails to update it automatically in the cookbook secrets in Vault, so we need to update it manually.
See GitLab.com certificate not updated for HAProxy ... (production-engineering#25328 - closed)
Change Details
- Services Impacted - ServiceHAProxy
-
Change Technician -
@pguinoiseau
- Change Reviewer - @ayeung @mchacon3
- Time tracking - 10 minutes
- Downtime Component - none
Set Maintenance Mode in GitLab
If your change involves scheduled maintenance, add a step to set and unset maintenance mode per our runbooks. This will make sure SLA calculations adjust for the maintenance period.
Detailed steps for the change
Change Steps - steps to take to execute the change
Estimated Time to Complete (mins) - 10 minutes
-
Set label changein-progress /label ~change::in-progress
-
Get the new certificate and private key from ci/ops-gitlab-net/gitlab-com/gl-infra/config-mgmt/cloudflare-custom-certs/gitlab-com
:CERT="$(vault kv get -mount ci -field certificate_chain ops-gitlab-net/gitlab-com/gl-infra/config-mgmt/cloudflare-custom-certs/gitlab-com)" PKEY="$(vault kv get -mount ci -field private_key ops-gitlab-net/gitlab-com/gl-infra/config-mgmt/cloudflare-custom-certs/gitlab-com)"
-
Update the HAProxy cookbook secret with the new certificate and private key: vault kv get -mount chef -format json env/gprd/cookbook/gitlab-haproxy/frontend-loadbalancer \ | jq --arg pkey "${PKEY}" --arg cert "${CERT}" '.data.data * {"gitlab-haproxy": {"ssl": {"gitlab_crt": $cert, "gitlab_key": $pkey}}}' \ | vault kv put -mount chef env/gprd/cookbook/gitlab-haproxy/frontend-loadbalancer -
-
Disable Chef client on all main HAProxy nodes: knife ssh --no-host-key-verify 'roles:gprd-base-haproxy-main' 'sudo chef-client-disable "See: https://gitlab.com/gitlab-com/gl-infra/production/-/issues/17923"'
-
Run Chef client on a HAProxy node: ssh haproxy-main-01-lb-gprd.c.gitlab-production.internal sudo chef-client-enable sudo pkill -USR1 chef-client sudo journalctl -f -u chef-client
-
Verify that HAProxy is serving the new certificate: curl -v --connect-to gitlab.com:443:127.0.0.1:11443 https://gitlab.com/
-
Re-enable Chef client on all main HAProxy nodes: knife ssh --no-host-key-verify 'roles:gprd-base-haproxy-main' sudo chef-client-enable
-
Set label changecomplete /label ~change::complete
Rollback
Rollback steps - steps to be taken in the event of a need to rollback this change
Estimated Time to Complete (mins) - 2 minutes
-
Rollback the HAProxy cookbook secrets: vault kv rollback -mount chef -version 5 env/gprd/cookbook/gitlab-haproxy/frontend-loadbalancer
-
Set label changeaborted /label ~change::aborted
Monitoring
Key metrics to observe
- Metric: HAProxy Apdex and error rates
- Location: https://dashboards.gitlab.net/d/frontend-main/frontend3a-overview?orgId=1&var-PROMETHEUS_DS=PA258B30F88C30650&var-environment=gprd&var-stage=main
- What changes to this metric should prompt a rollback: any significant deviation
- What changes to this metric should prompt a rollback: Describe Changes
Change Reviewer checklist
-
Check if the following applies: - The scheduled day and time of execution of the change is appropriate.
- The change plan is technically accurate.
- The change plan includes estimated timing values based on previous testing.
- The change plan includes a viable rollback plan.
- The specified metrics/monitoring dashboards provide sufficient visibility for the change.
-
Check if the following applies: - The complexity of the plan is appropriate for the corresponding risk of the change. (i.e. the plan contains clear details).
- The change plan includes success measures for all steps/milestones during the execution.
- The change adequately minimizes risk within the environment/service.
- The performance implications of executing the change are well-understood and documented.
- The specified metrics/monitoring dashboards provide sufficient visibility for the change.
- If not, is it possible (or necessary) to make changes to observability platforms for added visibility?
- The change has a primary and secondary SRE with knowledge of the details available during the change window.
- The change window has been agreed with Release Managers in advance of the change. If the change is planned for APAC hours, this issue has an agreed pre-change approval.
- The labels blocks deployments and/or blocks feature-flags are applied as necessary.
Change Technician checklist
-
Check if all items below are complete: - The change plan is technically accurate.
- This Change Issue is linked to the appropriate Issue and/or Epic
- Change has been tested in staging and results noted in a comment on this issue.
- A dry-run has been conducted and results noted in a comment on this issue.
- The change execution window respects the Production Change Lock periods.
- For C1 and C2 change issues, the change event is added to the GitLab Production calendar.
- For C1 and C2 change issues, the SRE on-call has been informed prior to change being rolled out. (In #production channel, mention
@sre-oncall
and this issue and await their acknowledgement.) - For C1 and C2 change issues, the SRE on-call provided approval with the eoc_approved label on the issue.
- For C1 and C2 change issues, the Infrastructure Manager provided approval with the manager_approved label on the issue.
- Release managers have been informed prior to any C1, C2, or blocks deployments change being rolled out. (In #production channel, mention
@release-managers
and this issue and await their acknowledgment.) - There are currently no active incidents that are severity1 or severity2
- If the change involves doing maintenance on a database host, an appropriate silence targeting the host(s) should be added for the duration of the change.