Fundraising/techops/procedures/services-kafkatee

Notes on the legacy Kafkatee banner impression pipeline.

Kafka uses client certificate authentication for client connections. Kafka client certificates expire every six months, see https://phabricator.wikimedia.org/T360779. This covers how to obtain and deploy the certificate.

Kafka client certificates are generated automatically by production puppet ten days prior to expiration. We have icinga monitoring expiration, and will start getting warnings at this time. At eight days the alert goes to critical and we will start getting paged. There is also a systemd timer on cumin* that should email us.

The certificate can be retrieved from cumin\d{4}:/etc/fr-tech-kafka-client/*, there you'll find:

kafka__kafka_fundraising_client_kafka_11.chained.pem
kafka__kafka_fundraising_client_kafka_11.chain.pem
kafka__kafka_fundraising_client_kafka_11.csr
kafka__kafka_fundraising_client_kafka_11-key.pem
kafka__kafka_fundraising_client_kafka_11.pem

Copy these to (frack)puppet-private/secrets/kafkatee and do the git commit/push, and 'puppet-merge private' to deploy.