Move to new RDS CAs #105
Comments
Production docs.rs doesn't use RDS, so you're safe to do whatever you want :) To my knowledge there is a test environment where a new ECS-based setup was tested, where we have RDS; perhaps @jdno knows more.
Yeah, I know there's no production usage, but it likely makes sense to update code at the same time while it's in cache for the non-prod usage.
We still need to update RDS to actually use the new CA.
I found a DB called docs-rs-prod in the legacy account. Terraform here. syphar said that docs.rs doesn't use RDS, so now I'm wondering if this DB is used.
I'm checking the data of this DB to understand if it's still used. Apparently the Same is true for the The Same for the I think we got the idea 😅 Probably this DB was used until 2 years ago and now isn't used anymore. How to proceed
Of course I need approval from the docs-rs team to proceed 👍 @syphar what do you think?
Deleted the docs-rs-prod DBs in rust-lang/simpleinfra#474 and rust-lang/simpleinfra#475 👍 Tomorrow I will update the CA of the
Updated the CA of
The current RDS instances we use ~all (as far as I know) use a soon-to-be-expired root CA to authenticate the TLS connections. That CA is going to expire on August 22, 2024, so we need to migrate to the new set of CAs.
I've put up a sample PR doing so in rust-lang/triagebot#1772. Presuming that goes well it'd be great to get PRs for:
cc @jdno - possibly a good onboarding issue for code changes, but also time-sensitive
Once these are all done we should update our Terraform config for the shared DB to use the new set of roots. It probably doesn't matter which we pick, but I'd lean towards the rds-ca-ecc384-g1 root.