Allow overriding passwords generated by extlib #409
Conversation
manifests/init.pp
Outdated
| @@ -73,6 +75,7 @@ | |||
| Boolean $generate = true, | |||
| Boolean $regenerate = false, | |||
| Boolean $deploy = true, | |||
| String[1] $ca_key_password = $certs::params::ca_key_password, | |||
There was a problem hiding this comment.
What's the reason for moving this parameter to another line?
I also like the data type, but should we enforce at least X characters? for NSS we use 10 and I think that's a good number.
There was a problem hiding this comment.
This wasn't a parameter before. The other line in the diff was where it was defined inside the class. I also increased the string size to 10 per your suggestion.
manifests/params.pp
Outdated
| # Generate and cache the password on the master once | ||
| # In multi-puppetmaster setups, the user should specify their own | ||
| $ca_key_password = extlib::cache_data('foreman_cache_data', 'ca_key_password', extlib::random_password(24)) | ||
| $nss_db_password = extlib::cache_data('foreman_cache_data', 'certs-nss-db-password', extlib::random_password(32)) |
There was a problem hiding this comment.
What's the reason to move the NSS DB pass to params.pp? Looks like we can continue using it in certs::ssltools:nssdb. You do need to set it via Hiera, but you don't introduce it as a top level parameter anyway.
There was a problem hiding this comment.
This was just following a pattern. Most of the other modules I looked at had this kind of thing done in params.pp, so I just did it there as well. I can move it out to the class itself if that makes more sense.
There was a problem hiding this comment.
Ideally we would get rid of params.pp. In our installer we use Kafo, which can't deal with function calls in parameters (default parsing breaks). Now I do see that ca_key_password already was doing that in init.pp so now I wonder if that was broken all along.
There was a problem hiding this comment.
Ah, I missed something in my review: it's in the body now, not the actual class parameter. That's why it's not a problem today.
coreone
force-pushed
the
passwords
branch
2 times, most recently
from
be4f369
to
7b4234a
Compare
|
@ekohl anything else needed on this? |
manifests/candlepin.pp
Outdated
| # Generate and cache the password on the master once | ||
| # In multi-puppetmaster setups, the user should specify their own | ||
| $final_keystore_password = pick( | ||
| $keystore_password, extlib::cache_data('foreman_cache_data', $keystore_password_file, extlib::random_password(32)) |
There was a problem hiding this comment.
This may be a slight nuance, but in this case I do think the data is generated and cached, even if unused. Would it make sense to use a more traditional approach with if/else here?
There was a problem hiding this comment.
Changed these 2 lines into if/else blocks
| @@ -73,6 +75,7 @@ | |||
| Boolean $generate = true, | |||
| Boolean $regenerate = false, | |||
| Boolean $deploy = true, | |||
| String[10] $ca_key_password = $certs::params::ca_key_password, | |||
There was a problem hiding this comment.
Can you keep it on the line where it used to be? So between ca_cert_stripped and ca_key_password_file?
There was a problem hiding this comment.
This is new because ca_key_password was not in the parameters for the class previously.
There was a problem hiding this comment.
I'm debating having a default or not. Having it means it ends up in our installer's answer files. Not sure if that's a benefit or a downside. @ehelms?
I also wonder what happens if you change the password parameter. I fear it would break since there's no support to change the password.
There was a problem hiding this comment.
I'm a bit confused. I do not like having it as a default and showing up in the answers file. This currently already has a default coming from params.pp?
There was a problem hiding this comment.
The diff in GH isn't clear (I also failed at that at first). Right now it's in the body of the class. This PR moves it to a class parameter (with indirection via params since Kafo can't deal with calling functions as defaults).
There was a problem hiding this comment.
@ehelms can we revisit this? I still think this is a good direction.
I'm still leaning to undef and also support Sensitive. So Variant[Undef, Sensitive[String[10]], String[10]]] $ca_key_password = undef (or Optional[Variant[Sensitive[String[10]], String[10]]] which is equivalent).
There was a problem hiding this comment.
If I understand correctly, for an existing setup, if a new ca_key_password is provided this will force a new key to be generated, which forces a new CA to be generated which cascades and forces all smart-proxy / Capsules and clients to need to be updated.
Will the code properly handle that? I think we need a test for it. How do we help users not break their installations accidentally?
There was a problem hiding this comment.
One data point that just came up today: if puppet-agent is removed then the cache is wiped. If the ssl-build directory isn't wiped, then there's a mismatch. If we have the value as an explicit parameter, the value is stored in the answer file and there wouldn't be an issue. So an argument against undef as default and in favor of the current code.
coreone
force-pushed
the
passwords
branch
3 times, most recently
from
d1e4700
to
7a7de26
Compare
|
I did some testing: if you change the password for either the keystore or the truststore it fails to open it: You can delete the file and it will be recreated, but rotating passwords is not supported. I'm not sure what's the best solution to prevent users from this footgun. @ehelms any thoughts on changing the keystore & truststore types to catch the password error and recreate the file? |
Possible to add I should think -- if password change is detected we need to trigger a delete of the truststore and then let it re-build itself. |
|
I've opened #428 but it doesn't work yet. I'll continue on it tomorrow. |
Update suggestions
|
I think this needs at least two acceptance tests added:
|
No description provided.