Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow overriding passwords generated by extlib #409

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Allow overriding passwords generated by extlib #409

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 18 additions & 4 deletions manifests/candlepin.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,10 @@
Stdlib::Absolutepath $ca_cert = $certs::candlepin_ca_cert,
Stdlib::Absolutepath $ca_key = $certs::candlepin_ca_key,
Stdlib::Absolutepath $pki_dir = $certs::pki_dir,
Optional[String] $keystore_password = undef,
Stdlib::Absolutepath $keystore = $certs::candlepin_keystore,
String $keystore_password_file = 'keystore_password-file',
Optional[String] $truststore_password = undef,
Stdlib::Absolutepath $truststore = $certs::candlepin_truststore,
String $truststore_password_file = 'truststore_password-file',
String[2,2] $country = $certs::country,
Expand Down Expand Up @@ -67,8 +69,20 @@
build_dir => $certs::ssl_build_dir,
}

$keystore_password = extlib::cache_data('foreman_cache_data', $keystore_password_file, extlib::random_password(32))
$truststore_password = extlib::cache_data('foreman_cache_data', $truststore_password_file, extlib::random_password(32))
# Generate and cache the password on the master once
# In multi-puppetmaster setups, the user should specify their own
if $keystore_password {
$final_keystore_password = $keystore_password
} else {
$final_keystore_password = extlib::cache_data('foreman_cache_data', $keystore_password_file, extlib::random_password(32))
}

if $truststore_password {
$final_truststore_password = $truststore_password
} else {
$final_truststore_password = extlib::cache_data('foreman_cache_data', $truststore_password_file, extlib::random_password(32))
}

$keystore_password_path = "${pki_dir}/${keystore_password_file}"
$truststore_password_path = "${pki_dir}/${truststore_password_file}"
$client_key = $certs::foreman::client_key
Expand Down Expand Up @@ -109,7 +123,7 @@

file { $keystore_password_path:
ensure => file,
content => $keystore_password,
content => $final_keystore_password,
owner => 'root',
group => $group,
mode => '0440',
Expand All @@ -134,7 +148,7 @@

file { $truststore_password_path:
ensure => file,
content => $truststore_password,
content => $final_truststore_password,
owner => 'root',
group => $group,
mode => '0440',
Expand Down
4 changes: 3 additions & 1 deletion manifests/init.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,8 @@
# $deploy:: Deploy the certs on the configured system. False means
# we want to apply it to a different system
#
# $ca_key_password:: Optional string to use for the CA key password
#
# $ca_common_name:: Common name for the generated CA certificate
#
# $country:: Country attribute for managed certificates
Expand Down Expand Up @@ -73,6 +75,7 @@
Boolean $generate = true,
Boolean $regenerate = false,
Boolean $deploy = true,
String[10] $ca_key_password = $certs::params::ca_key_password,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you keep it on the line where it used to be? So between ca_cert_stripped and ca_key_password_file?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is new because ca_key_password was not in the parameters for the class previously.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm debating having a default or not. Having it means it ends up in our installer's answer files. Not sure if that's a benefit or a downside. @ehelms?

I also wonder what happens if you change the password parameter. I fear it would break since there's no support to change the password.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a bit confused. I do not like having it as a default and showing up in the answers file. This currently already has a default coming from params.pp?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The diff in GH isn't clear (I also failed at that at first). Right now it's in the body of the class. This PR moves it to a class parameter (with indirection via params since Kafo can't deal with calling functions as defaults).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ehelms can we revisit this? I still think this is a good direction.

I'm still leaning to undef and also support Sensitive. So Variant[Undef, Sensitive[String[10]], String[10]]] $ca_key_password = undef (or Optional[Variant[Sensitive[String[10]], String[10]]] which is equivalent).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I understand correctly, for an existing setup, if a new ca_key_password is provided this will force a new key to be generated, which forces a new CA to be generated which cascades and forces all smart-proxy / Capsules and clients to need to be updated.

Will the code properly handle that? I think we need a test for it. How do we help users not break their installations accidentally?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One data point that just came up today: if puppet-agent is removed then the cache is wiped. If the ssl-build directory isn't wiped, then there's a mismatch. If we have the value as an explicit parameter, the value is stored in the answer file and there wouldn't be an issue. So an argument against undef as default and in favor of the current code.

String $ca_common_name = $certs::params::ca_common_name,
String[2,2] $country = 'US',
String $state = 'North Carolina',
Expand Down Expand Up @@ -103,7 +106,6 @@
$ca_key = "${pki_dir}/private/${default_ca_name}.key"
$ca_cert = "${pki_dir}/certs/${default_ca_name}.crt"
$ca_cert_stripped = "${pki_dir}/certs/${default_ca_name}-stripped.crt"
$ca_key_password = extlib::cache_data('foreman_cache_data', 'ca_key_password', extlib::random_password(24))
$ca_key_password_file = "${ssl_build_dir}/${default_ca_name}.pwd"

$katello_server_ca_cert = "${pki_dir}/certs/${server_ca_name}.crt"
Expand Down
4 changes: 4 additions & 0 deletions manifests/params.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,4 +19,8 @@
$candlepin_ca_key = "${candlepin_certs_dir}/candlepin-ca.key"

$pulp_pki_dir = '/etc/pki/pulp'

# Generate and cache the password on the master once
# In multi-puppetmaster setups, the user should specify their own
$ca_key_password = extlib::cache_data('foreman_cache_data', 'ca_key_password', extlib::random_password(24))
}