Manager certificate permissions if manage_certificates true by ehelms · Pull Request #599 · theforeman/puppet-foreman_proxy

ehelms · 2020-06-15T00:53:50Z

Reviving an old PR with fresh updates. The idea behind this is at the users choice, the module can manage the certificates for the smart-proxy. When true, this will copy certificates provided into a known and controlled location, ensuring the right owner and group are set on them such that the smart-proxy can operate as intended. This is borrowed from, and can replace, puppet-certs implementation and help prevent an ordering problem with certificate generation and deployment. And this can provide a native way to indicate when a service restart is needed.

ekohl

We also have some code to manage Puppet certificates. I'm not entirely sure if this will conflict, but want you to be aware of it:

puppet-foreman_proxy/manifests/config.pp

Lines 114 to 135 in af23995

    
           unless $foreman_proxy::puppetca or $foreman_proxy::puppet { 
        
             # The puppet-agent doesn't create a puppet user and group 
        
             # but the foreman proxy still needs to be able to read the agent's private key 
        
             if $foreman_proxy::manage_puppet_group and $foreman_proxy::ssl { 
        
               if !defined(Group[$foreman_proxy::puppet_group]) { 
        
                 group { $foreman_proxy::puppet_group: 
        
                   ensure => 'present', 
        
                   before => User[$foreman_proxy::user], 
        
                 } 
        
               } 
        
               $ssl_dirs_and_files = [ 
        
                 $foreman_proxy::ssldir, 
        
                 "${foreman_proxy::ssldir}/private_keys", 
        
                 $foreman_proxy::ssl_ca, 
        
                 $foreman_proxy::ssl_key, 
        
                 $foreman_proxy::ssl_cert, 
        
               ] 
        
               file { $ssl_dirs_and_files: 
        
                 group => $foreman_proxy::puppet_group, 
        
               } 
        
             } 
        
           }

manifests/config.pp

ehelms · 2025-03-21T20:03:50Z

I'm stuck on why the tests are not seeing the resource present.

alexjfisher · 2025-03-24T12:02:39Z

I'm stuck on why the tests are not seeing the resource present.

Use #{etc_dir} in the expected file path (as conf_dir is /usr/local/etc/foreman-proxy on FreeBSD)?

spec/classes/foreman_proxy__spec.rb

Signed-off-by: Eric D. Helms <ericdhelms@gmail.com>

theforeman-bot added Needs testing Not yet reviewed labels Jun 15, 2020

ehelms force-pushed the cert-handling branch 2 times, most recently from ad9caed to b71baf8 Compare July 2, 2020 11:43

ehelms mentioned this pull request Mar 17, 2025

Split installation into three distinct phases theforeman/foremanctl#119

Closed

ehelms force-pushed the cert-handling branch from b71baf8 to 8d97dbe Compare March 18, 2025 17:33

ehelms changed the title ~~Set ownership on SSL key~~ Manager certificate permissions if manage_certificates true Mar 18, 2025

ehelms marked this pull request as ready for review March 18, 2025 17:35

ehelms force-pushed the cert-handling branch from 8d97dbe to 40f8621 Compare March 18, 2025 17:38

ekohl reviewed Mar 19, 2025

View reviewed changes

manifests/config.pp Outdated Show resolved Hide resolved

manifests/config.pp Outdated Show resolved Hide resolved

pr-processor bot removed the Not yet reviewed label Mar 19, 2025

ehelms force-pushed the cert-handling branch 3 times, most recently from 50b00c6 to 3dc3c6d Compare March 21, 2025 14:53

alexjfisher reviewed Mar 24, 2025

View reviewed changes

spec/classes/foreman_proxy__spec.rb Outdated Show resolved Hide resolved

Manager certificate permissions if manage_certificates true

7708a32

Signed-off-by: Eric D. Helms <ericdhelms@gmail.com>

ehelms force-pushed the cert-handling branch from 3dc3c6d to 7708a32 Compare April 3, 2025 16:38

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Manager certificate permissions if manage_certificates true#599

Manager certificate permissions if manage_certificates true#599
ehelms wants to merge 1 commit intotheforeman:masterfrom
ehelms:cert-handling

ehelms commented Jun 15, 2020 •

edited

Loading

Uh oh!

ekohl left a comment

Uh oh!

Uh oh!

Uh oh!

ehelms commented Mar 21, 2025

Uh oh!

alexjfisher commented Mar 24, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

	unless $foreman_proxy::puppetca or $foreman_proxy::puppet {
	# The puppet-agent doesn't create a puppet user and group
	# but the foreman proxy still needs to be able to read the agent's private key
	if $foreman_proxy::manage_puppet_group and $foreman_proxy::ssl {
	if !defined(Group[$foreman_proxy::puppet_group]) {
	group { $foreman_proxy::puppet_group:
	ensure => 'present',
	before => User[$foreman_proxy::user],
	}
	}
	$ssl_dirs_and_files = [
	$foreman_proxy::ssldir,
	"${foreman_proxy::ssldir}/private_keys",
	$foreman_proxy::ssl_ca,
	$foreman_proxy::ssl_key,
	$foreman_proxy::ssl_cert,
	]
	file { $ssl_dirs_and_files:
	group => $foreman_proxy::puppet_group,
	}
	}
	}

Conversation

ehelms commented Jun 15, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ekohl left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

ehelms commented Mar 21, 2025

Uh oh!

alexjfisher commented Mar 24, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

ehelms commented Jun 15, 2020 •

edited

Loading