Manager certificate permissions if manage_certificates true #599

Open
Conversation

ehelms
Member

@ehelms ehelms commented Jun 15, 2020

Reviving an old PR with fresh updates. The idea behind this is that, at the user's choice, the module can manage the certificates for the smart-proxy. When true, this will copy the certificates provided into a known and controlled location, ensuring the right owner and group are set on them such that the smart-proxy can operate as intended. This is borrowed from, and can replace, the puppet-certs implementation and helps prevent an ordering problem with certificate generation and deployment. It can also provide a native way to indicate when a service restart is needed.

@ehelms ehelms force-pushed the cert-handling branch 2 times, most recently from ad9caed to b71baf8 Compare July 2, 2020 11:43
@ehelms ehelms changed the title Set ownership on SSL key Manager certificate permissions if manage_certificates true Mar 18, 2025
@ehelms ehelms marked this pull request as ready for review March 18, 2025 17:35
Member

@ekohl ekohl left a comment

We also have some code to manage Puppet certificates. I'm not entirely sure if this will conflict, but want you to be aware of it:

unless $foreman_proxy::puppetca or $foreman_proxy::puppet {
  # The puppet-agent doesn't create a puppet user and group
  # but the foreman proxy still needs to be able to read the agent's private key
  if $foreman_proxy::manage_puppet_group and $foreman_proxy::ssl {
    if !defined(Group[$foreman_proxy::puppet_group]) {
      group { $foreman_proxy::puppet_group:
        ensure => 'present',
        before => User[$foreman_proxy::user],
      }
    }
    $ssl_dirs_and_files = [
      $foreman_proxy::ssldir,
      "${foreman_proxy::ssldir}/private_keys",
      $foreman_proxy::ssl_ca,
      $foreman_proxy::ssl_key,
      $foreman_proxy::ssl_cert,
    ]
    file { $ssl_dirs_and_files:
      group => $foreman_proxy::puppet_group,
    }
  }
}
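The approach described in the PR description (copying the provided certificates into a controlled location with the right owner and group, and signalling a service restart) alongside the group-ownership handling quoted above, as an added illustration that is not code from puppet-foreman_proxy or from this PR. The class name, the `$source_dir`/`$dest_dir` parameters, the file names and the `foreman-proxy` user, group and service names are assumptions; `Service['foreman-proxy']` is assumed to be declared elsewhere in the catalog, and `Stdlib::Absolutepath` comes from puppetlabs-stdlib.

```puppet
# Added example, not code from the module or the PR: copy the smart-proxy's
# certificates into a controlled directory with explicit owner, group and
# mode, and restart the service whenever any of them changes.
# Assumed names: class, parameters, file names, 'foreman-proxy' user/group/service.
class foreman_proxy::managed_certs (
  Boolean              $manage_certificates = true,
  Stdlib::Absolutepath $source_dir          = '/root/ssl-build/proxy',
  Stdlib::Absolutepath $dest_dir            = '/etc/foreman-proxy/ssl',
  String               $owner               = 'foreman-proxy',
  String               $group               = 'foreman-proxy',
) {
  if $manage_certificates {
    # Parent directory is owned by the service account; Puppet autorequires
    # it for the files below, so no explicit ordering is needed.
    file { $dest_dir:
      ensure => directory,
      owner  => $owner,
      group  => $group,
      mode   => '0750',
    }

    # CA and server certificate are public material: world-readable is fine.
    ['ca.crt', 'proxy.crt'].each |String $name| {
      file { "${dest_dir}/${name}":
        ensure => file,
        source => "file://${source_dir}/${name}",
        owner  => $owner,
        group  => $group,
        mode   => '0644',
        notify => Service['foreman-proxy'],
      }
    }

    # The private key is readable only by the service account (owner and
    # group, no world access), and its contents are kept out of agent
    # reports, diffs and filebucket backups.
    file { "${dest_dir}/proxy.key":
      ensure    => file,
      source    => "file://${source_dir}/proxy.key",
      owner     => $owner,
      group     => $group,
      mode      => '0440',
      show_diff => false,
      backup    => false,
      notify    => Service['foreman-proxy'],
    }
  }
}
```

Because every managed file notifies the service, a changed key or certificate restarts the proxy in the same run that deploys it, which is the ordering problem the description refers to.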

@ehelms ehelms force-pushed the cert-handling branch 3 times, most recently from 50b00c6 to 3dc3c6d Compare March 21, 2025 14:53
ehelms commented Mar 21, 2025

I'm stuck on why the tests are not seeing the resource present.

@alexjfisher
Contributor

I'm stuck on why the tests are not seeing the resource present.

Use #{etc_dir} in the expected file path (as conf_dir is /usr/local/etc/foreman-proxy on FreeBSD)?
