Fixes #23210 - Handle PuppetCA tokens #5730
Conversation
|
Issues: #23210 |
| # return if puppetca is using basic autosigning | ||
| return response if response.in? [true, false] | ||
| unless response.is_a?(Hash) && response['generated_token'].present? | ||
| logger.warn "Received an unexpected smart proxy response: #{response.to_s}" |
There was a problem hiding this comment.
Lint/StringConversionInInterpolation: Redundant use of Object#to_s in interpolation.
juliantodt
force-pushed
the
23210_handlesptokens
branch
from
37d8ece to
b4c8ffe
Compare
juliantodt
force-pushed
the
23210_handlesptokens
branch
from
b4c8ffe to
1b31cd1
Compare
test/models/token/build_test.rb
Outdated
| assert_equal 1, Token.count | ||
| end | ||
| end | ||
|
|
There was a problem hiding this comment.
Layout/TrailingBlankLines: 1 trailing blank lines detected.
juliantodt
force-pushed
the
23210_handlesptokens
branch
from
1b31cd1 to
28fb52a
Compare
| end | ||
|
|
||
| # Removes the host's name from the autosign.conf file | ||
| def delAutosign | ||
| logger.info "Delete the autosign entry for #{name}" | ||
| self.puppetca_token.delete if self.puppetca_token.present? |
There was a problem hiding this comment.
Please use .destroy so that callbacks run.
| @@ -57,15 +65,15 @@ def queue_puppetca | |||
| end | |||
|
|
|||
| def queue_puppetca_certname_reset | |||
| queue.create(:name => _("Reset PuppetCA certname for %s") % self, :priority => 49, | |||
| :action => [self, :resetCertname]) | |||
| post_queue.create(:name => _("Reset PuppetCA certname for %s") % self, :priority => 49, | |||
There was a problem hiding this comment.
Why do we need to take a look at the post_queue?
There was a problem hiding this comment.
To save tokens, we need the host's id which is only available after the host is saved, therefore we need these actions to happen in the post_queue
juliantodt
force-pushed
the
23210_handlesptokens
branch
from
28fb52a to
8ad5c2d
Compare
|
Updated, thanks @timogoebel. Tests are now green as well. |
There was a problem hiding this comment.
@juliantodt: Thanks. Looks good in general.
Could you please add puppetca_token to Host::Managed::Jail so it's allowed in safe mode template rendering? Thanks.
juliantodt
force-pushed
the
23210_handlesptokens
branch
from
8ad5c2d to
7075e12
Compare
theforeman-bot
added
Needs re-review
Needs testing
and removed
Waiting on contributor
labels
|
@timogoebel Thanks for the review, is done. |
juliantodt
force-pushed
the
23210_handlesptokens
branch
from
7075e12 to
a18186d
Compare
juliantodt
force-pushed
the
23210_handlesptokens
branch
from
a18186d to
2ddb60b
Compare
There was a problem hiding this comment.
Looks good to me. Ready to merge pending these PRs:
SmartProxy:
theforeman/smart-proxy#592
Puppet Foreman Proxy:
theforeman/puppet-foreman_proxy#433
theforeman/puppet-foreman_proxy#425
app/models/token.rb
Outdated
| @@ -2,7 +2,7 @@ class Token < ApplicationRecord | |||
| validates_lengths_from_database | |||
| belongs_to_host :foreign_key => :host_id | |||
|
|
|||
| validates :value, :host_id, :expires, :presence => true | |||
| validates :value, :host_id, :presence => true | |||
|
|
|||
| class Jail < ::Safemode::Jail | |||
| allow :host, :value, :expires, :nil? | |||
There was a problem hiding this comment.
This also needs present? for the community templates PR to work.
In a new SmartProxy PuppetCA autosigning variant tokens get returned that need to be provisioned on the host.
juliantodt
force-pushed
the
23210_handlesptokens
branch
from
2ddb60b to
29916f1
Compare
theforeman-bot
added
Needs re-review
Needs testing
and removed
Waiting on contributor
labels
|
Thanks, @juliantodt. |
In a new SmartProxy PuppetCA autosigning variant tokens get returned that need to be provisioned on the host.
This adds a Token::PuppetCa model; moves the PuppetCa-orchestration form queue to post-queue (we need the host's id to save the token); and handles the response from the SmartProxy correctly (save the token if we get one, don't do anything if we don't).
This is completely backwards-compatible - old SmartProxy versions and the basic autosigning variant will also work with this.