Refs #24012 - Add PuppetCA providers settings #434
Conversation
[ci skip]
Add new variable in params dhcp_subnets Set dhcp_subnets accordingly via template dhcp.yml.erb Fixes theforemanGH-109
The smart proxy module is simply called 'puppet' and is used for environment importing as well as Puppet runs, so this should make the relationship clearer.
1.12 splits the Puppet module up into many config files per puppetrun provider and per environment import provider. 1.11 users must set the `puppet_split_config_files` parameter to false to keep the single puppet.yml. A `mcollective_user` parameter has been added to expose the setting that was introduced in 1.9.0 and is now in puppet_proxy_mcollective.yml.
Unused by the smart proxy since 1.9.0. Closes theforemanGH-250
[ci skip] Closes theforemanGH-245
When using Puppet split config files, the provider name should be 'puppet_proxy_ssh' so when puppetrun_provider is given as 'puppetssh', it's changed to 'ssh' to help migrations. Fixes theforemanGH-254 Fixes theforemanGH-255
- remove libvirt_backend parameter - remove puppet_split_config_files parameter - remove unneeded ERB in dhcp.yml and dns.yml template - mark Fedora 24 supported instead of Fedora 21 - remove Debian 7 (wheezy) support - remove Ubuntu 12.04 (precise) support
[skip ci]
In puppet 4 AIO packaging, it's the `puppetserver` package that creates a `puppet` user and group. The `puppet-agent` package doesn't create the group and unless `puppetserver` is also installed the ssl keys and certs are owned by `root:root` and are not readable by the foreman proxy. (It's the installation of `puppetserver` that chowns the ssldir to `puppet:puppet`) With this commit, the module ensures that the `puppet_group` group exists even on puppet 4. It also makes sure the ssl_key/cert/ca files and parent directories are group owned by the `puppet_group` The change is hopefully quite conservative. Only if both `$puppet` and `$puppetca` are false and `$ssl` is true will it have any effect. By default, it also only applies to puppet 4 and can be turned off completely by setting `manage_puppet_group` to `false`. Users who already manage the creation of the puppet group, (for instance to workaround https://tickets.puppetlabs.com/browse/SERVER-1381) are further protected by the `if !defined`.
This reduces the amount of default help text and confusing options for plugins. This is especially confusing for 'enabled' as there are 2 options: ``` --[no-]enable-foreman-proxy-plugin-remote-execution-ssh --foreman-proxy-plugin-remote-execution-ssh-enabled ``` The former REALLY enables the plugin, the latter is only controlling the value in the .yml configuration which has a sane default value. We should hide this, and some of the other options like `listen_on`, `group`, etc which probably don't need changing ever.
Using /etc/ansible means that the ~foreman-proxy/.ansible.cfg file we had set up will be ignored. This means the callback is ignored and any other options we might set in /etc/foreman-proxy/ansible.cfg
There was a problem hiding this comment.
Could you document puppetca_modular?
I'm considering defaulting to false so it's backwards compatible but it's probably better to start the 1.19 development cycle in this module. We've seen with the previous setting that it can be better to go for the future.
|
And by documenting I mean adding a note to https://github.com/theforeman/puppet-foreman_proxy#compatibility similar to https://github.com/theforeman/puppet-foreman_proxy/tree/5.1-stable#115-compatibility-notes |
|
|
I was mostly thinking out loud. We can change the value in the installer but you're right that it creates more difficulty than needed. |
juliantodt
force-pushed
the
24012_puppetcahostnamesettings
branch
from
ffb3664 to
7356223
Compare
theforeman-bot
added
Needs re-review
Needs testing
and removed
Waiting on contributor
labels
juliantodt
force-pushed
the
24012_puppetcahostnamesettings
branch
3 times, most recently
from
058d358 to
fec2839
Compare
manifests/config.pp
Outdated
| @@ -87,6 +87,13 @@ | |||
| feature => 'Puppet CA', | |||
| listen_on => $::foreman_proxy::puppetca_listen_on, | |||
| } | |||
| if $::foreman_proxy::puppetca_modular { | |||
| foreman_proxy::settings_file { [ | |||
There was a problem hiding this comment.
nit: there's no need for a list here and it can just be a string. The code is slightly more readable then.
There was a problem hiding this comment.
Well, it will be an array eventually when we add the other provider's setting file...
manifests/init.pp
Outdated
| @@ -81,7 +81,11 @@ | |||
| # | |||
| # $puppet_group:: Groups of Foreman proxy user | |||
| # | |||
| # $autosignfile:: Path to the autosign file | |||
| # $puppetca_modular:: Using the current modular PuppetCa implementation? | |||
There was a problem hiding this comment.
How about: Whether the PuppetCA implementation is modular. This is true for 1.19 or later.
There was a problem hiding this comment.
Oh, and I think all of these should be under advanced parameters. I think we don't want to expose these options to every user via --help and for 1.19 we should ensure proper defaults and migrations.
juliantodt
force-pushed
the
24012_puppetcahostnamesettings
branch
2 times, most recently
from
214f100 to
d231391
Compare
juliantodt
force-pushed
the
24012_puppetcahostnamesettings
branch
2 times, most recently
from
5e75b24 to
3962a68
Compare
This adds the settings for the
puppetca_hostname_whitelistingprovider for the new modular PuppetCa module. This should fix the current nightlies. @tbrisker @ekohlThis is a part of #433 but without the
token_whitelistingprovider's settings and with the suggested additions