Fixes #23799 - Refactor: Make PuppetCa pluggable

[juliantodt]

Since we are planning to offer alternative options for autosinging in the future (token based instead of hostname based) (see redmine issue) and want to allow users to choose their autosigning variant (primarily to allow compatibility with old versions, old foreman versions etc) we need to make the PuppetCA module pluggable, which means moving the autosinging functionality to a provider, which can then be swapped using the SmartProxy settings. We also want to clean up the module a bit and use dependency injections etc. The common logic for listing/signing/cleaning certificates (not autosign-entries) that uses the puppet cert command will remain in the puppetca-module.

This is btw an alternative approach to #576 which should allow for backwards compatibility and a compatible API between the autosigning variants.

[timogoebel]

@juliantodt: Thanks. Looks like solid work. I just left some small comments regarding naming. If they are resolved this looks ready to 🚢.

[timogoebel]

Puppet calls this basic autosigning. I think we should stick with the term or use something like autosignfile.

[juliantodt]

I don't like basic autosigning because it says nothing about how it works, autosignfile is better, but because the token based approach will also use a file it is not clear which is which. The thing that will distinguish the providers is the attribute which is compared during autosigning which is certname vs. token.
So imho the best name would be puppetca_hostnamebasedautosigning (or certnamebased) but this is a pain to read.

[timogoebel]

How about HostnameWhitelisting?

[juliantodt]

I like that, but wouldn't we want to use snake_case?

[timogoebel]

Yep, 🐍.

[timogoebel]

Can we find a better name for this? It's not clear what this is doing. Maybe something like CaInterface or CertificateAuthority?

[timogoebel]

Sorry to be so picky about the names, but what about FileBasedAutosign.

[juliantodt]

The token-based-autosigning-approach will also use a file, so that would not work. See above.

[timogoebel]

I'd call this ca or ca_interface or something similar.

E.g. inject_attr :ca_provider, :ca reads a lot cleaner in my opinion.

[juliantodt]

Well ca is the whole thing, which consists of managing certificates and autosign-entries. Since the cert_manager basically uses the puppet cert command for everything it does, I thought this would be matching name.

[timogoebel]

I don't see autosigning as part of the CA. Basically you have two separate strings:

1. Interface to the CA (ask the ca to issue/remove/... a certificate, ...)
2. Interface to an autosigning provider (list whitelisted hosts, whitelist a host, ...). This is typically not part of the CA, but of the RA.

Certmanager is definitely misleading. Please use something else.

[juliantodt]

Well, its part of the puppetCA module and under the puppet/ca/ api endpoint...
But I can understand that that may be confusing, how about just puppet_cert so its obvious it uses the puppet cert command?

[timogoebel]

Ok, works for me.

[timogoebel]

How about just autosign?

[juliantodt]

I like to refer to objects with nouns, makes it better to read imho ^^

[timogoebel]

Ok, works for me.

[timogoebel]

Nit: Please stick either to Ca or CA. I'd prefer the former.

[juliantodt]

Thanks! Left some thoughts about the naming inline @timogoebel

[juliantodt]

I don't like basic autosigning because it says nothing about how it works, autosignfile is better, but because the token based approach will also use a file it is not clear which is which. The thing that will distinguish the providers is the attribute which is compared during autosigning which is certname vs. token.
So imho the best name would be puppetca_hostnamebasedautosigning (or certnamebased) but this is a pain to read.

[juliantodt]

Well ca is the whole thing, which consists of managing certificates and autosign-entries. Since the cert_manager basically uses the puppet cert command for everything it does, I thought this would be matching name.

[juliantodt]

I like to refer to objects with nouns, makes it better to read imho ^^

[juliantodt]

The token-based-autosigning-approach will also use a file, so that would not work. See above.

[juliantodt]

Updated the PR with the requested naming changes.

[dgoetz]

The line above has to be changed to require 'puppetca/puppetca_puppet_cert' as modules/puppetca/puppetca_main.rb is renamed to modules/puppetca/puppetca_puppet_cert.rb so it can load the feature.

[juliantodt]

puppetca/puppetca_puppet_cert is loaded via plugin_configuration::load_classes, so we don't need it here. This require can therefore be deleted.

[dgoetz]

You are right, deleting it works also.

[juliantodt]

Fixed @dgoetz. Added a migration for the settings, so that users who had set the autosignfile setting will not experience problems.

[dgoetz]

Tested the latest commit including the migration and it works.

[timogoebel]

Thanks, @juliantodt.

[tbrisker]

Looks like nightly bats tests are now failing with an error regarding PuppetCA, could it be related to this change? http://ci.theforeman.org/blue/rest/organizations/jenkins/pipelines/foreman-nightly-release/runs/248/nodes/34/steps/41/log/?start=0

[dgoetz]

@tbrisker: Yes, it is probably related. The proxy logs could be helpful.
@timogoebel, @juliantodt: Puppet code needs to be adjusted as it adds still autosign file to puppetca after installation and migration.

[timogoebel]

We already have a PR open to fix the puppet modules, see theforeman/puppet-foreman_proxy#433.
@juliantodt is going to address the comments today.

[tbrisker]

Thanks @juliantodt and @timogoebel! in the future, when something requires changes in multiple repos, please make sure all PRs are ready to merge first and are merged in coordination to avoid breakages such as this.

[tbrisker]

@juliantodt @timogoebel Care to update the manuals for 1.19 forward with this change? Looks like some users are stumbling on it - https://community.theforeman.org/t/puppetca-foreman-proxy-disabled-beacuse-of-autosign-issue/12290