(maint) Handle new CA path #2505
Conversation
|
This lets the docker entry-point understand the difference between the new and old CA dirs. I believe by exposing the CADIR as an env var it will also be configurable(??) I think in addition to this pupperware should be updated to have a puppet-certs volume label and the docs should be updated to call out the Puppet 7 change and importance of mounting place to keep your certs. However, this is my first change to the repo and I don't use it much. I'm not sure the best way to test this change or it in concert with any commensurate pupperware changes. Hoping to get some advice from @Iristyle on that. |
justinstoller
force-pushed
the
support-7-docker
branch
2 times, most recently
from
34e7375 to
9a4573b
Compare
|
|
||
| elif [ $new_ca_exists -eq 1 ] && [ $old_ca_exists -eq 0 ]; then | ||
| # Legacy CA upgrade | ||
| puppetserver ca migrate |
There was a problem hiding this comment.
I know we recently talked about how you don't need the --config flag to run this, but I noticed that we do pass the --config flag for the setup command. Is the setup command just being super explicit, or are we doing some custom thing that means we should pass it here too?
There was a problem hiding this comment.
The setup command is, afaict, being super explicit. However, that branch also writes to that config file so it seemed fine to leave it explicit. We don't touch the config as part of the migration and it seemed fine to leave it implicit there. But I'm happy either removing the setup's --config flag usage or adding it here.
|
Love to get a review from @Iristyle |
docker/puppetserver/Dockerfile
Outdated
| @@ -24,6 +24,7 @@ ENV PUPPERWARE_ANALYTICS_TRACKING_ID="UA-132486246-4" \ | |||
| PUPPETSERVER_JAVA_ARGS="-Xms512m -Xmx512m" \ | |||
| PATH=/opt/puppetlabs/server/bin:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/bin:$PATH \ | |||
| SSLDIR=/etc/puppetlabs/puppet/ssl \ | |||
| CADIR=/etc/puppetlabs/puppetserver/ca \ | |||
There was a problem hiding this comment.
Do we expect users to change this here?
If not, we've been trying to move ENV vars out of the Dockerfile because it signals something that can / should be touched by end users. Instead, better to just embed it in the script where it's used (in this case maybe do a puppet config print to retrieve it?)
Puppetserver is the one container that's a bit out of date with the "best practices" we've been trying to put in everywhere -- partially because its the first container, and partially b/c there are a lot of practices to unwind that people may be relying on b/c we have a lot of active users.
| # The steps in this file correspond to the steps in the PE installer. | ||
| # | ||
| # See https://github.com/puppetlabs/puppet-enterprise-modules/blob/kearney/modules/pe_install/manifests/prepare/certificates.pp | ||
| [ -d "$CADIR" ] && [ -f "$CADIR/ca_crt.pem" ] |
There was a problem hiding this comment.
I don't think the file test will ever pass if the directory isn't there, so do we need the -d?
There was a problem hiding this comment.
Also, I think these variables have slightly confusing names since they're named opposite of what I would expect. Maybe do something like this to flip the exit code:
new_ca_exists=$([ -f "$CADIR/ca_crt.pem" ] && echo 1)
old_ca_exists=$([ -f "$SSLDIR/ca/ca_crt.pem" ] && echo 1)So that then you can use the the -n (not null) and -z (null) tests in shell code like:
# no existing CA
if [ -z "$new_ca_exists" ] && [ -z "$old_ca_exists" ]; then
# legacy CA upgrade
elif [ -z "$new_ca_exists" ] && [ -n "$old_ca_exists" ]; then
fiBut it also wouldn't be terrible to just inline the tests either and avoid the named variables b/c at least -f and -d are easier to remember shell tests than -n and -z:
# no existing CA
if [ ! -f "$CADIR/ca_crt.pem" ] && [ ! -f "$SSLDIR/ca/ca_crt.pem" ]; then
# legacy CA upgrade
elif [ ! -f "$CADIR/ca_crt.pem" ] && [ -f "$SSLDIR/ca/ca_crt.pem" ]; then
fi
justinstoller
force-pushed
the
support-7-docker
branch
from
9a4573b to
2ca21a8
Compare
|
Sorry for the premature squash! I adopted all of the recommendations that came from review. This PR will require this Pupperware PR first: puppetlabs/pupperware#272 One can test this by pulling down Pupperware and applying the above PR.
|
justinstoller
force-pushed
the
support-7-docker
branch
from
2ca21a8 to
6243165
Compare
No description provided.