Calculate the client DN for Artemis, ignoring empty values #457
Conversation
|
@ekohl could I ask for a round of review on this idea? |
There was a problem hiding this comment.
I like the concept, but I think it breaks some design choices.
The idea is that katello::candlepin could be deployed on one server and katello::application on another (requiring the user/admin to take care of any relationship between the two). Then there is katello for the all-in-one installation we use in our installer. I'll grant you that we may be a long way away from a true split deployment, but this shows how you could build HA setups.
manifests/candlepin.pp
Outdated
| @@ -31,8 +31,11 @@ | |||
| Boolean $manage_db = true, | |||
| ) { | |||
| include certs | |||
| include certs::foreman | |||
There was a problem hiding this comment.
I don't quite like that this pulls in Foreman certificates, even though they may not be used at all (this class is still intended to be used standalone on a server without Katello).
Instead, I'd suggest to make add $artemis_client_dn as a class parameter here. Then in init.pp you would pass it. For that to work you need to swap the order of katello::candlepin and katello::application (due to compile time dependencies, no actual chaining).
You could set $artemis_client_dn (as you calculate it below) in application.pp and reuse it in init.pp. That would signal the relationship.
There was a problem hiding this comment.
Hrmm, testing that idea out I am running into cyclic dependency issues:
Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: Class[Certs::Candlepin] is already declared; cannot redeclare (file: /home/ehelms/workspace/upstream/installer/puppet-katello/spec/fixtures/modules/katello/manifests/candlepin.pp, line: 37) (file: /home/ehelms/workspace/upstream/installer/puppet-katello/spec/fixtures/modules/katello/manifests/candlepin.pp, line: 37, column: 3) on node wareagle.com
Thoughts on #457 (comment) ?
There was a problem hiding this comment.
Hmm, tricky. We don't have a proper separation in certs::candlepin. Ideally we'd have certs::candlepin::server and certs::candlepin::client where katello::candlepin configures the former while katello::application uses the latter.
Given it actually uses the Foreman certificates as client bits, perhaps we can get away with NOT including certs::candlepin at all in katello::application.
I've pushed some changes that pass unit tests.
| @@ -50,7 +53,7 @@ | |||
| keystore_password => $certs::candlepin::keystore_password, | |||
| truststore_file => $certs::candlepin::truststore, | |||
| truststore_password => $certs::candlepin::truststore_password, | |||
| artemis_client_dn => $certs::candlepin::artemis_client_dn, | |||
There was a problem hiding this comment.
Does the prior existence of this not already imply the behavior you mentioned trying to avoid with this change? This relies on certs::candlepin which in turn relies on certs::foreman -- https://github.com/theforeman/puppet-certs/blob/master/manifests/candlepin.pp#L27
There was a problem hiding this comment.
Yes, I do think that eventually certs::candlepin should no longer include certs::foreman. It'll be a breaking change, but worth it.
| Puppet::Functions.create_function(:'katello::build_dn') do | ||
| # @param options | ||
| # | ||
| # @return String |
There was a problem hiding this comment.
Technically you need to write
| # @return String | |
| # @return [String] human readable description |
However, I prefer to use return_type 'String' in the dispatch, similar to param.
|
Currently, acceptance tests are failing due to foreman.service timing out on boot through systemd. I observed this locally and that theforeman/foreman-packaging#8660 seemed to provide a fix.... granted that is not a complete root cause analysis but does close a gap. I could see no other obvious evidence as to why it was suddenly timing out on start yet. |
|
Testing the same assertion round trip, seems to fix test runs locally as well: |
Moving the computation of the Artemis client DN into this class
instead of relying on the value provided directly by classes in
puppet-certs aims to solve two problems:
1) Testing at all levels of the value of the client DN
2) Adding a function to calculate the DN based on a set of values and
ignoring any empty values which do not end up in the actual certificate
The Candlepin server should not deploy the Foreman client certificates. Instead, it should be passed in as a parameter. This allows a standalone deployment. In case an all-in-one deployment is done the value is taken from the application. The Candlepin server certificates are no longer needed on the application side: the Foreman certificates are used as client certificates.
By using a stricter type definition we can be sure about the input. The actual DN construction then becomes very simple.
ekohl
force-pushed
the
calculate_client_dn
branch
from
5906491 to
b2893ab
Compare
Moving the computation of the Artemis client DN into this class
instead of relying on the value provided directly by classes in
puppet-certs aims to solve two problems:
ignoring any empty values which do not end up in the actual certificate
Additionally this removes the layers of indirection
certs::candlepin::artemis_client_dnwhich pointedcerts::foreman::client_dnand moves the calculation closer to the input as this class serves to bring another of items together to properly configure Candlepin/Artemis/Tomcat.This aims to solve a reported BZ from Satellite where if a user customizes parts of the certificate creation process, the statically calculated client DN breaks and the Artemis connection breaks. By ignoring empty values the right DN gets provided.
Somewhere in the future, there is a path to eventually calculate this directly from the certificate and avoid even more ambiguity -- my attempts at this previously have proved difficult.