Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes #33733 - generate key for db encryption #235

Merged
merged 2 commits into from
Oct 20, 2021

Conversation

jlsherrill
Copy link
Contributor

No description provided.

@jlsherrill
Copy link
Contributor Author

I'll write a test for this, but wanted to get some initial impressions

manifests/config.pp Outdated Show resolved Hide resolved
manifests/init.pp Outdated Show resolved Hide resolved
@jlsherrill jlsherrill force-pushed the 33733 branch 2 times, most recently from 3bae9d6 to ff245a8 Compare October 20, 2021 15:49
@jlsherrill
Copy link
Contributor Author

not sure if there's more to test here, but i added a test

manifests/config.pp Outdated Show resolved Hide resolved
Co-authored-by: Ewoud Kohl van Wijngaarden <ewoud@kohlvanwijngaarden.nl>
@jlsherrill
Copy link
Contributor Author

🟢 i don't have merge access

@ehelms ehelms merged commit 3c02ad4 into theforeman:master Oct 20, 2021
@wbclark
Copy link
Collaborator

wbclark commented Oct 20, 2021

I previously took a stab at this with #205 , using a puppet function to wrap Ruby's SecureRandom.urlsafe_base64(32) rather than relying on an exec and openssl. Longer term if we want to avoid the exec, that idea may be worth revisiting.

@wbclark
Copy link
Collaborator

wbclark commented Oct 20, 2021

Does the file resource require show_diff => false ? Since it manages only attributes other than the file contents

Is the key visible in puppet logs when the exec resource is evaluated?

@ehelms
Copy link
Member

ehelms commented Oct 20, 2021

Does the file resource require show_diff => false ? Since it manages only attributes other than the file contents

Is the key visible in puppet logs when the exec resource is evaluated?

Good question, if I look at the test output:

  Notice: /Stage[main]/Pulpcore::Config/Exec[Create database symmetric key]/returns: executed successfully
  Notice: /Stage[main]/Pulpcore::Config/Exec[Create database symmetric key]: Triggered 'refresh' from 1 event
  Notice: /Stage[main]/Pulpcore::Config/File[/etc/pulp/certs/database_fields.symmetric.key]/group: group changed 'root' to 'pulp'
  Notice: /Stage[main]/Pulpcore::Config/File[/etc/pulp/certs/database_fields.symmetric.key]/mode: mode changed '0644' to '0640'

@jlsherrill
Copy link
Contributor Author

sorry @wbclark didn't realize you had been working on this!

@ekohl
Copy link
Member

ekohl commented Oct 20, 2021

Notice: /Stage[main]/Pulpcore::Config/File[/etc/pulp/certs/database_fields.symmetric.key]/mode: mode changed '0644' to '0640'

This does bring a good point. We should set umask on exec so there isn't a short window where it is world readable.

@ehelms ehelms added the Enhancement New feature or request label Oct 24, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Enhancement New feature or request Needs testing
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants