  1. Puppet Server
  2. SERVER-2284

Backport new CA CLI gem to 5.3.x

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 5.3.5
    • Component/s: None
    • Labels:
    • Template:
    • Acceptance Criteria:
      • puppetserver ca CLI can be used in puppetserver 5.3.5
    • Team:
      Froyo
    • Release Notes:
      New Feature
    • Release Notes Summary:
      We have added a new command line tool for interacting with the Puppet CA, under the {{puppetserver ca}} command. This can be used to generate an intermediate CA for puppetserver (note that caveats about needing to manually copy these certs to agents still apply in the Puppet 5 series), and to generate, sign, revoke, clean, and list certs. All of these actions are executed by making requests to Puppet Server's CA API, in particular the {{certificate_status}} and {{certificate_statuses}} endpoints. Note that currently requests to these endpoints are denied by the blanket rule in {{auth.conf}}, so if you would like to try out the new tool, you should first add two rules to {{auth.conf}}, whitelisting your master's certname to talk to those two endpoints.

      The {{puppet cert}} command and other assorted CA-related puppet subcommands are going to be removed in Puppet 6, so we encourage you to try out this tool now and give us feedback on any bugs or functionality gaps, so we can fix them before removing the tools it is replacing.
    • QA Risk Assessment:
      Needs Assessment

      Description

      In Puppet 6 we are removing puppet cert and the other CA-related puppet faces. They are getting deprecated in the next Platform 5 release. In order to give users an alternative to try out, we should backport support for the new puppetserver ca CLI and start shipping that gem in this same release. This also entails backporting a few packaging changes to support the shim for the gem.
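
      The two {{auth.conf}} rules that the release notes summary asks for could look like the following. This is an added example, not configuration taken from the ticket or from the Puppet Server packages; the certname {{puppet.example.com}}, the rule names and the sort-order value are placeholders and assumptions.

```hocon
# Fragment of Puppet Server's auth.conf (HOCON).
# Only the two added rules are shown; every existing rule stays as it is.
authorization: {
    version: 1
    rules: [
        # ... existing rules ...

        {
            # Single-certificate endpoint used to sign, revoke and clean.
            match-request: {
                path: "/puppet-ca/v1/certificate_status"
                type: path
                method: [get, put, delete]
            }
            # Placeholder: replace with the master's own certname.
            # Keep this a single exact name, never "*" or allow-unauthenticated:
            # whoever matches this rule can sign and revoke certificates.
            allow: "puppet.example.com"
            # Assumed value; it only has to be lower than the sort-order of
            # the blanket deny rule so that this rule is evaluated first.
            sort-order: 500
            # Hypothetical name; rule names must be unique within the file.
            name: "example ca cli certificate_status"
        },
        {
            # Listing endpoint used by the list action; read-only.
            match-request: {
                path: "/puppet-ca/v1/certificate_statuses"
                type: path
                method: get
            }
            allow: "puppet.example.com"
            sort-order: 500
            name: "example ca cli certificate_statuses"
        }

        # ... the existing blanket deny rule stays in place ...
    ]
}
```

      Limiting each rule to the HTTP methods listed keeps the grant to what these two endpoints need, and leaving the blanket deny rule untouched means every other certname is still refused.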

              People

              Assignee:
              justin Justin Stoller
              Reporter:
              maggie Maggie Dreyer