  1. Puppet Server
  2. SERVER-2284

Backport new CA CLI gem to 5.3.x


Details

    • New Feature
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • None
    • SERVER 5.3.5
    • None
      • puppetserver ca CLI can be used in puppetserver 5.3.5
    • Froyo
    • New Feature
      We have added a new command line tool for interacting with the Puppet CA, under the {{puppetserver ca}} command. This can be used to generate an intermediate CA for puppetserver (note that caveats about needing to manually copy these certs to agents still apply in the Puppet 5 series), generate, sign, revoke, clean, and list certs. All of these actions are executed by making requests to Puppet Server's CA API, in particular the {{certificate_status}} and {{certificate_statuses}} endpoints. Note that currently requests to these endpoints are denied by the blanket rule in {{auth.conf}}, so if you would like to try out the new tool, you should first add two rules to {{auth.conf}}, whitelisting your master's certname to talk to those two endpoints.

      The {{puppet cert}} command and other assorted CA-related puppet subcommands are going to be removed in Puppet 6, so we encourage you to try out this tool now and give us feedback on any bugs or functionality gaps, so we can fix them before removing the tools it is replacing.
    • Needs Assessment

    Description

      In Puppet 6 we are removing puppet cert and the other CA-related puppet faces. They are getting deprecated in the next Platform 5 release. In order to give users an alternative to try out, we should backport support for the new puppetserver ca CLI and start shipping that gem in this same release. This also entails backporting a few packaging changes to support the shim for the gem.
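
The release note above asks for two auth.conf rules that let the master's certname reach the certificate_status and certificate_statuses endpoints. The fragment below is an added example, not taken from this ticket or from the project's shipped configuration; the certname is a placeholder, and the rule names and sort-order values are assumptions.

```hocon
# Added example. Place both rules inside the authorization.rules array of
# auth.conf. "ca-master.example.com" is a placeholder certname; the rule
# names and sort-order values are assumptions.
{
    # Single-certificate endpoint: read status, sign or revoke, delete.
    match-request: {
        path: "/puppet-ca/v1/certificate_status"
        type: path
        method: [get, put, delete]
    }
    # Allow only the master's own certname, never "*".
    allow: "ca-master.example.com"
    # Must be lower than the blanket deny rule's sort-order so that this
    # rule is evaluated first.
    sort-order: 500
    name: "ca cli certificate_status"
},
{
    # Bulk endpoint used when listing certificates and requests.
    match-request: {
        path: "/puppet-ca/v1/certificate_statuses"
        type: path
        method: get
    }
    allow: "ca-master.example.com"
    sort-order: 500
    name: "ca cli certificate_statuses"
},
```

Because certificate_status accepts PUT and DELETE, any certname on the allow line can sign, revoke and clean certificates, so keep it to the host that runs the CA.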

            People

              justin Justin Stoller
              maggie Maggie Dreyer