  1. Puppet Server
  2. SERVER-2896

Update CA CLI settings init to compute CA dir location


    Details

    • Type: Task
    • Status: Resolved
    • Priority: Normal
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: SERVER 7.0.0
    • Component/s: None
    • Labels:
      None
    • Template:
    • Team:
      Froyo
    • Story Points:
      3
    • Sprint:
      Froyo 11/02/2020, Froyo - 11/09/2020
    • Release Notes:
      Deprecation
    • Release Notes Summary:
      Beginning in Puppet 7, the default value of the `cadir` setting will be a location inside the puppetserver conf directory, specifically /etc/puppetlabs/puppetserver/ca. Previously, the default location was inside Puppet's own `ssldir`. This change will make it safer to delete Puppet's own `ssldir` without accidentally deleting your CA certificates.

      The puppetserver ca CLI provides a `migrate` command to move the CA directory from the puppet conf to the puppetserver conf. It will leave behind a symlink at the old CA location, pointing to the new location at /etc/puppetlabs/puppetserver/ca. This link will provide backwards compatibility for tools that still expect the cadir to exist in the old location. In a future version of Puppet, the `cadir` setting will be removed entirely.
    • QA Risk Assessment:
      Needs Assessment

      Description

      In Puppet 7, we are working to migrate users to a new CA dir location outside of the SSL dir. We want to seamlessly support both halves of this migration, so when computing the settings for the CA CLI tool, the cadir should be resolved as follows:

      • If the setting is configured to something custom, use that (if it is inside the ssldir, warn with the same message as in Puppet, see PUP-10720).
      • If the files are in the old location (/etc/puppetlabs/puppet/ssl/ca), use that but warn with the same messages as in Puppet, see PUP-10720.
      • If they're in the new location (/etc/puppetlabs/puppetserver/ca), use that.
      • If they're in neither location (i.e. we are bootstrapping), use the new one.

      This logic only applies to Puppet 7, so as part of this work, branch the gem to create a 2.0 version for use with Puppet 7+ only.

       

      Ensure there are meaningful integration tests.
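
The resolution order listed in the description, sketched in Ruby as an added example; this is not the puppetserver-ca gem's code. Assumptions: `ca_crt.pem` marks a populated CA directory, a symlink at the old location (as left by `migrate`) is not treated as the old location, and the warning text is a placeholder for the PUP-10720 message.

```ruby
require 'tmpdir'
require 'fileutils'

# Placeholder: the real wording comes from Puppet (PUP-10720) and is not on this page.
CADIR_WARNING = 'cadir is inside ssldir (placeholder for the PUP-10720 message)'

# True when +path+ is +dir+ itself or lies beneath it. Comparing with a trailing
# separator keeps "/x/ssl-old" from matching "/x/ssl".
def inside?(path, dir)
  path, dir = File.expand_path(path), File.expand_path(dir)
  path == dir || path.start_with?(dir + File::SEPARATOR)
end

# Assumption of this example: a CA "is in" a directory when ca_crt.pem exists there.
def ca_present?(dir)
  File.exist?(File.join(dir, 'ca_crt.pem'))
end

# Returns [cadir, warnings]. +custom+ is the configured cadir, or nil when unset.
def resolve_cadir(custom:, ssldir:, new_cadir:)
  old_cadir = File.join(ssldir, 'ca')
  return [custom, inside?(custom, ssldir) ? [CADIR_WARNING] : []] if custom
  # After `migrate` the old path is only a compatibility symlink, so it must not
  # count as the old location or every migrated host would keep warning.
  return [old_cadir, [CADIR_WARNING]] if !File.symlink?(old_cadir) && ca_present?(old_cadir)
  [new_cadir, []] # CA already in the new location, or bootstrapping
end

# Constructed layout in a temp directory standing in for /etc/puppetlabs.
def demo
  Dir.mktmpdir do |root|
    ssldir = File.join(root, 'puppet', 'ssl')
    new_cadir = File.join(root, 'puppetserver', 'ca')
    FileUtils.mkdir_p(ssldir)
    args = { custom: nil, ssldir: ssldir, new_cadir: new_cadir }
    results = { bootstrap: resolve_cadir(**args) }
    FileUtils.mkdir_p(File.join(ssldir, 'ca'))
    FileUtils.touch(File.join(ssldir, 'ca', 'ca_crt.pem'))
    results[:old] = resolve_cadir(**args)
    # Simulate `migrate`: move the directory and leave a symlink behind.
    FileUtils.mkdir_p(File.dirname(new_cadir))
    FileUtils.mv(File.join(ssldir, 'ca'), new_cadir)
    File.symlink(new_cadir, File.join(ssldir, 'ca'))
    results[:migrated] = resolve_cadir(**args)
    results[:custom] = resolve_cadir(**args.merge(custom: File.join(ssldir, 'myca')))
    results.transform_values { |(dir, warns)| [dir.sub(root, ''), warns.length] }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Each entry in the printed hash is the chosen cadir (relative to the temp root) and the number of warnings raised for that scenario.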


              People

              Assignee:
              justin Justin Stoller
              Reporter:
              maggie Maggie Dreyer
