[PUP-6828] Simplify agent SSL initialization
Created: 2016/10/17 Updated: 2019/07/26 Resolved: 2019/07/26
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Epic Name:||Simplify agent SSL initialization|
|Sprint:||SE 2017-01-11, SE 2017-02-08, SE 2017-02-22|
The Puppet X.509 PKI initialization logic is currently confusing, inconsistent, and buggy, due to the ad hoc nature of its implementation. The Puppet::SSL::Host class is responsible, either directly or indirectly, for fetching the CA certificate, CRL, RSA key pair, CSR, and certificate. This initialization is scattered across a number of functions and files, and is largely triggered by lazy methods. This structure makes it very hard to reason about or improve the PKI initialization process.
|Comment by Maggie Dreyer [ 2018/10/02 ]|
Josh Cooper, I guess this is the epic we should groom as part of scoping the overhaul to the agent cert bootstrapping that we were talking about. Although we'll probably end up writing new tickets, some of the stuff in here could inform the route we take. I've taken a quick pass through here and moved a few things out.