[SERVER-2424] CA CLI tool action for bootstrapping infra-crl Created: 2019/01/09  Updated: 2019/06/21  Resolved: 2019/01/17

Status: Closed
Project: Puppet Server
Component/s: None
Affects Version/s: None
Fix Version/s: SERVER 6.0.z, SERVER 6.y

Type: Task Priority: Normal
Reporter: Maggie Dreyer Assignee: Maggie Dreyer
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Blocks
Relates
Template:
Team: Froyo
QA Risk Assessment: Needs Assessment

 Description   

When enabling the infra-crl functionality, puppetserver expects three additional files to be present in order for the server to start: and inventory of the certnames of nodes considered to be "infrastructure", a map of those names to their serial numbers, and a CRL containing only the revocations from that list of nodes. These files will be generated automatically in call cases by puppetserver ca setup and puppetserver ca import, but in Puppet Server's bootstrapping code, only if the setting is enabled the first time the server is started (it generates them along with the rest of the CA). Likewise, pre-6 versions of Puppet Server will not generate them at all, in FOSS or PE.

This means that enabling this setting by default in PE will cause Puppet Server to fail to start either when upgrading from 2018.1 to 2019.0+, because the expected files do not exist. Likewise, a FOSS user toggling the setting to "on" would have to manually generate all three files before starting the server, not just the inventory file as documented.

In PE, we manage the creation of the inventory file. In FOSS, we expect users to populate it themselves. We should add an action the CA CLI that generates the other two files based on it, creating the mapping of certnames to serial numbers, and generating a new, empty CRL based on the chain of the existing full CRL.



 Comments   
Comment by Maggie Dreyer [ 2019/01/16 ]

This has been merged and released in the gem. Getting into pe-puppetserver now to unblock PE-25662.

Generated at Sat Jan 25 01:20:09 PST 2020 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.