Cleaning a puppet certificate logic is incomplete
A certificate removal should fail if there is no CA but succeed if there is no certificate in the CA
#4 Updated by Paul Kelly over 10 years ago
I guess that we have a misunderstanding about what constitutes an error.
An error condition is raised if the CA or puppetca are not available. This indicates an installation problem and should NEVER happen. I added this, per your request, as you were quite right about that oversight.
At this point we are requested to ensure that there is no certificate for the host.
If there is a certificate then we remove it using puppetca and return the status of puppetca as the status of the removal. Also, if this operation caused an exception then we return a failed response.
If there was no certificate for the host then I accept that this is unexpected; however, I return true because the Foreman operation that I am expecting to perform is still able to progress. I could return false and abort the creation of the host, but this would be unhelpful to the user. Do you want me to add a logger.warning message along the lines of "Unable to remove certificate for host XXX as it is already removed"?
It is also possible that a host may get its build button pressed repeatedly and this removes the certificate on the first press, so later ones will be unable to remove the certificate again.
What do you think?
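
The return-value policy discussed in this comment, written out in Ruby as an added example; it is not Foreman's code or the commenter's patch. The names `clean_certificate` and `CAUnavailable`, the injected `runner`, the `<ssl_dir>/ca/signed/<host>.pem` layout and the host-name check are assumptions of this example.

```ruby
require "logger"
require "tmpdir"
require "fileutils"

# Hypothetical error class: the CA or puppetca is missing (installation problem).
class CAUnavailable < StandardError; end

# Ensure no certificate exists for +host+. Returns true/false; raises CAUnavailable.
# Assumptions: signed certs live at <ssl_dir>/ca/signed/<host>.pem, and +runner+
# is a callable that executes an argv array and returns true on exit status 0.
def clean_certificate(host, ssl_dir:, puppetca:, runner:, logger: Logger.new(nil))
  signed = File.join(ssl_dir, "ca", "signed")
  unless File.directory?(signed) && File.executable?(puppetca)
    raise CAUnavailable, "CA directory or puppetca is not available"
  end
  # The host name becomes a path component and a command argument: keep it strict.
  raise ArgumentError, "invalid host name" unless host.match?(/\A[a-z0-9][a-z0-9.-]*\z/i)
  unless File.exist?(File.join(signed, "#{host}.pem"))
    logger.warn("Unable to remove certificate for host #{host} as it is already removed")
    return true # desired state already holds, so a repeated request still succeeds
  end
  begin
    runner.call([puppetca, "--clean", host]) ? true : false
  rescue StandardError => e
    logger.error("Certificate removal for #{host} failed: #{e.message}")
    false
  end
end

# Constructed demo: a throwaway CA tree with one signed cert and stand-in runners.
def demo
  Dir.mktmpdir do |dir|
    signed = File.join(dir, "ca", "signed")
    FileUtils.mkdir_p(signed)
    bin = File.join(dir, "puppetca")
    File.write(bin, "#!/bin/sh\n")
    File.chmod(0o755, bin)
    cert = File.join(signed, "web01.example.com.pem")
    File.write(cert, "constructed placeholder")
    ok = ->(argv) { File.delete(File.join(signed, "#{argv.last}.pem")); true }
    boom = ->(_argv) { raise IOError, "puppetca crashed" }
    args = { ssl_dir: dir, puppetca: bin }
    first = clean_certificate("web01.example.com", runner: ok, **args)
    second = clean_certificate("web01.example.com", runner: boom, **args) # already gone
    File.write(cert, "constructed placeholder")
    failed = clean_certificate("web01.example.com", runner: boom, **args)
    [first, second, failed]
  end
end
```

`demo` returns the results of a first removal, a repeated removal after the certificate is gone, and a removal where the runner raises. A missing CA directory or puppetca binary is the only case that propagates as an exception.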