Bug #27847
foreman-proxy-certs-generate uses a value for --foreman-proxy-cname to add a DNS record even if it is invalid
Description
foreman-proxy-certs-generate uses the value for --foreman-proxy-cname to add a DNS record in the SAN field regardless of that setting making sense or not. E.g. DNS:[] and DNS: <= empty string.
This is what foreman-proxy-certs-generate is generating for qpid-router-server.crt: (used by capsules' qdrouterd on port 5647 to listen to clients' goferds)
~~~
X509v3 Subject Alternative Name:
    DNS:mycapsule.example.com, DNS:[]
~~~
The DNS:[] comes from the default value for --foreman-proxy-cname:
~~~
[root@sat65a ~]# foreman-proxy-certs-generate --help
(...snip...)
= Module foreman_proxy_certs:
--certs-tar Path to tar file with certs to generate (current: UNDEF)
--foreman-proxy-cname additional names of the foreman proxy (current: ["[]"]) <========= here
--foreman-proxy-fqdn FQDN of the foreman proxy (current: "sat65a.usersys.redhat.com")
~~~
Turns out, if you use `--foreman-proxy-cname ""` with `foreman-proxy-certs-generate` it will still generate certs with DNS:<fqdn>, DNS: <==== second DNS entry empty.
The problem is that puppet-strings parses the default as the string "[]" rather than an empty array [].
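A check for the malformed entries described above, added here as an example and not part of the original report or of foreman-proxy-certs-generate: it parses the Subject Alternative Name line from `openssl x509 -noout -text` output and flags DNS entries that are empty or not valid hostnames. The function names and the sample text are constructed for illustration; the samples mirror the two cases in the report.

```python
import re

# One DNS label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def parse_san(openssl_text):
    """Return (type, value) pairs from the SAN line of `openssl x509 -text` output."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Subject Alternative Name" in line and i + 1 < len(lines):
            pairs = []
            for item in lines[i + 1].split(","):
                kind, _, value = item.strip().partition(":")
                pairs.append((kind, value.strip()))
            return pairs
    return []


def dns_name_problem(name):
    """Return a reason if `name` is not a usable dNSName, else None."""
    if name == "":
        return "empty name"
    if len(name) > 253:
        return "longer than 253 characters"
    labels = name.split(".")
    if labels[0] == "*" and len(labels) > 1:  # allow one leading wildcard label
        labels = labels[1:]
    for label in labels:
        if not _LABEL.fullmatch(label):
            return f"invalid label {label!r}"
    return None


def audit_san(openssl_text):
    """List (name, reason) for every DNS entry in the SAN that fails validation."""
    checked = ((v, dns_name_problem(v)) for k, v in parse_san(openssl_text) if k == "DNS")
    return [(name, reason) for name, reason in checked if reason]


# Constructed samples mirroring the two cases in the report, plus a clean one.
HEADER = "            X509v3 Subject Alternative Name:\n                "
SAMPLE_DEFAULT = HEADER + "DNS:mycapsule.example.com, DNS:[]\n"
SAMPLE_EMPTY = HEADER + "DNS:mycapsule.example.com, DNS:\n"
SAMPLE_CLEAN = HEADER + "DNS:mycapsule.example.com, DNS:alias.example.com\n"

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("empty", SAMPLE_EMPTY), ("clean", SAMPLE_CLEAN)):
        print(label, audit_san(text))
```

The parser splits the SAN line on commas, so it suits the DNS and IP entries seen here and not SAN types whose values contain commas.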
Associated revisions
Refs #27847 - Set parameter mapping
In puppet-certs master the default values are loaded via params.pp to
work around kafo limitations. This configures kafo to actually find it.
Otherwise it can't load the defaults and the values are nil.
Refs #27847 - Load CNAME default from params
3beda1df35481210b581f9beeb63d1dcafd2aca0 intended to load the variable
from params and even added it to params.pp, but missed using that
variable.
Refs #27847 - Use legacy facts
In foreman-installer we test the command inside bundler. There is only a
facter 2 gem which doesn't have the modern facts. That means
$facts['networking'] is undef and breaks, even though this won't be a
problem in production. In many places we still use legacy facts so this
reverts back to legacy facts.
History
#1
Updated by The Foreman Bot over 3 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/puppet-certs/pull/256 added
#2
Updated by The Foreman Bot over 3 years ago
- Fixed in Releases 1.24.0 added
#3
Updated by Ewoud Kohl van Wijngaarden over 3 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset puppet-certs|3beda1df35481210b581f9beeb63d1dcafd2aca0.
#4
Updated by The Foreman Bot over 3 years ago
- Pull request https://github.com/theforeman/foreman-packaging/pull/4115 added
#5
Updated by Ewoud Kohl van Wijngaarden over 3 years ago
- Pull request deleted (https://github.com/theforeman/foreman-packaging/pull/4115)
#6
Updated by Ewoud Kohl van Wijngaarden over 3 years ago
- Triaged changed from No to Yes
- Target version set to 1.24.0
- Assignee changed from Eric Helms to Ewoud Kohl van Wijngaarden
- Category set to Foreman modules
#7
Updated by The Foreman Bot over 3 years ago
- Pull request https://github.com/theforeman/puppet-certs/pull/259 added
#8
Updated by The Foreman Bot over 3 years ago
- Pull request https://github.com/theforeman/foreman-installer/pull/397 added
#9
Updated by The Foreman Bot over 3 years ago
- Pull request https://github.com/theforeman/puppet-certs/pull/260 added
Fixes #27847 - Refactor foreman_proxy_content class
touch this
class inheritance