Bug #27847

foreman-proxy-certs-generate uses a value for --foreman-proxy-cname to add a DNS record even if it is invalid

Added by Ewoud Kohl van Wijngaarden over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Category:
Foreman modules
Target version:

Description

foreman-proxy-certs-generate uses the value for --foreman-proxy-cname to add a DNS record in the SAN field regardless of that setting making sense or not. E.g. DNS:[] and DNS: <= empty string.

This is what foreman-proxy-certs-generate is generating for qpid-router-server.crt: (used by capsules' qdrouterd on port 5647 to listen to clients' goferds)

~~~
X509v3 Subject Alternative Name:
DNS:mycapsule.example.com, DNS:[]
~~~

The DNS:[] comes from the default value for --foreman-proxy-cname:
~~~
[root@sat65a ~]# foreman-proxy-certs-generate --help

(...snip...)

= Module foreman_proxy_certs:
--certs-tar Path to tar file with certs to generate (current: UNDEF)
--foreman-proxy-cname additional names of the foreman proxy (current: ["[]"]) <========= here
--foreman-proxy-fqdn FQDN of the foreman proxy (current: "sat65a.usersys.redhat.com")
~~~

Turns out, if you use `--foreman-proxy-cname ""` with `foreman-proxy-certs-generate` it will still generate certs with DNS:<fqdn>, DNS: <==== second DNS entry empty.

The problem is that puppet-strings parses the default as the string "[]" rather than an empty array [].
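To find certificates that were already issued with these entries, the SAN line printed by `openssl x509 -noout -text` can be checked for DNS values that are not host names. The following is an added example, not code from puppet-certs or foreman-installer; the function names are hypothetical and the host name rule (RFC 1123 style labels, optional leading wildcard) is an assumption about what counts as valid here.

```ruby
# Added example: audit the dNSName entries of a Subject Alternative Name line
# as printed by `openssl x509 -noout -text`. Not part of puppet-certs.

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
LABEL = /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\z/i

# True when +name+ is a plausible dNSName: non-empty, at most 253 characters,
# dot-separated labels, optionally with a single leading "*." wildcard.
def valid_dns_name?(name)
  return false if name.empty? || name.length > 253
  labels = name.split('.', -1)            # -1 keeps empty labels ("a..b", "a.")
  labels.shift if labels.first == '*' && labels.length > 1
  labels.all? { |label| LABEL.match?(label) }
end

# Split a SAN line into [type, value] pairs. Values may be empty ("DNS:").
def parse_san(san_line)
  san_line.split(',').map do |entry|
    type, value = entry.strip.split(':', 2)
    [type, value.to_s.strip]
  end
end

# Return the DNS values from +san_line+ that are not valid host names.
def invalid_dns_entries(san_line)
  parse_san(san_line)
    .select { |type, _| type == 'DNS' }
    .map { |_, value| value }
    .reject { |value| valid_dns_name?(value) }
end

# First line is the SAN quoted in this report; the other two are constructed.
SAMPLES = {
  'default cname' => 'DNS:mycapsule.example.com, DNS:[]',
  'empty cname'   => 'DNS:mycapsule.example.com, DNS:',
  'expected'      => 'DNS:mycapsule.example.com, DNS:alias.example.com'
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, line|
    bad = invalid_dns_entries(line)
    puts format('%-14s %s', label, bad.empty? ? 'ok' : "invalid: #{bad.inspect}")
  end
end
```

A non-empty result for a certificate means it should be regenerated with a version that contains the fix.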

Associated revisions

Revision 3beda1df (diff)
Added by Ewoud Kohl van Wijngaarden over 3 years ago

Fixes #27847 - Refactor foreman_proxy_content class

  • Move $parent_fqdn to Advanced Parameters since users generally don't
    touch this
  • Implement stricter data types
  • Use modern facts
  • Work around a kafo_parsers/puppet-strings limitation by using
    class inheritance

Revision 425987e2 (diff)
Added by Ewoud Kohl van Wijngaarden over 3 years ago

Refs #27847 - Set parameter mapping

In puppet-certs master the default values are loaded via params.pp to
work around kafo limitations. This configures kafo to actually find it.
Otherwise it can't load the defaults and the values are nil.

Revision 265404ac (diff)
Added by Ewoud Kohl van Wijngaarden over 3 years ago

Refs #27847 - Load CNAME default from params

3beda1df35481210b581f9beeb63d1dcafd2aca0 intended to load the variable
from params and even added it to params.pp, but missed using that
variable.

Revision f913ba18 (diff)
Added by Ewoud Kohl van Wijngaarden over 3 years ago

Refs #27847 - Use legacy facts

In foreman-installer we test the command inside bundler. There is only a
facter 2 gem which doesn't have the modern facts. That means
$facts['networking'] is undef and breaks, even though this won't be a
problem in production. In many places we still use legacy facts so this
reverts back to legacy facts.

History

#1 Updated by The Foreman Bot over 3 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-certs/pull/256 added

#2 Updated by The Foreman Bot over 3 years ago

  • Fixed in Releases 1.24.0 added

#3 Updated by Ewoud Kohl van Wijngaarden over 3 years ago

  • Status changed from Ready For Testing to Closed

#4 Updated by The Foreman Bot over 3 years ago

  • Pull request https://github.com/theforeman/foreman-packaging/pull/4115 added

#5 Updated by Ewoud Kohl van Wijngaarden over 3 years ago

  • Pull request deleted (https://github.com/theforeman/foreman-packaging/pull/4115)

#6 Updated by Ewoud Kohl van Wijngaarden over 3 years ago

  • Triaged changed from No to Yes
  • Target version set to 1.24.0
  • Assignee changed from Eric Helms to Ewoud Kohl van Wijngaarden
  • Category set to Foreman modules

#7 Updated by The Foreman Bot over 3 years ago

  • Pull request https://github.com/theforeman/puppet-certs/pull/259 added

#8 Updated by The Foreman Bot over 3 years ago

  • Pull request https://github.com/theforeman/foreman-installer/pull/397 added

#9 Updated by The Foreman Bot over 3 years ago

  • Pull request https://github.com/theforeman/puppet-certs/pull/260 added
