Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes #37817: Only copy server CA in build root if generate is true #463

Merged
merged 2 commits into from
Sep 13, 2024
Merged

Fixes #37817: Only copy server CA in build root if generate is true #463

merged 2 commits into from
Sep 13, 2024

Conversation

ehelms
Copy link
Member

@ehelms ehelms commented Sep 13, 2024

Alternative to #461. This does include the tests from 461, but not the re-factorings. I wanted to have as crisp of a solution to the regression as possible. The re-factoring, which I like, we can layer on top of the fix afterward.

If you rewind to 433dadc, prior to this change, the ca resource was used to perform the copying to the server CA in the build root. This resource had the generate parameter built into it. This is what prevented the current regression from happening in the old design. When deploying a foreman-proxy-content scenario in the installer, we are supplying all the certificates in the tarball. Therefore no generation needs to occur. Which we can see as the case by looking at the answers file (https://github.com/theforeman/foreman-installer/blob/develop/config/foreman-proxy-content-answers.yaml#L13C1-L14C1):

certs:
  generate: false

I think this is the correct solution at this point in time, as it restores the prior behavior and fixes the issues (as evidenced by the reproducer tests -- thanks @ekohl).

This issue has given me some ideas on how this could be improved in upcoming releases through some re-factoring and re-design.

@ehelms ehelms mentioned this pull request Sep 13, 2024
Draft
ekohl
ekohl approved these changes Sep 13, 2024
View reviewed changes
spec/acceptance/certs_spec.rb
describe 'deploy certificates' do
manifest = <<-PUPPET
class { 'certs':
generate => false,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note to self: this bit I missed in my PR.

@ekohl ekohl added the Bug label Sep 13, 2024
ekohl and others added 2 commits September 13, 2024 12:11
@ekohl
Add a test for custom server certificates in tar file
182becf 
This asserts that the default CA and server CA are the same in one
scenario and differ in the other.
@ehelms @ekohl
Fixes #37817: Only copy server CA in build root if generate is true
975bdb9 
Fixes: 433dadc ("Copy the server CA certificate with file resource")
@ekohl ekohl linked an issue Sep 13, 2024 that may be closed by this pull request
Custom CA overwritten when certs::server_ca_cert is undefined #456
Closed
@ekohl ekohl enabled auto-merge (rebase) September 13, 2024 10:12
@ekohl
Copy link
Member

ekohl commented Sep 13, 2024

I fixed up my commit message (customer -> custom) and added a Fixes trailer to yours.

@ekohl ekohl merged commit 15a3cc2 into theforeman:master Sep 13, 2024
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ekohl ekohl ekohl approved these changes

Assignees
No one assigned
Labels
Bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Custom CA overwritten when certs::server_ca_cert is undefined
2 participants
@ehelms @ekohl