Enable connecting to metrics without certificates #34

Merged: 2 commits, Jun 8, 2017

npwalker (Owner) commented Jun 6, 2017

Prior to this commit, we used certificates to connect to the metrics
endpoints despite using SSL_VERIFY_NONE.

After this commit, we forgo the certificates so non-root users can easily
run the script.

@npwalker npwalker requested a review from reidmv June 6, 2017 22:50
@npwalker npwalker force-pushed the enable_connecting_to_metrics_endpoint_without_ssl branch from 2598d05 to 7e5edd3 Compare June 6, 2017 22:52
reidmv (Collaborator) commented Jun 8, 2017

@npwalker have you had a chance to test this yet?

@npwalker npwalker force-pushed the enable_connecting_to_metrics_endpoint_without_ssl branch from 2eaaa5d to 7497628 Compare June 8, 2017 17:47
@npwalker npwalker changed the title from "Enable connecting to metrics without SSL" to "Enable connecting to metrics without certificates" Jun 8, 2017

npwalker (Owner, Author) commented Jun 8, 2017

@reidmv I came to a different conclusion after testing. No need to use certs at all.

@npwalker npwalker force-pushed the enable_connecting_to_metrics_endpoint_without_ssl branch from 7497628 to b06f079 Compare June 8, 2017 19:57
jarretlavallee (Collaborator) left a comment

👍 Looks good on Davis and Glisan

npwalker (Owner, Author) commented Jun 8, 2017

Tested this out a few different times.

Essentially running the script as the centos user ensures that it can be run as non-root. Due to the 744 permissions of the script we execute it via ruby instead of executing the script directly.

su - centos -c "/opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/pe_metric_curl_cron_jobs/scripts/tk_metrics --metrics_type puppetserver"

su - centos -c "/opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/pe_metric_curl_cron_jobs/scripts/tk_metrics --metrics_type puppetdb"

Prior to this commit, we set the cacert, cert, and key but also
pass SSL_VERIFY_NONE which negates the need for the former.

After this commit, we do not set the cacert, cert, and key so that
non-root users can run the script without hitting permissions
errors on the keys.
@npwalker npwalker force-pushed the enable_connecting_to_metrics_endpoint_without_ssl branch from b06f079 to d14ee6d Compare June 8, 2017 23:42
@npwalker npwalker merged commit 44d6b9f into master Jun 8, 2017
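
An added example, not code from this pull request or from the project: the Net::HTTP settings the commit message discusses, exercised in Ruby against a constructed local HTTPS listener with no client cert or key set. The helper names (make_cert, start_server, fetch) and the self-signed certificate are assumptions made for the illustration; it shows VERIFY_NONE accepting the listener's certificate unchecked, and VERIFY_PEER accepting it only when the certificate store passed in contains it.

```ruby
require 'net/http'
require 'openssl'
require 'socket'

# Constructed self-signed certificate standing in for the endpoint's certificate.
def make_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=metrics.example.test')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', 'IP:127.0.0.1'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Minimal local HTTPS listener that answers every request with "{}"; returns its port.
def start_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  tcp = TCPServer.new('127.0.0.1', 0)
  ssl = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      conn = ssl.accept
      nil while (line = conn.gets) && line != "\r\n" # skip the request headers
      conn.print "HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\n{}"
      conn.close
    rescue StandardError
      next # a client that rejects the certificate aborts the handshake
    end
  end
  tcp.addr[1]
end

# GET / with no client cert or key set; returns the status code, or :rejected.
def fetch(port, verify_mode, store)
  http = Net::HTTP.new('127.0.0.1', port, nil) # nil: ignore proxy environment variables
  http.use_ssl = true
  http.verify_mode = verify_mode
  http.cert_store = store
  http.get('/').code
rescue OpenSSL::SSL::SSLError
  :rejected
end
```

With cert from make_cert and port from start_server, fetch returns '200' under VERIFY_NONE with an empty store, :rejected under VERIFY_PEER with an empty store, and '200' under VERIFY_PEER once the store holds cert.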