Fixes #34875: Prevent certs regeneration on every installer run #764

Merged on May 19, 2022 (1 commit)

ehelms (Member) commented May 6, 2022

Given answers are stored, if a user supplies --certs-regenerate then
every installer run thereafter will regenerate certificates. Ensure this
value is reset after installation run.

evgeni (Member) commented May 6, 2022

forgeapi-cdn.puppet.com seems broken (I had similar results locally yesterday), shall we switch to forgeapi.puppet.com for the time being?

ehelms (Member, Author) commented May 6, 2022

This is rather tricky, as it has to be done after the installation run but it requires altering and then re-saving the answers again. Here is a version that works, we should just double think about the potential issues, if any.

ehelms marked this pull request as ready for review May 6, 2022 18:45

ehelms (Member, Author) commented May 6, 2022

> forgeapi-cdn.puppet.com seems broken (I had similar results locally yesterday), shall we switch to forgeapi.puppet.com for the time being?

What's the difference between the two?

evgeni (Member) commented May 6, 2022

> > forgeapi-cdn.puppet.com seems broken (I had similar results locally yesterday), shall we switch to forgeapi.puppet.com for the time being?
>
> What's the difference between the two?

cdn supports v6

#735

evgeni (Member) commented May 10, 2022

> cdn supports v6

turns out, forgeapi also now points at cloudfront and does v6: https://twitter.com/zhenech/status/1523984052033933312 & https://twitter.com/binford2k/status/1524027541270540289

evgeni (Member) commented May 13, 2022

How does that affect the certs-proxy scenario, where we always want to regen stuff?

(see #608 for details)

ehelms (Member, Author) commented May 13, 2022

certs-proxy generate uses its own configuration with its own hooks directory. So it will now encounter this post hook.

evgeni (Member) commented May 13, 2022

> certs-proxy generate uses its own configuration with its own hooks directory. So it will now encounter this post hook.

Good, I wasn't too sure about all those configs.

ehelms (Member, Author) commented May 13, 2022

https://github.com/theforeman/foreman-installer/blob/develop/katello_certs/config/foreman-proxy-certs.yaml

Since no hooks are defined here, it has only the default hooks directory which is rooted based on the :installer_dir. So it resolves as :installer_dir/hooks which would be https://github.com/theforeman/foreman-installer/tree/develop/katello_certs/hooks

ehelms merged commit e28a519 into theforeman:develop May 19, 2022