Fixes #6566 - If the certname does not match the hostname, nil the certname #1604
Conversation
domcleal
changed the title
|
Could you amend the commit message to "#6566" so Redmine picks up the ticket number? Thanks. |
|
[test] |
|
How does the new cert get to the host? I can see a problem with duplicate hosts showing up in foreman if we're not careful. Consider this:
Are we saying it's the users problem to create a new cert matching the new certname? With both values altered at once, Foreman has no way to identify the new host, whereas until now the certname remains the common identifier. |
|
Oh I'm being a fool, aren't I? This is only during orchestration? |
|
Yes, this is only at orchestration time. When you put the host into Build mode, Foreman sends a command to the Puppet smart-proxy to invalidate the certificate for |
| if !Setting[:use_uuid_for_certificates] && Foreman.is_uuid?(certname) | ||
| # If use_uuid_for_certificates is true, reuse the certname UUID value. | ||
| # If false, then reset the certname if it does not match the hostname. | ||
| if (Setting[:use_uuid_for_certificates] ? !Foreman.is_uuid?(certname) : certname != hostname) | ||
| logger.info "Removing UUID certificate value #{certname} for host #{name}" |
There was a problem hiding this comment.
Nitpick, we should probably change this log message to say something like: "Removing old certificate value #{certname} for host #{name} as it's out of date"
There was a problem hiding this comment.
I removed 'UUID' from the comment and rebased.
|
Looks good to me - are you happy with the change @GregSutcliffe? |
If use_uuid_for_certificates is true, reuse the certname UUID value. If false, then reset the certname if it does not match the hostname.
|
I guess my only query, and it's not a bad one, is this: with this in place, is there any value to uuid_certnames? It seems like this is a nicer fix to the problem that uuid certnames was originally implemented for (where hosts want to change hostname because the CR created them with something random). |
|
I think so, because this change is only when doing orchestration or reprovisioning. uuid_certnames are still useful for hostname changes while a host is running, e.g. a roaming laptop or multi-homed host with an identity crisis. |
|
That's a very good point. In any case, this is good to go 👍 |
Resolves http://projects.theforeman.org/issues/6566 by generalizing the solution from http://projects.theforeman.org/issues/3222