Auth crl allow #139

Merged
merged 2 commits into from Mar 5, 2014
ekohl
Member

@ekohl ekohl commented Feb 25, 2014

This patch first refactors puppet::config a bit to make it easier to extend. It also adds fairly minimal tests. The next patch adds an auth_crl_allow parameter. http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-proxy-certificate-traffic states the following should be present in auth.conf if using a puppet ca proxy:

path /certificate_revocation_list
auth any
method find
allow *

In my testing /certificate_revocation_list/ca was sufficient.
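
An added example, not part of the PR or the module's code: a small audit that parses a legacy auth.conf and reports stanzas usable by any host without a certificate, distinguishing the guide's path from the narrower one the author reports testing. The sample file, the function names and the verdict labels are assumptions made for illustration.

```python
import re

# Constructed sample auth.conf (not taken from the PR or the module).
SAMPLE = """\
path /certificate_revocation_list
auth any
method find
allow *
path /certificate_revocation_list/ca
auth any
method find
allow *
path /catalog
allow $1
"""

CRL_NARROW = "/certificate_revocation_list/ca"  # sufficient in the author's testing
CRL_BROAD = "/certificate_revocation_list"      # path from the quoted guide

def parse_auth_conf(text):
    """Split legacy auth.conf text into stanzas keyed by directive name."""
    stanzas = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "path":
            stanzas.append({"path": value.strip()})
        elif stanzas:  # a directive belongs to the most recent path
            stanzas[-1].setdefault(key, []).extend(re.findall(r"[^,\s]+", value))
    return stanzas

def open_rules(text):
    """Return (path, verdict) for stanzas any host can use without a certificate."""
    findings = []
    for s in parse_auth_conf(text):
        unauth = bool({"any", "no", "off"} & set(s.get("auth", ["yes"])))
        if not (unauth and "*" in s.get("allow", [])):
            continue
        read_only = set(s.get("method", [])) == {"find"}
        if read_only and s["path"] == CRL_NARROW:
            verdict = "ok"
        elif read_only and s["path"] == CRL_BROAD:
            verdict = "narrow"  # plain paths match as prefixes; CRL_NARROW is tighter
        else:
            verdict = "alert"   # unauthenticated access beyond reading the CRL
        findings.append((s["path"], verdict))
    return findings

print(open_rules(SAMPLE))
```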

@@ -298,8 +303,8 @@
validate_string($ca_server)
validate_string($server_external_nodes)

class { 'puppet::config': } ->
Class['puppet']
include ::puppet::config
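
Review bot: the ordering arrow is lost at the end of this hunk: `class { 'puppet::config': } -> Class['puppet']` becomes a bare `include ::puppet::config`, so nothing here declares the relationship between puppet::config and Class['puppet'] any more. If that ordering is still needed, keep it explicit, for example `Class['puppet::config'] -> Class['puppet']` after the include; if it was redundant, say so in the commit message.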

Member

Why change this to an include? a standard class definition works the same way...

Member Author

True, but this is leftover from a test to see if I could use puppet::config params in the tests instead of puppet. That didn't work. It is now consistent with agent and server a few lines below so I didn't bother changing it back.

Member

Fair point. Not opposed to it, just curious.

@GregSutcliffe
Member

Untested but seems like it should work :)

@@ -199,6 +199,9 @@
# Valid values are 'v2' for latest, and 'v1'
# for Foreman =< 1.2
#
# $allow_any_crl:: Allow any authentication for the CRL. This
# is needed for the puppet CA proxy.
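
Review bot: the description of `$allow_any_crl` does not say what the default is or which auth.conf path it opens, and the name differs from the `auth_crl_allow` given in the PR description. Since the option relaxes authentication for a master endpoint, state the default, the exact path covered (the description reports that /certificate_revocation_list/ca was sufficient), and that it is intended only for setups using a puppet CA proxy.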

Contributor

Missing type:boolean for kafo

http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-proxy-certificate-traffic
states the following should be present in auth.conf if using a puppet ca
proxy:

path /certificate_revocation_list
auth any
method find
allow *

In my testing /certificate_revocation_list/ca was sufficient.
@ekohl
Member Author

ekohl commented Mar 5, 2014

Updated & rebased.

@domcleal domcleal merged commit 11e65eb into theforeman:master Mar 5, 2014
@domcleal
Contributor

domcleal commented Mar 5, 2014

Merged, thanks @ekohl!

@ekohl ekohl deleted the auth-crl-allow branch March 5, 2014 11:33