Auth crl allow #139
@@ -298,8 +303,8 @@ | |||
validate_string($ca_server) | |||
validate_string($server_external_nodes) | |||
|
|||
class { 'puppet::config': } -> | |||
Class['puppet'] | |||
include ::puppet::config |
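Review bot: Replacing the declaration "class { 'puppet::config': } -> Class['puppet']" with "include ::puppet::config" drops the explicit ordering arrow toward Class['puppet']. If anything in the puppet class still relies on puppet::config being applied first, keep the relationship as a separate chain statement next to the include; if the ordering was redundant, say so in the commit message so the removal reads as intentional.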
Why change this to an include? A standard class definition works the same way...
True, but this is leftover from a test to see if I could use puppet::config params in the tests instead of puppet. That didn't work. It is now consistent with agent and server a few lines below so I didn't bother changing it back.
Fair point. Not opposed to it, just curious.
Untested but seems like it should work :)
@@ -199,6 +199,9 @@ | |||
# Valid values are 'v2' for latest, and 'v1' | |||
# for Foreman =< 1.2 | |||
# | |||
# $allow_any_crl:: Allow any authentication for the CRL. This | |||
# is needed for the puppet CA proxy. |
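Review bot: The $allow_any_crl description does not state the default or what the setting opens up. Because it relaxes authentication on the CRL endpoint, the doc line should give the default value and name the auth.conf path and method the rule applies to, so operators who do not run a CA proxy know to leave it disabled.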
Missing type:boolean for kafo
http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-proxy-certificate-traffic states the following should be present in auth.conf if using a puppet ca proxy:
path /certificate_revocation_list
auth any
method find
allow *
In my testing /certificate_revocation_list/ca was sufficient.
Updated & rebased.
Merged, thanks @ekohl!
This patch first refactors puppet::config a bit to make it easier to extend. It also adds fairly minimal tests. The next patch adds an auth_crl_allow parameter. http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-proxy-certificate-traffic states the following should be present in auth.conf if using a puppet ca proxy:
path /certificate_revocation_list
auth any
method find
allow *
In my testing /certificate_revocation_list/ca was sufficient.
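The auth.conf rule quoted above is intentionally open (auth any, allow *), so it is worth confirming that no other stanza in the same file is equally open. The following is an added example, not part of this PR or the module: a small audit of legacy auth.conf text, in which the sample stanzas, the function names and the expected_open policy are constructed for illustration.

```python
"""Audit legacy Puppet auth.conf text for stanzas open to any client."""

# Constructed sample: the CRL stanza from the PR, plus one over-broad stanza
# added for contrast. Not taken from the module's template.
SAMPLE = """\
# CRL for agents behind the CA proxy
path /certificate_revocation_list/ca
auth any
method find
allow *

path /certificate_status
auth any
method find, save, destroy
allow *
"""

READ_ONLY = {"find", "search"}


def parse_stanzas(text):
    """Return one dict per 'path' stanza; directive values become lists."""
    stanzas = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0], parts[1].strip() if len(parts) > 1 else ""
        if key == "path":
            stanzas.append({"path": value})
        elif stanzas:
            values = [v.strip() for v in value.split(",") if v.strip()]
            stanzas[-1].setdefault(key, []).extend(values)
    return stanzas


def audit(text, expected_open=("/certificate_revocation_list",)):
    """Flag 'auth any' + 'allow *' stanzas outside the assumed policy."""
    findings = []
    for s in parse_stanzas(text):
        if "any" not in s.get("auth", []) or "*" not in s.get("allow", []):
            continue
        methods = set(s.get("method", []))
        # An omitted 'method' line applies the rule to every method.
        if not methods or not methods <= READ_ONLY:
            findings.append((s["path"], "any client, not limited to read methods"))
        elif not s["path"].startswith(expected_open):
            findings.append((s["path"], "any client, unexpected path"))
    return findings
```

Both the broader /certificate_revocation_list path and the narrower /certificate_revocation_list/ca path pass the audit as long as the stanza keeps method find.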