Support passing puppetdb certificates via environment variables

[SeanHood]

Closes #669

Adds support for passing certificates and keys to the following environment variables:

• PUPPETDB_SSL_VERIFY
• PUPPETDB_KEY
• PUPPETDB_CERT

I have tested this in my own environment as per the issue. With the container running in AWS Fargate, certificates being passed as env vars from AWS SSM Parameter store.

I had ran into a couple edge cases where the shell was breaking the new lines. These feel like general environment variable edge cases and not so much an issue with this code.

[codecov]

Codecov Report

Merging #671 (c32bd58) into master (2d5e44a) will increase coverage by 0.19%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master     #671      +/-   ##
==========================================
+ Coverage   88.12%   88.32%   +0.19%     
==========================================
  Files          18       18              
  Lines         943      959      +16     
==========================================
+ Hits          831      847      +16     
  Misses        112      112              

Impacted Files	Coverage Δ
puppetboard/docker_settings.py	100.00% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2d5e44a...c32bd58. Read the comment docs.

[gdubicki]

Thanks @SeanHood!

If this works for you then we can merge it. But if you write that:

I had ran into a couple edge cases where the shell was breaking the new lines. These feel like general environment variable edge cases and not so much an issue with this code.

...then perhaps you should consider implementing support for base64-encoded strings, without line wrapping, as input? This is a common solution for passing file contents in a env variables when the file may contain new lines and you want to avoid having them in the variable because it causes problems. (Yes, I know that the certificates in PEM are internally base64-encoded too but they DO have wrapped lines and thus the new lines.)

[SeanHood]

That's a good shout, I'll add that to this PR.

As for where I've put this code does it make sense?

[gdubicki]

As for where I've put this code does it make sense?

Yes, for this purpose it makes perfect sense.

(Of course we could start a long design discussion that because it could be useful for non-dockerized Puppetboard, it should be moved out of docker_settings.py. Or that it should rather be implemented in the upstream pypuppetdb. Or that we should consider using something more secure than /tmp to keep the certificates (especially in non-dockerized env, with other processes possibly running on the host), so maybe we should use memory-tempfile module and so on and on, but this would be overdesign at this point. We can get back to these ideas in the future, when more people will be interested in the feature. 😊)

[gdubicki]

Please also add docs update, @SeanHood.

[SeanHood]

As for where I've put this code does it make sense?

Yes, for this purpose it makes perfect sense.

(Of course we could start a long design discussion that because it could be useful for non-dockerized Puppetboard, it should be moved out of docker_settings.py. Or that it should rather be implemented in the upstream pypuppetdb. Or that we should consider using something more secure than /tmp to keep the certificates (especially in non-dockerized env, with other processes possibly running on the host), so maybe we should use memory-tempfile module and so on and on, but this would be overdesign at this point. We can get back to these ideas in the future, when more people will be interested in the feature. 😊)

100% onboard with you there.

[gdubicki]

Thanks for the code, @SeanHood, and for the code review, @russellcain!