Jira (PUP-7737) Add HTTP report processor setting for including system truststore


Jeremy Barlow (JIRA)

Jun 27, 2017, 8:23:02 PM
to puppe...@googlegroups.com
Jeremy Barlow created an issue
 
Puppet / Task PUP-7737
Add HTTP report processor setting for including system truststore
Issue Type: Task
Assignee: Unassigned
Created: 2017/06/27 5:22 PM
Priority: Normal
Reporter: Jeremy Barlow

This ticket is dependent upon the work being discussed in SERVER-1543 and PUP-5069 to enhance Puppet::Network::HttpPool with configurable support for setting whether or not the "system" truststore should be included for HTTP client requests. For this ticket, we would introduce a new Puppet setting that the HTTP report processor would use to control how the corresponding HttpPool setting is configured.

We'll need to decide what the default for the setting would be. As Charlie Sharpsteen argued in this comment in SERVER-1543, it may make sense to set this to "true" by default to make it easier for users to use the HTTP report processor with an externally hosted receiver which is using a cert issued outside of Puppet's PKI, e.g., on a public AWS instance. Defaulting to "true" may constitute a security risk for users accustomed to only having the Puppet PKI cert bundle used.

 
This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

Moses Mendoza (JIRA)

Aug 1, 2017, 6:55:02 PM
to puppe...@googlegroups.com

Moses Mendoza (JIRA)

Aug 9, 2017, 2:45:04 PM
to puppe...@googlegroups.com

Karen Van der Veer (JIRA)

Sep 18, 2017, 5:49:03 PM
to puppe...@googlegroups.com
Karen Van der Veer updated an issue
Change By: Karen Van der Veer
Sprint: Platform Core  Hopper  Grooming

Justin Stoller (JIRA)

Dec 8, 2017, 7:10:06 PM
to puppe...@googlegroups.com
Justin Stoller updated an issue
Change By: Justin Stoller
Sprint: Platform Core Grooming

Josh Cooper (JIRA)

Mar 16, 2018, 3:02:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sub-team: Server Coremunity

Jorie Tappa (JIRA)

Jan 27, 2020, 1:22:06 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Mar 2, 2020, 12:59:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Coremunity Grooming

Josh Cooper (Jira)

Mar 2, 2020, 5:47:03 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Mar 4, 2020, 4:51:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Acceptance Criteria: Add a puppet setting to include the system CA store when posting the report to an HTTPS URL.

If enabled, pass {{include_system_store: true}} in the call to {{Client#post}}.

For this ticket, it will only affect when the {{http}} report processor is used in puppet apply. A separate SERVER ticket will be needed to update puppetserver's HTTP client implementation.

Josh Cooper (Jira)

Mar 13, 2020, 7:39:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Coremunity Grooming Hopper

Josh Cooper (Jira)

Mar 24, 2020, 7:41:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Acceptance Criteria: Add a {{report_include_system_store}} puppet setting to include the system CA store when posting the report to an HTTPS URL. It should default to false.

If enabled, update the http report processor to pass {{include_system_store: true}} in the call to {{Client#post}}. Update the `spec/integration/application/apply_spec.rb` to verify this works when the HTTPS server is not the puppet CA, but is in the system store.

For this ticket, it will only affect when the {{http}} report processor is used in puppet apply. A separate SERVER ticket will be needed to update puppetserver's HTTP client implementation.

Josh Cooper (Jira)

Mar 24, 2020, 11:23:03 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Mar 24, 2020, 11:23:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Coremunity Hopper Platform Core KANBAN

Melissa Stone (Jira)

Mar 26, 2020, 2:38:03 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Mar 26, 2020, 7:59:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes: Enhancement
Release Notes Summary: The "http" report processor forwards puppet reports to the report server based on the Puppet[:reporturl] setting. If an HTTPS URL is specified, then up until now, the processor would only trust the puppet CA when verifying the server's SSL certificate. This change adds a Puppet[:report_include_system_store] setting, which defaults to false. If set to true, the report processor will trust CA certificates in the puppet-agent CA bundle in addition to the puppet CA. This change only affects the "http" processor when running in the context of "puppet apply". A separate change will be made in puppetserver, so that the "http" processor behaves the same as "puppet apply".
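
The trust difference described in the release note above, as an added example that is not part of the ticket and is not Puppet's own code: a receiver certificate issued outside the Puppet PKI is rejected by a Puppet-CA-only store and accepted once the extra bundle is included. `make_cert`, `trust_store` and `demo` are hypothetical helpers, all certificates are constructed test data, and `system_cas` stands in for the system bundle so the result is deterministic offline.

```ruby
require 'openssl'

# Constructed test PKI: returns [cert, key]; self-signed CA when no issuer is given.
def make_cert(cn, issuer = nil, issuer_key = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if issuer.nil? # root certificate: mark it as a CA
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Hypothetical helper: the Puppet CA is always trusted; the additional bundle
# is trusted only when include_system_store is true (the ticket's default is false).
def trust_store(puppet_ca, include_system_store:, system_cas: nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(puppet_ca)
  if include_system_store
    # Without a stand-in list, load the OpenSSL default CA file and directory.
    system_cas ? system_cas.each { |c| store.add_cert(c) } : store.set_default_paths
  end
  store
end

def demo
  puppet_ca, puppet_key = make_cert('Constructed Puppet CA')
  public_ca, public_key = make_cert('Constructed Public CA')
  external, = make_cert('reports.example.test', public_ca, public_key)
  internal, = make_cert('puppet-internal.example.test', puppet_ca, puppet_key)
  strict = trust_store(puppet_ca, include_system_store: false)
  wide   = trust_store(puppet_ca, include_system_store: true, system_cas: [public_ca])
  {
    external_default: strict.verify(external), # outside Puppet PKI, setting off
    external_enabled: wide.verify(external),   # outside Puppet PKI, setting on
    internal_default: strict.verify(internal), # Puppet-issued, setting off
    internal_enabled: wide.verify(internal)    # Puppet-issued, setting on
  }
end
```

With the setting enabled, every CA in the added bundle can vouch for the report receiver, which is the wider trust the issue description weighs when choosing the default.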

Josh Cooper (Jira)

Mar 30, 2020, 7:38:06 PM
to puppe...@googlegroups.com

Claire Cadman (Jira)

Apr 6, 2020, 9:38:03 AM
to puppe...@googlegroups.com