Jira (PUP-10617) Request to status endpoint not using extra_headers setting


David Moreno García

Aug 12, 2020, 10:01:06 AM
to puppe...@googlegroups.com
David Moreno García created an issue
 
Puppet / New Feature PUP-10617
Request to status endpoint not using extra_headers setting
Issue Type: New Feature
Affects Versions: PUP 6.y
Assignee: Unassigned
Created: 2020/08/12 7:00 AM
Priority: Normal
Reporter: David Moreno García

When using server_list, Puppet 6 adds a new request to validate that the server is listening. This request is done by using Puppet::HTTP::Client which, in opposition to Puppet::HTTP::Service, doesn't have a proper way to handle the extra_headers setting.

This supposes a problem as I'm redirecting the traffic based on that header. As the header is not present in status requests, the catalog compilation doesn't go through.

For more information on the extra_header setting refer to PUP-9566.

This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)

David Moreno García

Aug 12, 2020, 10:02:03 AM
to puppe...@googlegroups.com
David Moreno García updated an issue
Change By: David Moreno García
When using server_list, Puppet 6 adds a [new request|https://github.com/puppetlabs/puppet/blob/eadd5474c26e7d28d90de00b9d7a7545ac10e55d/lib/puppet/http/resolver/server_list.rb#L61] to validate that the server is listening. This request is done by using [Puppet::HTTP::Client|https://github.com/puppetlabs/puppet/blob/main/lib/puppet/http/client.rb] which, in opposition to [Puppet::HTTP::Service|https://github.com/puppetlabs/puppet/blob/main/lib/puppet/http/service.rb], doesn't have a [proper way to handle the extra_headers setting|https://github.com/puppetlabs/puppet/blob/main/lib/puppet/http/service.rb#L110].

This supposes a problem as I'm redirecting the traffic based on that header. As the header is not present in status requests, the catalog compilation doesn't go through.

For more information on the extra_header setting refer to [PUP-9566|https://tickets.puppetlabs.com/browse/PUP-9566].

David Moreno García

Aug 12, 2020, 10:04:02 AM
to puppe...@googlegroups.com
David Moreno García updated an issue
When using server_list, Puppet 6 adds a [new request|https://github.com/puppetlabs/puppet/blob/eadd5474c26e7d28d90de00b9d7a7545ac10e55d/lib/puppet/http/resolver/server_list.rb#L61] to validate that the server is listening. This request is done by using [Puppet::HTTP::Client|https://github.com/puppetlabs/puppet/blob/main/lib/puppet/http/client.rb] which, in opposition to [Puppet::HTTP::Service|https://github.com/puppetlabs/puppet/blob/main/lib/puppet/http/service.rb], doesn't have a [proper way to handle the http_extra_headers setting|https://github.com/puppetlabs/puppet/blob/main/lib/puppet/http/service.rb#L110].

This supposes a problem as I'm redirecting the traffic based on that header. As the header is not present in status requests, the catalog compilation doesn't go through.

For more information on the extra_header setting refer to PUP-9566.

Josh Cooper (Jira)

Aug 17, 2020, 2:10:04 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Aug 20, 2020, 2:09:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on New Feature PUP-10617
 
Re: Request to status endpoint not using extra_headers setting

The compiler service should expose a method for querying the simple status endpoint, and the server_list resolver should call that instead of making a "raw" HTTPS request.
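
The difference between the raw status probe and a probe made through a service that applies the configured headers, as an added example that is not part of the thread and is not Puppet's code. The class names, the `X-Route-To` header and its value are hypothetical; only the status path and the `get_simple_status` name appear in the thread.

```ruby
# Constructed model of the PUP-10617 behaviour. Class names are hypothetical
# stand-ins, not Puppet's real Puppet::HTTP::Client / Puppet::HTTP::Service.
STATUS_PATH = '/status/v1/simple/master' # path taken from the log in this thread
EXTRA_HEADERS = { 'X-Route-To' => 'compilers-blue' }.freeze # constructed value

# Stand-in for a front end that routes on a header and rejects requests without it.
class HeaderRoutingProxy
  attr_reader :seen
  def initialize(required_header)
    @required_header = required_header
    @seen = []
  end
  def handle(path, headers)
    @seen << [path, headers]
    headers.key?(@required_header) ? 200 : 404
  end
end

# Low-level client: sends exactly the headers it is handed, nothing more.
class RawClient
  def initialize(proxy)
    @proxy = proxy
  end
  def get(path, headers: {})
    @proxy.handle(path, headers)
  end
end

# Service wrapper: merges the configured extra headers into every request.
class CompilerService
  def initialize(client, extra_headers)
    @client = client
    @extra_headers = extra_headers
  end
  def get_simple_status(headers: {})
    @client.get(STATUS_PATH, headers: @extra_headers.merge(headers))
  end
end

# The resolver's liveness probe, raw (before) and through the service (after).
def probe_raw(client)
  client.get(STATUS_PATH) == 200
end

def probe_via_service(service)
  service.get_simple_status == 200
end
```
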

Josh Cooper (Jira)

Aug 21, 2020, 3:01:08 AM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Aug 21, 2020, 3:01:08 AM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Aug 21, 2020, 3:04:03 AM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Aug 21, 2020, 6:41:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes: Bug Fix
Release Notes Summary: If http_extra_headers is set, puppet will send those headers for each HTTP request it makes when processing the server_list setting, to determine which server to use.

Josh Cooper (Jira)

Aug 26, 2020, 12:22:03 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Aug 26, 2020, 12:22:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Issue Type: Bug (changed from New Feature)

Josh Cooper (Jira)

Aug 28, 2020, 3:01:08 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10617
 
Re: Request to status endpoint not using extra_headers setting

This causes failures if server_list is set and you run puppet ssl bootstrap with an empty ssl directory:

Debug: Loading CA certs
Debug: Loading CRLs
Debug: Loading/generating private key
Debug: Generating and submitting a CSR
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for unwed-derelict.delivery.puppetlabs.net
Info: Certificate Request fingerprint (SHA256): 15:E8:87:8D:E9:91:D4:D2:F4:00:3F:8C:25:F5:68:8F:EF:5B:0B:25:47:55:B2:5F:FB:93:81:6D:C7:90:19:4F
Debug: Resolving service 'ca' using Puppet::HTTP::Resolver::ServerList
Error: Failed to initialize SSL: The client certificate is missing from '/etc/puppetlabs/puppet/ssl/certs/unwed-derelict.delivery.puppetlabs.net.pem'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/x509/cert_provider.rb:250:in `load_client_cert'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/ssl_provider.rb:152:in `load_context'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:254:in `block in base_context'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:164:in `lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:54:in `lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:306:in `lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/http/client.rb:400:in `resolve_ssl_context'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/http/client.rb:79:in `connect'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/http/client.rb:305:in `execute_streaming'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/http/client.rb:129:in `get'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/http/service/puppetserver.rb:27:in `get_simple_status'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/http/resolver/server_list.rb:63:in `block in resolve'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/http/resolver/server_list.rb:57:in `each'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/http/resolver/server_list.rb:57:in `resolve'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/http/session.rb:72:in `block in route_to'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/http/session.rb:70:in `each'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/http/session.rb:70:in `route_to'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:216:in `next_state'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:472:in `run_step'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:449:in `block in run_machine'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:448:in `loop'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:448:in `run_machine'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:418:in `ensure_client_certificate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/ssl.rb:143:in `main'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:390:in `run_command'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `block in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:735:in `exit_on_fail'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:143:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
/opt/puppetlabs/puppet/bin/puppet:5:in `<main>'
Error: Run `puppet agent -t`
Debug: Unable to connect to server from server_list setting: Request to https://gold-quality.delivery.puppetlabs.net:8140/status/v1/simple/master failed after 0.002 seconds: The client certificate is missing from '/etc/puppetlabs/puppet/ssl/certs/unwed-derelict.delivery.puppetlabs.net.pem'
Error: Could not select a functional puppet master from server_list: 'gold-quality.delivery.puppetlabs.net'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/http/resolver/server_list.rb:78:in `resolve'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/http/session.rb:72:in `block in route_to'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/http/session.rb:70:in `each'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/http/session.rb:70:in `route_to'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:216:in `next_state'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:472:in `run_step'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:449:in `block in run_machine'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:448:in `loop'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:448:in `run_machine'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:418:in `ensure_client_certificate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/ssl.rb:143:in `main'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:390:in `run_command'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `block in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:735:in `exit_on_fail'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:143:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
/opt/puppetlabs/puppet/bin/puppet:5:in `<main>'
Info: Will try again in 120 seconds.

Josh Cooper (Jira)

Aug 29, 2020, 2:27:03 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Aug 31, 2020, 2:35:02 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10617

Passed in 426e375a4bf0d08de1b84f0439f5259c6a415e11. Waiting for PE validation before resolving.

Josh Cooper (Jira)

Sep 2, 2020, 12:56:02 AM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Sep 3, 2020, 1:30:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10617

Passed in 3b720e6e2e. Waiting for PE validation before resolving

Claire Cadman (Jira)

Oct 12, 2020, 9:20:03 AM
to puppe...@googlegroups.com