Jira (PUP-10720) Update `cadir` default to return the new location post-migration


Maggie Dreyer (Jira)

Oct 15, 2020, 7:01:03 PM
to puppe...@googlegroups.com
Maggie Dreyer created an issue
 
Puppet / Task PUP-10720
Update `cadir` default to return the new location post-migration
Issue Type: Task
Assignee: Unassigned
Created: 2020/10/15 4:00 PM
Priority: Normal
Reporter: Maggie Dreyer

In order to make the transition to the new CA dir location as seamless as possible, we want to put some special logic into the default calculation for the cadir setting in Puppet.

If the setting is not configured by the user (default, use lambda):

  • and the files are in the old default spot, warn and prompt users to migrate. Return the old default (/etc/puppetlabs/puppet/ssl/ca)
  • and there are no CA files (new install) or CA files in the new location, return the new location (/etc/puppetlabs/puppetserver/ca).

If the setting is configured by the user (custom, use hook (example)):

  • and points to a location within the SSL dir, warn and prompt migration
  • and points to a location outside the SSL dir, use it as-is.

Maggie Dreyer (Jira)

Oct 15, 2020, 7:02:03 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
In order to make the transition to the new CA dir location as seamless as possible, we want to put some special logic into the default calculation for the {{cadir}} setting in Puppet, that will make it return the new location after the CA has been migrated, and warn otherwise.

If the setting is not configured by the user ([default|https://github.com/puppetlabs/puppet/blob/e0746ca619fac312b86e26b4a1f73db70b146947/lib/puppet/defaults.rb#L1094], use lambda):
* and the files are in the old default spot, warn and prompt users to migrate. Return the old default (/etc/puppetlabs/puppet/ssl/ca)
* and there are no CA files (new install) or CA files in the new location, return the new location (/etc/puppetlabs/puppetserver/ca).

If the setting is configured by the user (custom, use hook ([example|https://github.com/puppetlabs/puppet/blob/main/lib/puppet/defaults.rb#L133])):
* and points to a location within the SSL dir, warn and prompt migration
* and points to a location _outside_ the SSL dir, use it as-is.

Josh Cooper (Jira)

Oct 16, 2020, 12:58:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on Task PUP-10720
 
Re: Update `cadir` default to return the new location post-migration

Looks great! One gotcha with hooks is 1) they may be called multiple times and 2) if the cadir setting is defined in the server section, then by default the hook will only be called if the hook is defined using :call_hook => :on_initialize_and_write. If :call_hook is unspecified, then it will default to :on_write_only, which will only call the hook if the value is set in main. I recently ran into this in PUP-9481.
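A worked model of the decision table in the issue description together with the hook gotcha above, added here as an example and not Puppet's own defaults.rb code: the /etc/puppetlabs-style layout under a temporary root, the `ca_crt.pem` marker file used to decide whether "CA files" are present, and the warning wording are assumptions made for illustration, and `migrate!` only mimics the move-plus-symlink behaviour that the later release note describes.

```ruby
require 'fileutils'
require 'set'
require 'tmpdir'

# Added example modelling the cadir default logic described in PUP-10720.
# Not Puppet's own code: the layout, marker file and messages are assumptions.
module CadirDefault
  # +root+ stands in for /etc/puppetlabs. Old default: <root>/puppet/ssl/ca
  # (inside puppet's ssldir). New default: <root>/puppetserver/ca.
  Layout = Struct.new(:ssldir, :old_cadir, :new_cadir)

  def self.layout(root)
    ssldir = File.join(root, 'puppet', 'ssl')
    Layout.new(ssldir, File.join(ssldir, 'ca'), File.join(root, 'puppetserver', 'ca'))
  end

  # Assumption: a CA dir "has CA files" if the CA certificate is in it.
  # File.exist? follows symlinks, so a migrated (symlinked) old dir also counts.
  def self.ca_present?(dir)
    File.exist?(File.join(dir, 'ca_crt.pem'))
  end

  # true if +path+ is +dir+ or lies underneath it (after normalising '..' etc.).
  def self.inside?(path, dir)
    path = File.expand_path(path)
    dir  = File.expand_path(dir)
    path == dir || path.start_with?(dir + File::SEPARATOR)
  end

  # Default case (setting not configured): the lambda that computes cadir.
  # Returns [path, warning_or_nil].
  def self.default_cadir(layout)
    if ca_present?(layout.old_cadir) && !ca_present?(layout.new_cadir)
      [layout.old_cadir,
       "CA files found in #{layout.old_cadir}; run `puppetserver ca migrate` " \
       "to move them to #{layout.new_cadir}"]
    else
      # fresh install, or CA already migrated: the new location wins
      [layout.new_cadir, nil]
    end
  end

  # Custom case (setting configured by the user): the hook. Hooks may run
  # several times, so the warning is remembered and emitted only once per value.
  def self.hook
    warned = Set.new
    lambda do |layout, value|
      if inside?(value, layout.ssldir) && warned.add?(value)
        [value, "cadir #{value} is inside ssldir #{layout.ssldir}; " \
                "migrate it outside the ssldir (e.g. #{layout.new_cadir})"]
      else
        [value, nil] # outside the ssldir, or already warned: use as-is
      end
    end
  end

  # Dispatch as described in the issue: unset -> default lambda, set -> hook.
  def self.resolve(layout, configured = nil, hook: self.hook)
    configured ? hook.call(layout, configured) : default_cadir(layout)
  end

  # --- helpers that build constructed on-disk states for the demo -----------
  def self.write_ca!(dir)
    FileUtils.mkdir_p(dir)
    File.write(File.join(dir, 'ca_crt.pem'), "-----BEGIN CERTIFICATE-----\n(constructed)\n")
  end

  # Mimics what the release note says `puppetserver ca migrate` does: move the
  # directory and leave a symlink at the old location pointing at the new one.
  def self.migrate!(layout)
    FileUtils.mkdir_p(File.dirname(layout.new_cadir))
    FileUtils.mv(layout.old_cadir, layout.new_cadir)
    File.symlink(layout.new_cadir, layout.old_cadir)
  end

  # Walks the three default-case states; returns [path relative to root, warned?].
  def self.demo
    Dir.mktmpdir do |root|
      l = layout(root)
      fresh = default_cadir(l)       # nothing on disk yet
      write_ca!(l.old_cadir)
      legacy = default_cadir(l)      # CA still inside the ssldir
      migrate!(l)
      migrated = default_cadir(l)    # symlink left behind at the old location
      [fresh, legacy, migrated].map { |path, warn| [path.sub(root, ''), !warn.nil?] }
    end
  end
end

puts CadirDefault.demo.inspect if $PROGRAM_NAME == __FILE__
```

Passing the same `hook` object to every `resolve` call is what makes the once-only warning work; a hook re-created per call would warn on every evaluation, which is the repeated-invocation behaviour the comment above cautions about.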

Justin Stoller (Jira)

Oct 26, 2020, 6:08:03 PM
to puppe...@googlegroups.com
Justin Stoller updated an issue
 
Change By: Justin Stoller
In order to make the transition to the new CA dir location as seamless as possible, we want to put some special logic into the default calculation for the {{cadir}} setting in Puppet, that will make it return the new location after the CA has been migrated, and warn otherwise.


If the setting is not configured by the user ([default|https://github.com/puppetlabs/puppet/blob/e0746ca619fac312b86e26b4a1f73db70b146947/lib/puppet/defaults.rb#L1094], use lambda):
* and the files are in the old default spot, warn and prompt users to migrate. Return the old default (/etc/puppetlabs/puppet/ssl/ca)
* and there are no CA files (new install) or CA files in the new location, return the new location (/etc/puppetlabs/puppetserver/ca).

If the setting is configured by the user (custom, use hook ([example|https://github.com/puppetlabs/puppet/blob/main/lib/puppet/defaults.rb#L133])):
* and points to a location within the SSL dir, warn and prompt with a message that encourages migration
* and points to a location _outside_ the SSL dir, use it as-is.

Justin Stoller (Jira)

Oct 26, 2020, 6:10:02 PM
to puppe...@googlegroups.com
Justin Stoller updated an issue
In order to make the transition to the new CA dir location as seamless as possible, we want to put some special logic into the default calculation for the {{cadir}} setting in Puppet, that will make it return the new location after the CA has been migrated, and warn otherwise.

If the setting is not configured by the user ([default|https://github.com/puppetlabs/puppet/blob/e0746ca619fac312b86e26b4a1f73db70b146947/lib/puppet/defaults.rb#L1094], use a Ruby lambda/proc):
* and the files are in the old default spot, warn with a message that encourages users to migrate. Return the old default (/etc/puppetlabs/puppet/ssl/ca)
* and there are no CA files (new install) or CA files in the new location, return the new location (/etc/puppetlabs/puppetserver/ca).

If the setting is configured by the user (custom, use hook ([example|https://github.com/puppetlabs/puppet/blob/main/lib/puppet/defaults.rb#L133])):
* and points to a location within the SSL dir, warn with a message that encourages migration
* and points to a location _outside_ the SSL dir, use it as-is.

Justin Stoller (Jira)

Oct 26, 2020, 6:17:03 PM
to puppe...@googlegroups.com

Justin Stoller (Jira)

Oct 26, 2020, 6:42:03 PM
to puppe...@googlegroups.com

Tony Vu (Jira)

Oct 27, 2020, 3:55:03 PM
to puppe...@googlegroups.com

Justin Stoller (Jira)

Nov 2, 2020, 5:43:04 PM
to puppe...@googlegroups.com
Justin Stoller updated an issue
Change By: Justin Stoller
Sprint: Froyo 11/09/2020 (was Froyo 11/02/2020)

Maggie Dreyer (Jira)

Nov 3, 2020, 4:53:03 PM
to puppe...@googlegroups.com

Tony Vu (Jira)

Nov 3, 2020, 6:35:03 PM
to puppe...@googlegroups.com
Tony Vu updated an issue
Change By: Tony Vu
Release Notes: Deprecation
Release Notes Summary: Beginning in Puppet 7, the default value for the `cadir` setting will be located in the puppetserver conf directory, specifically at /etc/puppetlabs/puppetserver/ca. Previously, the default location was inside puppet's own ssldir. This change will make it safer to delete the puppet's own `ssldir` without accidentally deleting your CA certificates.

The puppetserver ca cli provides a `migrate` command to move the ca directory from the puppet conf to the puppetserver conf. It will leave behind a symlink on the old ca location, pointing to the new location at /etc/puppetlabs/puppetserver/ca. This link will provide backwards compatibility for tools still expecting the cadir to exist in the old location. In a future version of puppet, the cadir setting will be removed entirely.

Josh Cooper (Jira)

Nov 4, 2020, 6:39:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Task PUP-10720
 
Re: Update `cadir` default to return the new location post-migration

Merged to main in ad5b16091d.

Passed CI in f664d6a216

Claire Cadman (Jira)

Nov 9, 2020, 6:52:03 AM
to puppe...@googlegroups.com

Maggie Dreyer (Jira)

Nov 9, 2020, 12:22:02 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Release Notes: Not Needed (was Deprecation)

Maggie Dreyer (Jira)

Nov 9, 2020, 12:22:03 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Release Notes Summary: See SERVER-2896 for release notes. (The earlier summary text, describing the new default location and the `migrate` command, was removed from this field.)