Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

remove superfluous --certs-update-server option #3136

Merged
merged 1 commit into from
Jul 17, 2024
Merged

remove superfluous --certs-update-server option #3136

merged 1 commit into from
Jul 17, 2024

Conversation

dschlenk
Copy link
Contributor

This option is both unnecessary and causes the command to fail

  • I am okay with my commits getting squashed when you merge this PR.
  • I am familiar with the contributing guidelines.

Please cherry-pick my commits into:

  • Foreman 3.11/Katello 4.13
  • Foreman 3.10/Katello 4.12
  • Foreman 3.9/Katello 4.11 (Satellite 6.15; orcharhino 6.8/6.9)
  • Foreman 3.8/Katello 4.10
  • Foreman 3.7/Katello 4.9 (Satellite 6.14)
  • Foreman 3.6/Katello 4.8
  • Foreman 3.5/Katello 4.7 (Satellite 6.13; orcharhino 6.6/6.7)
  • We do not accept PRs for Foreman older than 3.5.

@dschlenk
remove superfluous --certs-update-server option
d13b5a9 
This option is both unnecessary and causes the command to fail
@github-actions GitHub Actions
Copy link

The PR preview for d13b5a9 is available at theforeman-foreman-documentation-preview-pr-3136.surge.sh

The following output files are affected by this PR:

show diff

show diff as HTML

@ehelms
Copy link
Member

ehelms commented Jul 16, 2024

@dschlenk Do you have the error handy?

ekohl
ekohl approved these changes Jul 16, 2024
View reviewed changes
Copy link
Member

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you have a specific error message when you see it fail?

Looking at the code (https://github.com/theforeman/foreman-installer/blob/e4fc6826b87177e7629258ea8b0499ebc0b559ea/hooks/pre/20-certs_update.rb#L7-L26) I can imagine it fails if the build directory doesn't exist yet.

Having said that, I've been wanting to get rid of the whole parameter anyway. IMHO our code should detect if it needs an update and behave accordingly. It's always been a hack, but I don't know if our code is now robust enough to not need it anymore.

The way it works is that we force a generation if the update file exists and afterwards remove it:
https://github.com/theforeman/puppet-certs/blob/94b2b3ecf3a2365f8db2ae965c84b3d2462359bc/lib/puppet/provider/katello_ssl_tool.rb#L43
https://github.com/theforeman/puppet-certs/blob/94b2b3ecf3a2365f8db2ae965c84b3d2462359bc/lib/puppet/provider/katello_ssl_tool.rb#L37

It looks like we simply look for the existence of the files, not the actual content.

So I'd say it's safe to drop in this procedure.

And we can make the code more robust: theforeman/foreman-installer#952

@dschlenk
Copy link
Contributor Author

@ehelms yup:

/usr/share/ruby/fileutils.rb:1150:in `initialize': No such file or directory @ rb_sysopen - /root/ssl-build/<fqdn>/<fqdn>-apache.update (Errno::ENOENT)
        from /usr/share/ruby/fileutils.rb:1150:in `open'
        from /usr/share/ruby/fileutils.rb:1150:in `rescue in block in touch'
        from /usr/share/ruby/fileutils.rb:1146:in `block in touch'
        from /usr/share/ruby/fileutils.rb:1144:in `each'
        from /usr/share/ruby/fileutils.rb:1144:in `touch'
        from /usr/share/foreman-installer/katello-certs/hooks/pre/20-certs_update.rb:13:in `mark_for_update'
        from /usr/share/foreman-installer/katello-certs/hooks/pre/20-certs_update.rb:24:in `block (4 levels) in load'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/hooking.rb:36:in `instance_eval'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/hooking.rb:36:in `block (4 levels) in load'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/hook_context.rb:19:in `instance_eval'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/hook_context.rb:19:in `execute'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/hooking.rb:67:in `block in execute'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/hooking.rb:65:in `each'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/hooking.rb:65:in `execute'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/kafo_configure.rb:488:in `run_installation'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/kafo_configure.rb:220:in `execute'
        from /usr/share/gems/gems/clamp-1.3.2/lib/clamp/command.rb:66:in `run'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/kafo_configure.rb:184:in `run'
        from /usr/share/gems/gems/clamp-1.3.2/lib/clamp/command.rb:140:in `run'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/kafo_configure.rb:54:in `run'
        from /usr/sbin/foreman-proxy-certs-generate:54:in `<main>'
/usr/share/ruby/fileutils.rb:1147:in `utime': No such file or directory @ apply2files - /root/ssl-build/<fqdn>/<fqdn>.com-apache.update (Errno::ENOENT)
        from /usr/share/ruby/fileutils.rb:1147:in `block in touch'
        from /usr/share/ruby/fileutils.rb:1144:in `each'
        from /usr/share/ruby/fileutils.rb:1144:in `touch'
        from /usr/share/foreman-installer/katello-certs/hooks/pre/20-certs_update.rb:13:in `mark_for_update'
        from /usr/share/foreman-installer/katello-certs/hooks/pre/20-certs_update.rb:24:in `block (4 levels) in load'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/hooking.rb:36:in `instance_eval'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/hooking.rb:36:in `block (4 levels) in load'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/hook_context.rb:19:in `instance_eval'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/hook_context.rb:19:in `execute'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/hooking.rb:67:in `block in execute'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/hooking.rb:65:in `each'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/hooking.rb:65:in `execute'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/kafo_configure.rb:488:in `run_installation'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/kafo_configure.rb:220:in `execute'
        from /usr/share/gems/gems/clamp-1.3.2/lib/clamp/command.rb:66:in `run'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/kafo_configure.rb:184:in `run'
        from /usr/share/gems/gems/clamp-1.3.2/lib/clamp/command.rb:140:in `run'
        from /usr/share/gems/gems/kafo-7.4.0/lib/kafo/kafo_configure.rb:54:in `run'
        from /usr/sbin/foreman-proxy-certs-generate:54:in `<main>'

FWIW the instructions for a default TLS certificate do not have this option in the corresponding command. The help text for the option is This option will enforce an update of the HTTPS certificates (default: false) which doesn't seem to be something that would be needed if the goal is just building the tarball that the smart proxy will use.

@ehelms
Copy link
Member

ehelms commented Jul 16, 2024

If we drop this option, and the certs do change, I'm not convinced the new certificates will get deployed into the bundle. I think that is why we always had that option included, to make sure it always ensures the latest version of the custom SSL certificates gets laid down and thus in the bundle.

@dschlenk
Copy link
Contributor Author

@ehelms the command in the certificate renewal section retains the option.
https://github.com/dschlenk/foreman-documentation/blob/d13b5a9874801be79eb98ba657e7a5a873e7b287/guides/common/modules/proc_renewing-a-custom-ssl-certificate-on-smart-proxy.adoc?plain=1#L29C1-L29C24

maximiliankolb
maximiliankolb approved these changes Jul 17, 2024
View reviewed changes
Copy link
Contributor

@maximiliankolb maximiliankolb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution; diff LGTM.

@maximiliankolb maximiliankolb merged commit bc36214 into theforeman:master Jul 17, 2024
7 of 8 checks passed
maximiliankolb pushed a commit that referenced this pull request Jul 17, 2024
@dschlenk @maximiliankolb
Remove superfluous "--certs-update-server" option (#3136)
f53b9f2 
This option is both unnecessary and causes the command to fail.

(cherry picked from commit bc36214)
maximiliankolb pushed a commit that referenced this pull request Jul 17, 2024
@dschlenk @maximiliankolb
Remove superfluous "--certs-update-server" option (#3136)
63deb1f 
This option is both unnecessary and causes the command to fail.

(cherry picked from commit bc36214)
maximiliankolb pushed a commit that referenced this pull request Jul 17, 2024
@dschlenk @maximiliankolb
Remove superfluous "--certs-update-server" option (#3136)
85876cc 
This option is both unnecessary and causes the command to fail.

(cherry picked from commit bc36214)
@maximiliankolb
Copy link
Contributor

Merged to "master" and cherry-picked:
9fe90a4..f53b9f2 3.11 -> 3.11
93baffd..63deb1f 3.10 -> 3.10
6800b51..85876cc 3.9 -> 3.9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maximiliankolb maximiliankolb maximiliankolb approved these changes

@ehelms ehelms ehelms approved these changes

@ekohl ekohl ekohl approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dschlenk @ehelms @maximiliankolb @ekohl