broadinstitute / puppet-certs

SSL Certificate File Management for Puppet
BSD 3-Clause "New" or "Revised" License

Hiera (deep) merge #42

Closed linuxmail closed 5 years ago

linuxmail commented 5 years ago

hi,

we have to change our main certificate and we found an issue with Hiera.

We have something in comon.yaml for all nodes:

certs::sites:
  'example.com':
    service: false
    dhparam: true
    dhparam_content: "%{hiera('example_dh_2048')}"
    dhparam_file: 'dh_2048.pem'
    ca_name: "thawte_tls_ca_g1"
    ca_cert: true
    ca_content: "%{hiera('thawte_digicert_ca_bundle')}"
    cert_chain: true
    chain_path: '/etc/ssl/private'
    chain_name: "example_chain"
    chain_content: "%{hiera('wildcard_example_cert')}%{hiera('thawte_digicert_ca_bundle')}%{hiera('wildcard_example_key')}"
    cert_content: "%{hiera('wildcard_example_cert')}"
    cert_mode: '0640'
    group: 'ssl-cert'
    key_content: "%{hiera('wildcard_example_key')}"
    key_mode: '0640'
    validate_x509: false

Now we also need the same cert on a different path:

certs::sites:
  'pveproxy-ssl':
    service: false
    cert_chain: true
    chain_path: "/etc/pve/nodes/%{::hostname}"
    key_path: "/etc/pve/nodes/%{::hostname}"
    chain_name: "pveproxy-ssl"
    cert_ext: ".pem"
    chain_ext: ".pem"
    ca_ext: ".pem"
    key_mode: '0640'
    cert_mode: '0640'
    owner: 'root'
    group: 'www-data'
    chain_content: "%{hiera('wildcard_example_cert')}%{hiera('thawte_digicert_ca_bundle')}%{hiera('wildcard_example_key')}"
    cert_content: "%{hiera('wildcard_example_cert')}"
    key_content: "%{hiera('wildcard_example_key')}"

Now we get a duplicate declaration for /etc/ssl/certs:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Function Call, Duplicate declaration: File[/etc/ssl/certs] is already declared at (file: /opt/puppet/environments/newmod/modules/certs/manifests/site.pp, line: 340); cannot redeclare (file: /opt/puppet/environments/newmod/modules/certs/manifests/site.pp, line: 340) (file: /opt/puppet/environments/newmod/modules/certs/manifests/site.pp, line: 340, column: 3) (file: /opt/puppet/environments/newmod/modules/certs/manifests/init.pp, line: 202) on node fc-r02-ceph-osd-03

I think the problem is the merge, because the node has the comon.eyaml (with the default cert) and also the other one from role/pmox.yaml. It works if I remove the certs from the comon.eyaml and put pveproxy-ssl and example.com in one yaml file. In that case I have many duplicates in many files, because I can't use the global comon.eyaml for all. Is there a way to get around that problem?

I tried something like:

  "^certs::.*":
    merge:
      strategy: deep
      merge_hash_arrays: true

but that wasn't working.

cu denny

coreone commented 5 years ago

I believe the issue is the different group between the two different certs. ensure_resource is trying to recreate the directory as the group changes between certs. I think we will need to separate the owner/group for the directories so all sites created can match if the paths match.
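To make the two mechanisms in this thread concrete, here is an added example in plain Ruby; it is not code from puppet-certs or puppetlabs-stdlib. It models (1) a Hiera 'deep' merge of trimmed copies of the two YAML fragments above, which does produce both sites, and (2) the ensure_resource() rule from puppetlabs-stdlib: a resource is declared unless an identical one already exists, and the same title with different parameters is a duplicate declaration. The module defaults used by the model (chain_path, key_path, owner, group) are assumptions; only cert_path=/etc/ssl/certs is confirmed by the error message, and %{::hostname} is replaced by a fixed node name.

```ruby
# Added example (not puppet-certs code): a plain-Ruby model of the Hiera
# deep merge and of ensure_resource() semantics from puppetlabs-stdlib.
# Module defaults below are assumptions for the model; only
# cert_path=/etc/ssl/certs is confirmed by the error text in the issue.

class DuplicateDeclaration < StandardError; end

# Hiera 'deep' strategy: nested hashes merge key by key, the overriding
# side wins on scalars, keys unique to either side are kept.
def deep_merge(base, override)
  out = Marshal.load(Marshal.dump(base))
  override.each do |key, value|
    out[key] = if value.is_a?(Hash) && out[key].is_a?(Hash)
                 deep_merge(out[key], value)
               else
                 Marshal.load(Marshal.dump(value))
               end
  end
  out
end

# Minimal stand-in for the catalog that ensure_resource() consults.
class Catalog
  attr_reader :resources

  def initialize
    @resources = {} # [type, title] => params
  end

  def ensure_resource(type, title, params)
    key = [type, title]
    if @resources.key?(key)
      return false if @resources[key] == params # identical: silently skipped
      raise DuplicateDeclaration,
            "Duplicate declaration: #{type}[#{title}] is already declared " \
            "with #{@resources[key]}; cannot redeclare with #{params}"
    end
    @resources[key] = params
    true
  end
end

# Assumed module defaults for the model (see header comment).
DEFAULTS = {
  'cert_path' => '/etc/ssl/certs', 'chain_path' => '/etc/ssl/certs',
  'key_path' => '/etc/ssl/private', 'owner' => 'root', 'group' => 'root'
}.freeze

# Constructed, trimmed copies of the two Hiera fragments in the issue;
# %{::hostname} is replaced by a fixed node name for the model.
COMMON = { 'certs::sites' => { 'example.com' => {
  'chain_path' => '/etc/ssl/private', 'cert_mode' => '0640', 'group' => 'ssl-cert' } } }.freeze
ROLE = { 'certs::sites' => { 'pveproxy-ssl' => {
  'chain_path' => '/etc/pve/nodes/node01', 'key_path' => '/etc/pve/nodes/node01',
  'owner' => 'root', 'group' => 'www-data' } } }.freeze

# Declare the parent directory of every path a site uses, as a defined
# type calling ensure_resource() would. Without dir_owner/dir_group the
# directory inherits the site's owner/group (the behaviour that collides);
# with them set, every site declares a shared directory identically.
def compile_sites(sites, dir_owner: nil, dir_group: nil)
  catalog = Catalog.new
  sites.each_value do |site|
    params = DEFAULTS.merge(site)
    dir_params = { 'ensure' => 'directory',
                   'owner' => dir_owner || params['owner'],
                   'group' => dir_group || params['group'] }
    %w[cert_path chain_path key_path].each do |k|
      catalog.ensure_resource('File', params[k], dir_params)
    end
  end
  catalog
end

# Returns the duplicate-declaration message, or nil when compilation succeeds.
def collision(sites, **dir_ownership)
  compile_sites(sites, **dir_ownership)
  nil
rescue DuplicateDeclaration => e
  e.message
end

if $PROGRAM_NAME == __FILE__
  sites = deep_merge(COMMON, ROLE)['certs::sites']
  puts "merged sites: #{sites.keys.inspect}"
  puts "per-site dir ownership: #{collision(sites)}"
  puts "shared dir ownership:   #{collision(sites, dir_owner: 'root', dir_group: 'root').inspect}"
end
```

Running it shows the merge itself is not the problem: both site keys survive the deep merge, and the failure only appears when the second site declares File[/etc/ssl/certs] with group www-data after the first declared it with group ssl-cert. Giving the shared directory its own owner/group, independent of the per-site cert/key ownership, makes both declarations identical and the collision disappears, which is the separation proposed in the reply above.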