Open sdodson opened 9 years ago
This should prevent activemq and broker from being restarted on each puppet run if someone doesn't specify passwords for these randomly generated passwords. Users should still set common values in multihost environments.
This reminds me of https://github.com/theforeman/puppet-foreman/blob/master/lib/puppet/parser/functions/cache_data.rb but in a separate module.
In case it's unclear, :+1: from me.
Hmm, perhaps we should petition puppetlabs to add that to stdlib, that function seems really useful and more general than secretbox.
@sdodson I did talk about that with other foreman devs but since it stores data on the puppet master it's not compatible with a puppet multi master solution. I do agree such a function would be very good to have in stdlib.
[test] then we'll merge
Origin Test Results: FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests/3166/)
Is this the same issue you were seeing previously where it was pulling the module info from puppet forge instead of the Modulefile and/or metadata.json?
I have a PR outstanding to update the vagrant-openshift plugin (https://github.com/openshift/vagrant-openshift/pull/171) to use the latest puppet from puppetlabs instead of using the one from epel, so maybe that would resolve this issue as well.
@detiber no, as far as I understand it this will make the module (more) usable on continuous puppet runs. Currently every puppet run will change the password to a new random string. By storing the result any subsequent run will use the same random password, if that makes sense.
@detiber Yeah looks like installing a local module on puppet 2.7.5 goes to the forge to resolve dependencies. This may be fixed in puppet 3.0.0 or possibly 3.4.0.
@ekohl I think he was referring to the test run failure which is because it didn't install sdodson/secretbox
Preparing to uninstall 'openshift-openshift_origin' ...
Error: Could not uninstall module 'openshift-openshift_origin'
Module 'openshift-openshift_origin' is not installed
Preparing to install into /etc/puppet/modules ...
Downloading from http://forge.puppetlabs.com ...
Installing -- do not interrupt ...
/etc/puppet/modules
└─┬ openshift-openshift_origin (v4.1.1)
├─┬ arioch-keepalived (v1.0.2)
│ └── puppetlabs-concat (v1.1.2)
├── blentz-selinux_types (v0.1.0)
├── duritong-sysctl (v0.0.4)
├── puppetlabs-haproxy (v1.1.0)
├── puppetlabs-ntp (v3.3.0)
├── puppetlabs-stdlib (v4.4.0)
└── rharrison-lokkit (v0.5.0)
Applying openshift puppet recipe
info: Loading facts in /etc/puppet/modules/concat/lib/facter/concat_basedir.rb
info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/pe_version.rb
info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/puppet_vardir.rb
info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/root_home.rb
info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/facter_dot_d.rb
Unknown function secretbox at /etc/puppet/modules/openshift_origin/manifests/init.pp:818 on node openshift.ec2.internal
I've tested building and installing with everything up through 3.7.3 and all versions call out to the Forge to get the list of dependencies rather than inspecting what's in the tarball. I'll check puppet jira after lunch for relevant issues.
Ok, my testing was bad the first time around. Using puppet 3.6.0 I can build and install from a tarball that has dependencies that aren't in the latest version published to forge.
https://tickets.puppetlabs.com/browse/PUP-1130 deals with this and I'm not sure all the other issues folks have run into in that ticket are resolved, but at least the one we're facing seems to be.
Definitely going to need to build a new ami for origin... @sdodson if you hit me up on Monday I can walk you through it.
Evaluated for origin up to 3fb5fac7e0c2d1749e1b06dd60cc53889a293e51
Secretbox is a function that generates a random password on first call and then retrieves those values for subsequent calls. This works in both master and masterless environments.
See: https://forge.puppetlabs.com/sdodson/secretbox
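
The generate-on-first-call, reuse-afterwards behaviour described above, sketched in Ruby as an added example. This is not the secretbox module's code; `cached_secret`, the store directory and the secret name are assumptions made for illustration.

```ruby
require 'securerandom'
require 'fileutils'
require 'tmpdir'

# Hypothetical helper (not the secretbox implementation): return the secret
# stored under `name`, generating and persisting it on the first call only.
def cached_secret(store_dir, name, length = 24)
  # Reject names that could escape the store directory ("../x", "/etc/x").
  unless name.match?(/\A[A-Za-z0-9][A-Za-z0-9_.-]*\z/)
    raise ArgumentError, "invalid secret name: #{name.inspect}"
  end

  FileUtils.mkdir_p(store_dir, mode: 0o700)
  path = File.join(store_dir, name)
  # Later runs reuse the stored value, so rendered config files stay the
  # same and the services that depend on them are not restarted.
  return File.read(path) if File.exist?(path)

  secret = SecureRandom.alphanumeric(length)
  tmp = "#{path}.#{SecureRandom.hex(8)}.tmp"
  begin
    # Write the full value to a private temp file first (mode 0600, O_EXCL),
    # so the secret is never world-readable and never half-written.
    File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
      f.write(secret)
    end
    # A hard link is atomic and fails if `path` already exists, so two
    # concurrent first runs cannot end up with different values.
    File.link(tmp, path)
    secret
  rescue Errno::EEXIST
    File.read(path) # another run stored its value first; use that one
  ensure
    File.delete(tmp) if File.exist?(tmp)
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    # Constructed secret name, for demonstration only.
    first  = cached_secret(dir, 'activemq_admin_password')
    second = cached_secret(dir, 'activemq_admin_password')
    puts "stable across runs: #{first == second}"
  end
end
```

The value lives on the local disk of whichever host evaluates the function, so separate hosts each generate their own, which is why the description still asks for common values in multihost environments.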