pivotal-cf / om

General command line utility for working with VMware Tanzu Operations Manager
Apache License 2.0

Feature Request: Updating Opsman tempest cert #180

Closed daviddob closed 5 years ago

daviddob commented 6 years ago

Would a PR allowing the om-cli to update the tempest cert on the Opsman VM be considered? The current process is outlined here in the documentation; however, the process involves manually replacing a file via SSH. This process could be automated and added to the om-cli to SSH in and replace the cert using either an SSH-User and Pass or SSH-PrivateKey. This would allow pcf-pipelines or other automation to add the correct certificate and cut down on mistakes and time when deploying a new environment.

cf-gitbot commented 6 years ago

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

ljfranklin commented 6 years ago

@daviddob if OpsMgr added an API endpoint to support adding your own cert to the OpsMgr VM, we'd love to support that workflow via om. But the process outlined in those docs feels super hacky and I'd feel uncomfortable supporting a workflow where a CLI ssh'es into your server as a privileged user, messes with some files, and restarts system services. Could you open an issue with OpsMgr around adding a first-class API endpoint to support this workflow? I'm also tired of the SSL warning message every time I visit the OpsMgr UI :)

daviddob commented 6 years ago

I agree it feels super hacky, wanted to reduce that a bit. I agree with the approach you outlined as that would be the best case scenario. I'll reach out to the ops-manager team, if you could ping them about this internally as well I'd appreciate it.

jtarchie commented 6 years ago

The Step 1 "SSH into Operations Manager" is probably tricky to implement, as different deployments of OpsMan can have different networking setups.

  1. Proxy settings
  2. Firewall rules
  3. Ports

Are you able to programmatically determine the correct ssh command to run?

daviddob commented 6 years ago

If this route was feasible I was planning to have flags and/or env vars to supply proxy, ports, user, passwd, private key, etc. to the command to update the cert. As far as I know the cert location itself and commands to restart tempest haven't changed even across major versions 1.x to 2.x.

zachgersh commented 6 years ago

As @ljfranklin points out - this sort of goes against the ethos of what the om prime directive is - simplify interaction with the ops manager API. It feels like the right approach here would be to ask ops manager to add this ability to the API that they are exposing, everyone gets a nice implementation that way.

ljfranklin commented 6 years ago

Good news! Looks like OpsMgr 2.2 adds a PUT /api/v0/settings/ssl_certificate endpoint. Adding a command to om to update this cert sounds super useful. Our team's backlog is pretty full right now, but we'd be happy to accept a PR for this.

mcwumbly commented 6 years ago

(I've been using "pr welcome" label so switched it over for consistency... they basically mean the same thing).

daviddob commented 6 years ago

I'll take a look at implementing that in the near future if I find some free time, thanks for the update.

daviddob commented 6 years ago

Any updates on this front? PR was submitted about a month ago and haven't heard anything regarding it.

ljfranklin commented 6 years ago

@daviddob sorry about that, we've been in the process of shifting some of the maintenance responsibilities of this project over to the pcf-automation team. This looks to have gotten lost in the shuffle. @jtarchie @kcboyle would someone from your team have bandwidth to review the PR?

daviddob commented 6 years ago

All good, I figured things got busy on your end and should check in.

fredwangwang commented 5 years ago

closing, already merged in https://github.com/pivotal-cf/om/pull/232