Open johannagnarsson opened 2 months ago
@johannagnarsson Thanks for the bug report!
If you find a way to enhance this, please feel free to send our way a PR. This chart is 100% community maintained.
Yes will try to put together a PR for sure! Just wanted to post this first before the PR.
FYI I also bumped into this... I ended up basically fixing by hand aka option 4 - and I also had to initially generate a new server cert as well - aka Step 4 from here: https://www.puppet.com/docs/puppet/7/ssl_regenerate_certificates.html
I would also argue that given that Puppet 6 is now EOL we could likely drop support for legacy folder structures and just import with the proper structures in place which to me looks like
Use Case
Following the process to import generated certs only works if migrating from a legacy puppet ca since all the certs live in `/etc/puppetlabs/puppet/ssl/ca/`. New puppetserver ca cert location is `/etc/puppetlabs/puppetserver/ca` with `/etc/puppetlabs/puppet/ssl/ca` being a symlink to the new location. The reason it works for the legacy ca is because of this: https://github.com/voxpupuli/container-puppetserver/blob/a84fc0c23e936febb184f9b5c94c2a194be78dd5/puppetserver/docker-entrypoint.d/90-ca.sh#L70

If you tar up `/etc/puppetlabs/puppet/ssl/` on a "new style" puppetserver ca, it will either only include the `ca` symlink, or dereference it and include the `ca` folder with all its contents, but that will cause the referenced script to fail:

```
Running /docker-entrypoint.d/90-ca.sh
Error: Existing file at '/etc/puppetlabs/puppetserver/ca'
Migration will not overwrite the directory at /etc/puppetlabs/puppetserver/ca. Have you already run this migration tool? Is this a puppet 7 installation? It is likely that you have already successfully run the migration or do not need to run it.
```

This means that it is impossible to import modern ca via the helm chart.

Describe the Solution You Would Like

Adding another configuration option to import puppetserver ca style certs. This seems to be the most straightforward solution and should be able to be implemented without breaking any existing functionality.
Describe Alternatives You've Considered
Possible alternatives to this solution could be:
Additional Context
Would love any other alternative solutions!
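The following POSIX shell script is an added example for this issue; it is not code from the chart, from container-puppetserver, or from anyone in the thread. It builds a constructed, throwaway directory tree (placeholder files, no real keys) in the two layouts described above, classifies which one a given `puppet/ssl` directory uses by checking whether `ca` is a symlink, resolves the physical directory the CA files actually live in, and then inspects an ssl tarball to see which of the two problematic shapes it carries: a bare `ca` symlink entry (which dangles inside the container) or a dereferenced `ca/` directory (which trips the migration check in `90-ca.sh` with the error quoted above). The function names `classify_ca_layout`, `ca_export_dir`, `tarball_ca_entry` and `make_fixture` are mine and assume only `tar`, `grep` and `mktemp`.

```shell
#!/bin/sh
# Added example for this thread (not part of the chart or its 90-ca.sh entrypoint).
# Distinguishes the legacy CA layout (puppet/ssl/ca is a real directory) from the
# puppetserver layout (puppet/ssl/ca is a symlink to puppetserver/ca) before an
# export, and reports how "ca" ended up inside an ssl tarball.
set -e

# classify_ca_layout SSL_DIR -> prints legacy | puppetserver | none
classify_ca_layout() {
    if [ -L "$1/ca" ]; then echo puppetserver
    elif [ -d "$1/ca" ]; then echo legacy
    else echo none
    fi
}

# ca_export_dir SSL_DIR -> prints the physical directory holding the CA files.
# The symlink is resolved with cd -P / pwd -P, which are POSIX (readlink -f is GNU-only).
ca_export_dir() {
    (cd -P "$1/ca" && pwd -P)
}

# tarball_ca_entry TARBALL -> prints how "ca" is stored in the archive:
#   link : stored as a symlink entry (dangles once unpacked in the container)
#   dir  : stored as a real directory (symlink was dereferenced; trips the migration check)
#   none : no "ca" entry at all
tarball_ca_entry() {
    listing=$(tar -tvf "$1")
    if printf '%s\n' "$listing" | grep -E ' (\./)?ca -> ' >/dev/null; then echo link
    elif printf '%s\n' "$listing" | grep -E ' (\./)?ca/$' >/dev/null; then echo dir
    else echo none
    fi
}

# make_fixture ROOT LAYOUT -> constructed fake tree under ROOT (placeholder file
# contents, nothing cryptographic); LAYOUT is "legacy" or "puppetserver".
make_fixture() {
    root="$1"; layout="$2"
    mkdir -p "$root/etc/puppetlabs/puppet/ssl/certs"
    echo "PLACEHOLDER CERT" > "$root/etc/puppetlabs/puppet/ssl/certs/ca.pem"
    if [ "$layout" = puppetserver ]; then
        # Puppet 7+ style: real files under puppetserver/ca, puppet/ssl/ca is a relative symlink
        mkdir -p "$root/etc/puppetlabs/puppetserver/ca/signed"
        echo "PLACEHOLDER CA CRT" > "$root/etc/puppetlabs/puppetserver/ca/ca_crt.pem"
        ln -s ../../puppetserver/ca "$root/etc/puppetlabs/puppet/ssl/ca"
    else
        # Legacy style: the CA directory itself lives under puppet/ssl
        mkdir -p "$root/etc/puppetlabs/puppet/ssl/ca/signed"
        echo "PLACEHOLDER CA CRT" > "$root/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"
    fi
}

# Demo: build a puppetserver-style tree, tar puppet/ssl both ways, report the shapes.
demo() {
    root=$(mktemp -d)
    make_fixture "$root" puppetserver
    ssl="$root/etc/puppetlabs/puppet/ssl"
    echo "layout:           $(classify_ca_layout "$ssl")"
    echo "ca files live in: $(ca_export_dir "$ssl")"
    tar -c -f "$root/plain.tar" -C "$ssl" .       # keeps ca as a symlink entry
    tar -c -h -f "$root/deref.tar" -C "$ssl" .    # follows the symlink: ca/ becomes a real dir
    echo "plain.tar ca entry: $(tarball_ca_entry "$root/plain.tar")"
    echo "deref.tar ca entry: $(tarball_ca_entry "$root/deref.tar")"
    rm -rf "$root"
}
demo
```

Run as-is and it prints `layout: puppetserver`, the resolved `puppetserver/ca` path, `link` for the plain tarball and `dir` for the dereferenced one. On a real host, point `classify_ca_layout` and `ca_export_dir` at `/etc/puppetlabs/puppet/ssl` before packaging certs: if the answer is `puppetserver`, the directory worth exporting is the resolved one, and a tarball of `puppet/ssl` in either shape is what produces the failure described above.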