Closed anthonysomerset closed 2 months ago
when i generate config without cert import - cert generated is puppet.puppettest.svc.cluster.local.pem (assuming its namespace specific) - this might be specific to AKS though will need more data points for other environments
however i have a fix for the test that will be slightly more generic which i will open a PR for
@anthonysomerset Thank you! Wanna become one of the official maintainers?
I have no objections but only if you sure! - i just needed to fix use cases specific to my scenario :)
i do want to look at making the restic compoent support azure blob storage as well ;)
I was hitting this bug too! Thanks for fixing it :)
Describe the Bug
I am raising this as a bug because i have only been testing one scenario here and may need some other testing/data points to validate as well as to come up with a solution.
My Scenario is AKS + External Postgres (for PuppetDB)
I am importing my pre-existing infra certs and CA from legacy on prem into AKS and running multiMasters enabled.
with the default init-configmap that gets generated the check_for_masters.sh script waits indefinitely because
/etc/puppetlabs/puppet/ssl/certs/puppet.pem
is not present. it appears at least in my scenario the file that gets generated is/etc/puppetlabs/puppet/ssl/certs/puppet.puppet.svc.cluster.local.pem
I can work around the issue by executing a bash shell in the init container and then kill the script and allow it to proceed or by editing the configmap to update the
PUPPET_SSL_CERT_PEM
variable and triggering restart on the deployment at which point everything proceeds as normalI don't know if its a unique to my setup thing or if the cert is always in the FQDN format and the script never worked or what.
i did try touching an empty puppet.pem file however while this makes the default configmap work it will cause the main puppetserver container to fail at the 99-log-config.sh step - https://github.com/voxpupuli/container-puppetserver/blob/main/puppetserver/docker-entrypoint.d/99-log-config.sh because the command is only expecting one non ca.pem file present and then openssl borks because the input is broken
Expected Behavior
check_for_masters.sh should check for correct cert file and pass without issue if it is present
Steps to Reproduce
Steps to reproduce the behavior: I am not sure if this is simply using multiMaster or alternateServerNames or the pregenerated import or a combination of all 3 - i have a suspicion that its the first 2.
here is a snippet of my values- domain changed to protect the innocent :D
Additional Context
I haven't yet created a PR here - I would be curious to find out the different possible puppserver cert names that could get generated because i think the script may need to take into account possible variations first to cover all potential scenarios - for example maybe we should attempt to read the certname field out of the puppet config and interpret correct file name from that?