puppetlabs / puppetserver

Server automation framework and application
https://tickets.puppetlabs.com/browse/SERVER
Apache License 2.0

(PE-36269) ensure CRLs are regenerated when nearing expiration #2788

Closed jonathannewman closed 11 months ago

jonathannewman commented 11 months ago

In the first commit:

This alters the analytics service to explicitly stop the jobs it is running when shutting down. It also adds some simple logging to the startup / shutdown process.

Additionally, an unused dependency in the master_service was removed.

In the second commit:

This adds a new behavior where once a day, puppetserver will check to see if the CRLs, both the main CRL and, if enabled, the infra-crl, are nearing expiration. If one is, the list of expired serial numbers is collected from the inventory file and used to prune the CRL list.

The CRL is then regenerated with the (potentially) smaller set of serials.

If the CRLs are not nearing expiration, nothing is done.

Tests are added to demonstrate the CRL behaviors added.

Resolves #2789
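
A sketch of the check-and-prune decision described in the PR description above, added here as an illustration in Python; it is not puppetserver's code and it does not sign a CRL. The 30-day threshold, the inventory line layout (hex serial, not-before, not-after, subject) and all function names are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed threshold: the PR only says "nearing expiration".
NEAR_EXPIRY = timedelta(days=30)

# Constructed sample inventory (assumed layout: serial, not-before, not-after, subject).
SAMPLE_INVENTORY = """\
0x0002 2018-01-01T00:00:00UTC 2023-01-01T00:00:00UTC /CN=old-agent.example.test
0x0003 2022-06-01T00:00:00UTC 2027-06-01T00:00:00UTC /CN=agent-a.example.test
this line is damaged
0x0005 2019-03-01T00:00:00UTC 2024-03-01T00:00:00UTC /CN=agent-b.example.test
"""


def parse_ts(text):
    """Parse an inventory timestamp such as 2023-01-01T00:00:00UTC."""
    naive = datetime.strptime(text.removesuffix("UTC"), "%Y-%m-%dT%H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def expired_serials(inventory_text, now):
    """Return the serials whose certificate not-after date has passed."""
    expired = set()
    for line in inventory_text.splitlines():
        fields = line.split()
        try:
            serial = int(fields[0], 16)
            not_after = parse_ts(fields[2])
        except (IndexError, ValueError):
            continue  # unreadable entry: never treat it as expired
        if not_after < now:
            expired.add(serial)
    return expired


def plan_crl_refresh(revoked, next_update, inventory_text, now):
    """Return (regenerate, serials) for one CRL at the daily check."""
    if next_update - now > NEAR_EXPIRY:
        return False, set(revoked)  # not nearing expiration: nothing is done
    # Only serials proven expired by the inventory are dropped; a revoked
    # serial that is missing from the inventory stays revoked.
    return True, set(revoked) - expired_serials(inventory_text, now)
```

Dropping a serial is safe only because the certificate's own validity period already rejects it, which is why unparseable or missing inventory entries are kept on the list.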

kenyon commented 7 months ago

I guess this is in 2023.6.0, but it's not in the release notes. Would be good to get it added. Thanks! https://www.puppet.com/docs/pe/2023.6/release_notes_pe#release_notes_pe_x-6

jonathannewman commented 7 months ago

@kenyon Thanks! We will get it added to the release notes.