Closed Enucatl closed 1 year ago
I thought maybe the environment wasn't up to date with version 0.6.0 of the module, but it looks like you have it defined in your Puppetfile. Just to sanity check, I updated my manifest to include these properties on my vault_cert resource:
```puppet
# Issue a host certificate from Vault
include vault_secrets::vault_cert
vault_cert { fact('hostname'):
  ensure            => present,
  vault_uri         => $vault_cert_uri,
  auth_path         => 'puppet-pki',
  cert_chain_owner  => 'lp',
  cert_chain_group  => 'lp',
  cert_chain_mode   => '0664',
  cert_data         => {
    'common_name' => fact('fqdn'),
    'ip_sans'     => [fact('networking.ip')],
    'ttl'         => '2160h',
  },
  renewal_threshold => 15,
}
```
Applying this on one of my systems does update the owner/group/mode of the cert chain file:
```
# puppet agent -t
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for cups.home.arpa
Info: Applying configuration version '1664502889'
Notice: /Stage[main]/Profile::Linux/Vault_cert[cups]/cert_chain_owner: cert_chain_owner changed 'root' to 'lp'
Notice: /Stage[main]/Profile::Linux/Vault_cert[cups]/cert_chain_group: cert_chain_group changed 'root' to 'lp'
Notice: /Stage[main]/Profile::Linux/Vault_cert[cups]/cert_chain_mode: cert_chain_mode changed '0644' to '0664'
Notice: Applied catalog in 0.31 seconds
# ls -l /etc/pki/vault-secrets/cups.chain.crt
-rw-rw-r-- 1 lp lp 5368 Sep 10 03:45 /etc/pki/vault-secrets/cups.chain.crt
```
Removing the cert_chain_(owner|group|mode) properties from the resource reverts the file to the default owner/group of root and permissions of 0644.
You should be able to verify the custom type with "puppet describe" and see the "cert_chain" properties:
```
# puppet describe vault_cert | grep cert_chain_
- **cert_chain_file**
- **cert_chain_group**
    The group which the cert_chain_file should be owned by
- **cert_chain_mode**
    The file mode the cert_chain_file should be written with
- **cert_chain_owner**
    The user which the cert_chain_file should be owned by
```
It's really weird. I can see the properties on both servers. But if I try to apply the manifest with cert_chain_* it doesn't work. It even shows on the client that the new code is deployed and contains the new properties.
```
user@vault:~$ sudo /opt/puppetlabs/puppet/bin/puppet describe vault_cert | grep cert_chain
- **cert_chain**
- **cert_chain_file**
- **cert_chain_group**
    The group which the cert_chain_file should be owned by
- **cert_chain_mode**
    The file mode the cert_chain_file should be written with
- **cert_chain_owner**
    The user which the cert_chain_file should be owned by
- **info_cert_chain**
```

```
19:03 user@nuc10i7fnh:~$ sudo /opt/puppetlabs/puppet/bin/puppet describe vault_cert | grep cert_chain
- **cert_chain**
- **cert_chain_file**
- **cert_chain_group**
    The group which the cert_chain_file should be owned by
- **cert_chain_mode**
    The file mode the cert_chain_file should be written with
- **cert_chain_owner**
    The user which the cert_chain_file should be owned by
- **info_cert_chain**
```
19:03 user@nuc10i7fnh:~$ sudo /opt/puppetlabs/puppet/bin/puppet agent --test
[...]
- newproperty(:ca_chain_group) do
- desc 'The group which the ca_chain_file should be owned by'
+ newproperty(:cert_chain_group) do
+ desc 'The group which the cert_chain_file should be owned by'
defaultto 'root'
end
- newproperty(:ca_chain_mode) do
- desc 'The file mode the ca_chain_file should be written with'
+ newproperty(:cert_chain_mode) do
+ desc 'The file mode the cert_chain_file should be written with'
defaultto '0644'
end
- newproperty(:ca_chain) do
+ newproperty(:cert_chain) do
desc 'Read-only property which contains the value of the CA chain'
newvalues(:auto)
defaultto :auto
def insync?(is)
- is == resource.property(:info_ca_chain).retrieve
+ is == resource.property(:info_cert_chain).retrieve
end
end
- newproperty(:info_ca_chain) do
+ newproperty(:info_cert_chain) do
desc 'Read-only property which contains the value of the CA chain from the info file'
newvalues(:auto)
defaultto :auto
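Review bot: the rename from ca_chain_group / ca_chain_mode / ca_chain / info_ca_chain to the cert_chain_* names in this hunk removes the old property names outright, with no deprecated property left behind that forwards to the new one, so any manifest or Hiera data still passing ca_chain_owner, ca_chain_group or ca_chain_mode will fail catalog compilation with "no parameter named ..." after the module is updated. Either keep the ca_chain_* properties for one release as deprecated wrappers that log a warning and set the cert_chain_* value, or call the breaking rename out in the changelog and README so users know to update their resources alongside the module. The retained defaults (`defaultto 'root'` for the group and `defaultto '0644'` for the mode) are appropriate for a chain file that carries only public certificates.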
@@ -207,7 +215,7 @@
autorequire(:file) do
[
Facter.value(:vault_cert_dir),
- File.dirname(self[:ca_chain_file]),
+ File.dirname(self[:cert_chain_file]),
File.dirname(self[:cert_file]),
File.dirname(self[:key_file]),
].uniq
@@ -215,7 +223,7 @@
autorequire(:user) do
[
- self[:ca_chain_owner],
+ self[:cert_chain_owner],
self[:cert_owner],
self[:key_owner],
].uniq
@@ -223,7 +231,7 @@
autorequire(:group) do
[
- self[:ca_chain_group],
+ self[:cert_chain_group],
self[:cert_group],
self[:key_group],
].uniq
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/type/vault_cert.rb]/content: content changed '{sha256}c0c2c6584bc24d15381a5ba3cbaee199d3303808af0689f7679d27522e7ad516' to '{sha256}26ddd57f0b37d3e3d91e1297d9b5e44b51b1cc11d7b285468d8eb4443b8b4fef'
[...]
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: no parameter named 'cert_chain_owner' (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 73) on Vault_cert[traefik] (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 73) on node nuc10i7fnh.home.arpa
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
OK, two days of this. It turns out puppet has a cache of resource types in `/etc/puppetlabs/code/environments/production/.resource_types/` that needs to be refreshed with `puppet generate types`, as it's not automatically updated even if the code changes.
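The stale-cache check that resolves the thread, as an added example that is not part of the issue or of the vault_secrets module: it lists every custom type in an environment whose entry under `.resource_types/` is missing or older than the type's Ruby source, and regenerates the cache only when something is stale. It assumes the layout `puppet generate types` produces (one `<env>/.resource_types/<typename>.pp` per `<module>/lib/puppet/type/<typename>.rb`), the module directories `modules`, `site` and `site-modules`, and the AIO agent path `/opt/puppetlabs/bin/puppet` (overridable via `PUPPET`).

```shell
#!/bin/sh
# Added example (not the issue author's or the module's code): report and
# refresh stale entries in an environment's .resource_types cache.
#
# Assumed layout (what `puppet generate types` writes):
#   <env>/.resource_types/<typename>.pp   for   <module>/lib/puppet/type/<typename>.rb

# Print the names of custom types in ENVDIR whose cached .pp file is missing
# or older than the .rb that defines the type.
stale_types() {
  envdir="$1"
  for moduledir in "$envdir"/modules "$envdir"/site "$envdir"/site-modules; do
    [ -d "$moduledir" ] || continue
    find "$moduledir" -path '*/lib/puppet/type/*.rb' -type f | while read -r rb; do
      name=$(basename "$rb" .rb)
      pp="$envdir/.resource_types/$name.pp"
      # stale when there is no cached .pp at all, or the .rb was modified after it
      if [ ! -f "$pp" ] || [ -n "$(find "$rb" -newer "$pp")" ]; then
        echo "$name"
      fi
    done
  done
}

# Regenerate the cache for ENVDIR only if stale_types found something.
# Returns 0 when a regeneration was run, 1 when the cache was already current.
# PUPPET defaults to the assumed AIO agent path.
regenerate_if_stale() {
  envdir="$1"
  env=$(basename "$envdir")
  if [ -n "$(stale_types "$envdir")" ]; then
    "${PUPPET:-/opt/puppetlabs/bin/puppet}" generate types --environment "$env"
    return 0
  fi
  return 1
}

# Usage: regen-types.sh /etc/puppetlabs/code/environments/production
if [ "$#" -gt 0 ]; then
  regenerate_if_stale "$1"
fi
```

Running this as an r10k `postrun` command (r10k.yaml supports a `postrun` array) after each deploy, or from the control repo's deploy hook, keeps the cache in step with the type files so a renamed property shows up in `puppet describe` and in catalog compilation at the same time.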
I've been using Puppet Enterprise lately and Code Manager takes care of this for you. I'd forgotten this open source r10k behavior. Glad to hear you got to the bottom of it.
It seems I can't make the new `cert_chain` parameters work. Am I doing something stupid?

Hiera: https://github.com/Enucatl/puppet-control-repo/blob/8f045e270d68ecfc4b2bfe6d8d5514ce22a702eb/data/nodes/nuc10i7fnh.home.arpa.yaml
Manifest: https://github.com/Enucatl/puppet-control-repo/blob/8f045e270d68ecfc4b2bfe6d8d5514ce22a702eb/manifests/site.pp#L76