southalc / vault

Puppet module for use with Hashicorp Vault

Server Error: no parameter named 'cert_chain_owner' #18

Closed Enucatl closed 1 year ago

Enucatl commented 1 year ago

It seems I can't make the new cert_chain parameters work. Am I doing something stupid?

Hiera: https://github.com/Enucatl/puppet-control-repo/blob/8f045e270d68ecfc4b2bfe6d8d5514ce22a702eb/data/nodes/nuc10i7fnh.home.arpa.yaml

Manifest: https://github.com/Enucatl/puppet-control-repo/blob/8f045e270d68ecfc4b2bfe6d8d5514ce22a702eb/manifests/site.pp#L76

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: no parameter named 'cert_chain_owner' (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 76) on Vault_cert[traefik] (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 76)

southalc commented 1 year ago

I thought maybe the environment wasn't up to date with version 0.6.0 of the module, but it looks like you have it defined in your Puppetfile. Just to sanity check I updated my manifest to include these properties on my vault_cert resource:

    # Issue a host certificate from Vault
    include vault_secrets::vault_cert
    vault_cert { fact('hostname'):
      ensure            => present,
      vault_uri         => $vault_cert_uri,
      auth_path         => 'puppet-pki',
      cert_chain_owner  => 'lp',
      cert_chain_group  => 'lp',
      cert_chain_mode   => '0664',
      cert_data         => {
        'common_name' => fact('fqdn'),
        'ip_sans'     => [fact('networking.ip')],
        'ttl'         => '2160h',
      },
      renewal_threshold => 15,
    }

Applying this on one of my systems does update the owner/group/mode of the cert chain file:

# puppet agent -t
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for cups.home.arpa
Info: Applying configuration version '1664502889'
Notice: /Stage[main]/Profile::Linux/Vault_cert[cups]/cert_chain_owner: cert_chain_owner changed 'root' to 'lp'
Notice: /Stage[main]/Profile::Linux/Vault_cert[cups]/cert_chain_group: cert_chain_group changed 'root' to 'lp'
Notice: /Stage[main]/Profile::Linux/Vault_cert[cups]/cert_chain_mode: cert_chain_mode changed '0644' to '0664'
Notice: Applied catalog in 0.31 seconds

# ls -l /etc/pki/vault-secrets/cups.chain.crt
-rw-rw-r-- 1 lp lp 5368 Sep 10 03:45 /etc/pki/vault-secrets/cups.chain.crt

Removing the cert_chain_(owner|group|mode) properties from the resource reverts the file to the default owner/group of root and permissions of 644.

You should be able to verify the custom type with "puppet describe" and see the "cert_chain" properties:

# puppet describe vault_cert | grep cert_chain_
- **cert_chain_file**
- **cert_chain_group**
    The group which the cert_chain_file should be owned by
- **cert_chain_mode**
    The file mode the cert_chain_file should be written with
- **cert_chain_owner**
    The user which the cert_chain_file should be owned by

Enucatl commented 1 year ago

It's really weird. I can see the properties on both servers. But if I try to apply the manifest with cert_chain_* it doesn't work. It even shows on the client that the new code is deployed and contains the new properties.

user@vault:~$ sudo /opt/puppetlabs/puppet/bin/puppet describe vault_cert | grep cert_chain
- **cert_chain**
- **cert_chain_file**
- **cert_chain_group**
    The group which the cert_chain_file should be owned by
- **cert_chain_mode**
    The file mode the cert_chain_file should be written with
- **cert_chain_owner**
    The user which the cert_chain_file should be owned by
- **info_cert_chain**

19:03 user@nuc10i7fnh:~$ sudo /opt/puppetlabs/puppet/bin/puppet describe vault_cert | grep cert_chain
- **cert_chain**
- **cert_chain_file**
- **cert_chain_group**
    The group which the cert_chain_file should be owned by
- **cert_chain_mode**
    The file mode the cert_chain_file should be written with
- **cert_chain_owner**
    The user which the cert_chain_file should be owned by
- **info_cert_chain**
19:03 user@nuc10i7fnh:~$ sudo /opt/puppetlabs/puppet/bin/puppet agent --test
[...]
-  newproperty(:ca_chain_group) do
-    desc 'The group which the ca_chain_file should be owned by'
+  newproperty(:cert_chain_group) do
+    desc 'The group which the cert_chain_file should be owned by'
     defaultto 'root'
   end

-  newproperty(:ca_chain_mode) do
-    desc 'The file mode the ca_chain_file should be written with'
+  newproperty(:cert_chain_mode) do
+    desc 'The file mode the cert_chain_file should be written with'
     defaultto '0644'
   end

-  newproperty(:ca_chain) do
+  newproperty(:cert_chain) do
     desc 'Read-only property which contains the value of the CA chain'
     newvalues(:auto)
     defaultto :auto

     def insync?(is)
-      is == resource.property(:info_ca_chain).retrieve
+      is == resource.property(:info_cert_chain).retrieve
     end
   end

-  newproperty(:info_ca_chain) do
+  newproperty(:info_cert_chain) do
     desc 'Read-only property which contains the value of the CA chain from the info file'
     newvalues(:auto)
     defaultto :auto
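Review bot: the rename from ca_chain_* to cert_chain_* in this hunk drops the old property names outright, so any manifest still setting ca_chain_group, ca_chain_mode or ca_chain now fails catalog compilation with "no parameter named 'ca_chain_group'" rather than getting a deprecation warning. Keep the old names for one release as deprecated aliases (a newparam that warns and maps its value onto the new property), or at minimum call the break out in the changelog, and note that a compile server only sees the renamed properties once "puppet generate types" has been rerun for the environment.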
@@ -207,7 +215,7 @@
   autorequire(:file) do
     [
       Facter.value(:vault_cert_dir),
-      File.dirname(self[:ca_chain_file]),
+      File.dirname(self[:cert_chain_file]),
       File.dirname(self[:cert_file]),
       File.dirname(self[:key_file]),
     ].uniq
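Review bot: File.dirname(self[:cert_chain_file]) in the autorequire(:file) block raises TypeError if cert_chain_file is unset, which aborts building the relationship graph instead of merely skipping the autorequire; this is only safe if cert_chain_file carries a defaultto, which this hunk does not show. Either confirm the default on the parameter or drop nils before taking dirnames, e.g. `[self[:cert_chain_file], self[:cert_file], self[:key_file]].compact.map { |f| File.dirname(f) }`.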
@@ -215,7 +223,7 @@

   autorequire(:user) do
     [
-      self[:ca_chain_owner],
+      self[:cert_chain_owner],
       self[:cert_owner],
       self[:key_owner],
     ].uniq
@@ -223,7 +231,7 @@

   autorequire(:group) do
     [
-      self[:ca_chain_group],
+      self[:cert_chain_group],
       self[:cert_group],
       self[:key_group],
     ].uniq

Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/type/vault_cert.rb]/content: content changed '{sha256}c0c2c6584bc24d15381a5ba3cbaee199d3303808af0689f7679d27522e7ad516' to '{sha256}26ddd57f0b37d3e3d91e1297d9b5e44b51b1cc11d7b285468d8eb4443b8b4fef'
[...]
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: no parameter named 'cert_chain_owner' (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 73) on Vault_cert[traefik] (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 73) on node nuc10i7fnh.home.arpa
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Enucatl commented 1 year ago

OK, two days of this. It turns out Puppet has a cache of resource types in /etc/puppetlabs/code/environments/production/.resource_types/ that needs to be refreshed with "puppet generate types", as it's not automatically updated even if the code changes.
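
A quick way to catch this before the next two-day hunt: compare each custom type's Ruby source with the generated file that "puppet generate types" writes under `.resource_types/`. The script below is an added example, not part of this issue or of the southalc/vault module. It assumes the standard layout of an environment directory (`modules/<module>/lib/puppet/type/<type>.rb` for the source and `.resource_types/<type>.pp` for the generated type); the attribute check is a loose grep that assumes the generated file quotes attribute names, which is an assumption about its format, not a documented contract.

```sh
#!/bin/sh
# Added example (not the issue's or the module's own code): report custom types
# whose generated .resource_types/<type>.pp is missing or older than the type's
# Ruby source, i.e. exactly the stale cache that "puppet generate types" refreshes.
# Assumed layout: <envdir>/modules/*/lib/puppet/type/<type>.rb and
#                 <envdir>/.resource_types/<type>.pp

# Print one line per stale or missing generated type for an environment directory.
# Returns 0 when every generated type is at least as new as its source, 1 otherwise.
stale_resource_types() {
    envdir="$1"
    stale=0
    for src in "$envdir"/modules/*/lib/puppet/type/*.rb; do
        [ -e "$src" ] || continue          # the glob matched nothing
        name=$(basename "$src" .rb)
        gen="$envdir/.resource_types/$name.pp"
        if [ ! -e "$gen" ]; then
            echo "$name: no generated type (run: puppet generate types --environment $(basename "$envdir"))"
            stale=1
        elif [ "$src" -nt "$gen" ]; then
            echo "$name: $gen is older than $src"
            stale=1
        fi
    done
    return $stale
}

# Loose check that the generated type knows a given attribute name, e.g.
#   generated_type_has_attr /etc/puppetlabs/code/environments/production vault_cert cert_chain_owner
# Assumes (not guaranteed) that the generated .pp quotes attribute names in single quotes.
generated_type_has_attr() {
    gen="$1/.resource_types/$2.pp"
    [ -e "$gen" ] && grep -q "'$3'" "$gen"
}

# Usage: stale_resource_types /etc/puppetlabs/code/environments/production
```

Run it against the environment directory on the compile server (the cache is server-side; a fresh pluginsync on the agent, as seen above, does not help). If it reports the type as stale, `puppet generate types --environment <env>` rebuilds the cache; with open source r10k you can have that run automatically after every deploy via the `postrun` setting in r10k.yaml.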

southalc commented 1 year ago

I've been using Puppet Enterprise lately and Code Manager takes care of this for you. I'd forgotten this open source r10k behavior. Glad to hear you got to the bottom of it.