Design: Document for discussion and planning of certificate handling redesign #354
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ehelms
changed the title
ekohl
approved these changes
Jun 24, 2021
There was a problem hiding this comment.
I'm not entirely use we need separate types for certificate and private_key. We can consider using https://github.com/voxpupuli/puppet-openssl as well but I think we'll find out along the way what works best.
Overall I agree with the plan. If we keep ssl-build we should also consider moving it to /var/lib because /root is a bad place for it.
|
|
||
| #### Problem Statement | ||
|
|
||
| Services almost always need to set some level of ownership on certificates in order to consume them at runtime. This can be as simple as user and group. The certificates used by a service are also often co-located within a directory owned by that service. This creates dependency cycles and burdens when trying to manage the certificates from within puppet-certs. For example, puppet-candlepin needs to install Candlepinand ensure the tomcat user and group exists, as well as the `/etc/candlepin/certs` directory in order for puppet-certs to set the owner and group on the certificates. And, puppet-candlepin needs puppet-certs to have created and deployed the certificates with those correct ownerships before the service can be started. |
There was a problem hiding this comment.
Suggested change
| Services almost always need to set some level of ownership on certificates in order to consume them at runtime. This can be as simple as user and group. The certificates used by a service are also often co-located within a directory owned by that service. This creates dependency cycles and burdens when trying to manage the certificates from within puppet-certs. For example, puppet-candlepin needs to install Candlepinand ensure the tomcat user and group exists, as well as the `/etc/candlepin/certs` directory in order for puppet-certs to set the owner and group on the certificates. And, puppet-candlepin needs puppet-certs to have created and deployed the certificates with those correct ownerships before the service can be started. | |
| Services almost always need to set some level of ownership on certificates in order to consume them at runtime. This can be as simple as user and group. The certificates used by a service are also often co-located within a directory owned by that service. This creates dependency cycles and burdens when trying to manage the certificates from within puppet-certs. For example, puppet-candlepin needs to install Candlepin and ensure the tomcat user and group exists, as well as the `/etc/candlepin/certs` directory in order for puppet-certs to set the owner and group on the certificates. And, puppet-candlepin needs puppet-certs to have created and deployed the certificates with those correct ownerships before the service can be started. |
Take a look at what I added to #348 and my comments at the end. I think this all comes down to how much we want to create an abstraction and how much we want to try to add some 'verifications'. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I thought I would try this method for communicating the design and technical Roadmap of certificate redesign work I am undertaking. I am trying to achieve larger design goals through small, incremental changes and realize that the steps I envision in my head may not be obvious to those reviewing the incoming work.
Thus, I am trying out a pull request with design document that will remain in draft status. I do not intend to merge this ever. I intend this to serve as a communication and reference as well as a place for discussions of key points through the ability to comment on specific lines.
I am sure I missed something that will come out through discussion. I have learned a lot about how all the current code works so if there is an area that is not super clear, or you'd like a deeper exposition of how a part of it works today I'll add that.