Prevents spurious clientcert warnings in serverless mode #22
When there are no clientcerts, Puppet will warn when it creates an SSLContext for HTTPS operations. This situation occurs when you run entirely serverless and never generate clientcerts. It's spurious in that case, so we don't actually need to warn about it.
This behaviour was added in 3f7f830 so that the new HTTP client could download files via HTTPS from the puppetserver (for example, the way that pe_repo works).
To prevent this being a failure when running puppet apply in serverless mode, it explicitly marks the clientcerts as optional in puppet/lib/puppet/ssl/ssl_provider.rb (line 98 in 06bc441) and puppet/lib/puppet/ssl/ssl_provider.rb (line 103 in 06bc441).
This goes one step further and sets the output to INFO rather than WARN when running puppet apply.
This does have one small edge case. If,
puppet agent -t you run puppet apply for provisioning purposes, and
puppetserver
Then you will get a certificate validation error and the HTTPS request will fail silently with only an INFO message as a hint explaining why.
To fix it, you obviously just generate and sign the clientcerts.
I think this is an acceptable tradeoff, but would like other opinions.
This will need specs before merging.
Fixes #21