Use secretbox to store randomly generated passwords #354
Conversation
|
This should prevent activemq and broker from being restarted on each puppet run if someone doesn't specify passwords for these randomly generated passwords. Users should still set common values in multihost environments. |
|
This reminds me of https://github.com/theforeman/puppet-foreman/blob/master/lib/puppet/parser/functions/cache_data.rb but in a separate module. |
|
In case it's unclear, 👍 from me. |
|
Hmm, perhaps we should petition puppetlabs to add that to stdlib, that function seems really useful and more general than secretbox. |
|
@sdodson I did talk about that other foreman devs but since it stores data on the puppet master it's not compatible with a puppet multi master solution. I do agree such a function would be very good to have in stdlib. |
sdodson
force-pushed
the
use_secretbox
branch
2 times, most recently
from
ca78da0 to
6b65fb1
Compare
|
[test] then we'll merge |
|
Origin Test Results: FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests/3166/) |
|
Is this the same issue you were seeing previously where it was pulling the module info from puppet forge instead of the Modulefile and/or metadata.json? I have a PR outstanding to update the vagrant-openshift plugin (openshift/vagrant-openshift#171) to use the latest puppet from puppetlabs instead of using the one from epel, so maybe that would resolve this issue as well. |
|
@detiber no, as far as I understand it this will make the module (more) usable on continious puppet runs. Currently every puppet run will change the password to a new random string. By storing the result any subsequent run will use the same random password, if that makes sense. |
|
@detiber Yeah looks like installing a local module on puppet 2.7.5 goes to the forge to resolve dependencies. This may be fixed in puppet 3.0.0 or possible 3.4.0. |
|
@ekohl I think he was referring to the test run failure which is because it didn't install sdodson/secretbox |
|
I've tested building and installing with everything up through 3.7.3 and all versions call out to the Forge to get the list of dependencies rather than inspecting what's in the tarball. I'll check puppet jira after lunch for relevant issues. |
|
Ok, my testing was bad the first time around. Using puppet 3.6.0 I can build and install from a tarball that has dependencies that aren't in the latest version published to forge. https://tickets.puppetlabs.com/browse/PUP-1130 deals with this and I'm not sure all the other issues folks have run into in that ticket are resolved, but at least the one we're facing seems to be. |
|
Definitely going to need to build a new ami for origin... @sdodson if you hit me up on Monday I can walk you through it. |
Secretbox is a function that generates a random password on first call and then retrieves those values for subsequent calls. This works in both master and masterless environments. See: https://forge.puppetlabs.com/sdodson/secretbox
sdodson
force-pushed
the
use_secretbox
branch
from
6b65fb1 to
3fb5fac
Compare
|
Evaluated for origin up to 3fb5fac |
Secretbox is a function that generates a random password on first call
and then retrieves those values for subsequent calls. This works in
both master and masterless environments.
See: https://forge.puppetlabs.com/sdodson/secretbox