
Move SSL certificates from puppet - puppet-users
Closed, Resolved (Public)

Description

Discussed on IRC: certs are taking too much time to be done, as current ops are busy.

The whole cert system would need to be moved from the puppet repo to another repo. As well, puppet1 would need to be restricted to just editing certs.

I could take the role of "puppet-admin"/ "cert-admin" and therefore facilitate and expedite cert enabling.

Event Timeline

Thanks to @John, I've done all the "public" repository work, as you can see at https://github.com/miraheze/ssl and https://github.com/miraheze/puppet/pull/451 + https://github.com/miraheze/puppet/pull/452

Now the rest is up to @NDKilla
<JohnLewis> he [NDKilla] has to make a brand new private repo, store it somewhere, have a live version in /etc/puppet/
<JohnLewis> he'd [NDKilla] need to put the git cloned repo in /home/ probably or somewhere else since /etc/puppet should be off limits
<JohnLewis> you [Reception123] shouldn't have the ability to do anything in /etc/puppet

+ puppet-admins implies sudo, so puppet-users or so would be the name of any group.

Reception123 renamed this task from Move SSL certificates from puppet - puppet-admins to Move SSL certificates from puppet - puppet-users.Jun 18 2017, 17:49

Can you explain how giving you an account on puppet1 without any sudo privileges allows you to add private keys?

(show the exact steps that can be performed without sudo)

Unfortunately I'm not sure myself, but according to @John it is possible to restrict access to only that, so he should probably explain the exact process.
<JohnLewis> No, still have to be puppet1 but you can lock it down a lot

@Southparkfan According to @John, this depends on how the git repo is set up.
"make this new repo, then give privileges for that repo"
The exact steps would be the normal git steps: git add ., git commit and git push

<JohnLewis> if it's on a repo you can edit. If not, you need to be able to sudo git as a user

Things have been moved to the new directories, only we have encountered some issues along the way.

A blocker is me not being able to actually access any private keys from mw1, as that is limited to root since it's in root/acme-tiny.

There are two possible solutions: either to make the private key be output when the cert is being generated, or to confirm the process at T1923, and with root I'll be able to copy the key directly from there.

Second issue is operations only: T1949

Update on the situation: Outputting certs on mw1 now works, but the new issue is that puppet on puppet1 is failing, and therefore any changes made to the puppet repo are not being pulled correctly, and pushing changes from /home/puppet-users/ssl-keys to /etc/puppet/ssl-keys is also not working.
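The access model discussed in this task (a group-shared repo under /home that puppet-users members push to with plain git add/commit/push and no sudo, and a root-only live copy under /etc/puppet that is updated from it) can be sketched as follows. This is an added example, not Miraheze's own setup or code from this task: it runs entirely inside a temporary sandbox, the group name comes from `id -gn` instead of a real puppet-users group, the paths only stand in for /home/puppet-users/ssl-keys and /etc/puppet/ssl-keys, the "deploy" step is a plain clone/pull done by whoever owns the live copy, and the key file is a constructed placeholder. One caveat the example makes visible: git tracks only the executable bit, so a checkout on the live side comes out with umask permissions and key files have to be put back to 0600 after every pull.

```shell
#!/bin/sh
# Added example, not Miraheze's code: a group-shared git repo that members of a
# puppet-users group can push to without sudo, a root-only live clone standing in
# for /etc/puppet/ssl-keys, and a fix-up of key file modes after checkout.
# Everything lives under a temporary sandbox; the group name, the paths and the
# deploy step are assumptions for this demonstration, not the task's real setup.
set -eu

SANDBOX="$(mktemp -d)"
GROUP="$(id -gn)"                                # would be puppet-users on puppet1 (assumption)
BARE="$SANDBOX/home/puppet-users/ssl-keys.git"   # shared repo the group pushes to
WORK="$SANDBOX/home/puppet-users/clone"          # one member's working copy
LIVE="$SANDBOX/etc/puppet/ssl-keys"              # stand-in for the live /etc/puppet/ssl-keys

# First 10 characters of `ls -l`, e.g. "drwxrwsr-x"; portable across GNU and BSD.
mode_string() { ls -ld "$1" | cut -c1-10; }

# Shared bare repo: group-writable and setgid, so objects pushed by any member
# keep the group and stay writable for the others. No sudo is needed to use it.
setup_shared_repo() {
    mkdir -p "$(dirname "$BARE")"
    git init -q --bare --shared=group "$BARE"
    chgrp -R "$GROUP" "$BARE"
    chmod -R g+rwX "$BARE"
    find "$BARE" -type d -exec chmod g+s {} +
    git -C "$BARE" symbolic-ref HEAD refs/heads/master
}

# What a puppet-users member does, with no sudo: clone, add, commit, push.
member_commits_key() {
    git clone -q "$BARE" "$WORK" 2>/dev/null
    (
        cd "$WORK"
        git config user.name "puppet-user"
        git config user.email "puppet-user@example.invalid"
        umask 077                                  # 0600 in the working copy
        printf 'CONSTRUCTED PLACEHOLDER, NOT A REAL KEY\n' > example.key
        git add example.key
        git commit -q -m "Add example.key"
        git push -q origin HEAD:refs/heads/master
    )
}

# The root-only side (assumption): /etc/puppet is not group-writable, the live
# copy is refreshed by clone/pull, and key modes are restored because git only
# records the executable bit and a fresh checkout gets umask permissions.
deploy_live() {
    mkdir -p "$(dirname "$LIVE")"
    chmod 755 "$(dirname "$LIVE")"
    if [ -d "$LIVE/.git" ]; then
        git -C "$LIVE" pull -q
    else
        git clone -q "$BARE" "$LIVE"
    fi
    find "$LIVE" -name '*.key' -exec chmod 600 {} +
}

run_demo() {
    setup_shared_repo
    member_commits_key
    deploy_live
}

run_demo
```

After `run_demo` the shared repo directory reads as group-writable and setgid, the sandbox /etc/puppet is not group-writable, and the key in the live copy is back to 0600 regardless of the umask the checkout ran under; dropping the final `find ... chmod 600` is the easy way to end up with a world-readable private key on the live side.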

Everything works as expected now.