Hi, fellow devs,
TLDR: Autosign needs re-work. If we follow the RFC approach, we will potentially lose some features. I’d like to get an opinion on that.
A while ago Shimon opened an RFC to rework the way we currently handle PuppetCA in core.
PuppetCA is required to issue certificates for hosts so they can get a puppet catalog and do a puppet run. Right now, we just write the hostname in a file via the PuppetCA smart proxy to allow PuppetCA to issue a certificate for that host. After the host leaves the build state, we remove that entry. To limit the time window in which autosigning is possible, we only create the autosign entry in the unattended controller when a host retrieves the provisioning template.
While this generally works well, we have had a lot of hard to debug problems with this approach.
Hosts don’t get their provisioning template when a call to the PuppetCA smart proxy fails. Some calls are very slow if you rebuild a host a couple of times.
We often see that hosts don’t get a valid certificate and don’t install correctly. This is incredibly hard to debug. And the user doesn’t get notified about this.
As most of you know, our development schedule is mostly pain-driven. So I decided to implement the RFC.
The basic idea is to have PuppetCA do a callback to Foreman. Foreman receives the full CSR and can decide whether the host is allowed to install. When a host enters build mode, a one-time token is generated and placed on the host during provisioning. When the host requests a certificate, the token is incorporated into the CSR, and Foreman can verify it and then invalidate it. This greatly improves security and is no longer coupled to template rendering. Please see the RFC for more details.
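To make the token flow concrete, here is an added Ruby sketch of both sides of that exchange; it is illustrative code written for this post, not code from the RFC or from Foreman. It assumes a hypothetical `AutosignTokens` store standing in for Foreman's host record and that the token travels in the CSR's standard PKCS#9 `challengePassword` attribute; the callback checks that the CSR is self-signed consistently, that its CN is a host in build mode, and that the token matches, is unexpired and has not been used before.

```ruby
require 'openssl'
require 'securerandom'
# Hypothetical token store standing in for Foreman's host record (an assumption,
# not Foreman's code); it keeps only a SHA-256 digest of each issued token.
class AutosignTokens
  def initialize(ttl: 3600, clock: -> { Time.now })
    @tokens = {} # hostname => { digest:, expires_at: }
    @ttl = ttl
    @clock = clock
  end
  # Host enters build mode: mint the one-time token that provisioning places on it.
  def issue(hostname)
    token = SecureRandom.hex(32)
    @tokens[hostname] = { digest: digest(token), expires_at: @clock.call + @ttl }
    token
  end
  # PuppetCA callback: accept only a CSR whose CN is a host in build mode and which
  # carries that host's unexpired, not-yet-used token; invalidate it on success.
  def verify_csr(csr_pem)
    csr = OpenSSL::X509::Request.new(csr_pem)
    return false unless csr.verify(csr.public_key)
    hostname = csr.subject.to_a.find { |name, _, _| name == 'CN' }&.at(1)
    token = challenge_password(csr)
    entry = @tokens[hostname]
    return false unless hostname && token && entry
    return false if entry[:expires_at] < @clock.call
    return false unless secure_equal?(entry[:digest], digest(token))
    @tokens.delete(hostname) # one-time use: a replayed CSR is rejected
    true
  end
  def digest(token)
    OpenSSL::Digest::SHA256.digest(token)
  end
  # Assumes the token travels in the PKCS#9 challengePassword attribute of the CSR.
  def challenge_password(csr)
    attr = csr.attributes.find { |a| a.oid == 'challengePassword' }
    attr&.value&.value&.first&.value
  end
  # Constant-time comparison so response timing does not leak the stored digest.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
# Constructed client side: the CSR a provisioned host would send to PuppetCA.
def build_csr(hostname, token, key = OpenSSL::PKey::RSA.new(2048))
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', hostname]])
  csr.public_key = key.public_key
  csr.add_attribute(OpenSSL::X509::Attribute.new('challengePassword',
    OpenSSL::ASN1::Set.new([OpenSSL::ASN1::UTF8String.new(token)])))
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  csr.to_pem
end
```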
This approach is generally very good in my opinion, but it has some drawbacks we should be aware of.
We’d have to remove the “list autosign entries” feature on the smart proxies page. We could replace it with a new page that lists all hosts that are allowed to autosign. In my opinion, this would greatly improve the user experience. For better visibility, we’d also like to contribute a feature that tracks failed/rejected autosign attempts at a later point (maybe via a UI notification, not sure yet).
We’d have to remove the “add autosign entry” feature on the smart proxies page. This means that a user cannot add a new host to Foreman via fact upload and use naive autosigning. The certificate would have to be signed manually (that should still be possible) on the PuppetCA. We could also add the ability to define custom autosign entries in Foreman. Foreman would then also accept certificate requests for hosts that don’t have a valid token but are whitelisted. But I don’t think this is required in the first place.
Any comments? Is somebody against removing the features? Can we safely proceed with this effort?