
(PE-36269) ensure CRLs are regenerated when nearing expiration #2788

Merged

Conversation

jonathannewman
Contributor

@jonathannewman jonathannewman commented Nov 14, 2023

In the first commit:

This alters the analytics service to explicitly stop the jobs it is running when shutting down. It also adds some simple logging to the startup / shutdown process.

Additionally, an unused dependency in the master_service was removed.

In the second commit:

This adds a new behavior where once a day, puppetserver will check to see if the CRLs, both the main CRL and, if enabled, the infra-CRL, are nearing expiration. If one is, the list of expired serial numbers is collected from the inventory file and used to prune the CRL list.

The CRL is then regenerated with the (potentially) smaller set of serials.

If the CRLs are not nearing expiration, nothing is done.

Tests are added to demonstrate the CRL behaviors added.

Resolves #2789

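The daily check the description above lays out, as an added example that is not part of this PR or of Puppet Server's own (Clojure) code: it parses a constructed inventory.txt, drops the serials of certificates that have already expired, and reissues the CRL only when its nextUpdate falls inside a regeneration window. The inventory line layout (hex serial, not-before, not-after, subject DN), the 30-day window, the 365-day validity of the regenerated CRL and the fixed "now" are assumptions made for the example; the PR does not state its thresholds.

```python
"""Added illustration (not puppetserver's own code) of the once-a-day CRL check
described in the PR, using a constructed inventory file and an in-memory CRL."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of a Puppet CA inventory.txt. Assumed layout:
# "<hex serial> <not-before> <not-after> <subject DN>", timestamps in UTC.
INVENTORY = """\
0x0001 2022-11-01T00:00:00UTC 2023-11-01T00:00:00UTC /CN=old-agent.example.com
0x0002 2023-06-01T00:00:00UTC 2028-06-01T00:00:00UTC /CN=live-agent.example.com
0x0003 2020-01-15T12:30:00UTC 2021-01-15T12:30:00UTC /CN=retired.example.com
"""
TS_FMT = "%Y-%m-%dT%H:%M:%SUTC"

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Assumed policy knobs (the PR does not state its thresholds).
NEARING_WINDOW = timedelta(days=30)   # regenerate when nextUpdate is this close
NEW_VALIDITY = timedelta(days=365)    # nextUpdate of a regenerated CRL


@dataclass
class Crl:
    """Minimal stand-in for an X.509 CRL: revoked serials plus nextUpdate."""
    revoked: set
    next_update: datetime


def parse_inventory(text):
    """Map each serial in the inventory to its certificate's not-after time."""
    not_after = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        serial_hex, _before, after, _subject = line.split(None, 3)
        not_after[int(serial_hex, 16)] = datetime.strptime(after, TS_FMT).replace(tzinfo=timezone.utc)
    return not_after


def expired_serials(inventory, now):
    """Serials whose certificate validity period has already ended."""
    return {serial for serial, after in inventory.items() if after < now}


def maybe_regenerate(crl, inventory_text, now):
    """The daily job: return (crl, regenerated).

    If nextUpdate is comfortably in the future, nothing is done. Otherwise the
    serials of expired certificates are dropped (an expired certificate can no
    longer be used, so listing it adds nothing) and the CRL is reissued.
    Serials absent from the inventory are kept: without a not-after we cannot
    show that the certificate has expired.
    """
    if crl.next_update - now > NEARING_WINDOW:
        return crl, False
    expired = expired_serials(parse_inventory(inventory_text), now)
    return Crl(revoked=crl.revoked - expired, next_update=now + NEW_VALIDITY), True


def demo_nearing():
    """CRL 10 days from nextUpdate: pruned and regenerated."""
    crl = Crl(revoked={0x1, 0x2, 0x3, 0x4}, next_update=NOW + timedelta(days=10))
    new_crl, regenerated = maybe_regenerate(crl, INVENTORY, NOW)
    return sorted(new_crl.revoked), regenerated, (new_crl.next_update - NOW).days


def demo_fresh():
    """CRL 90 days from nextUpdate: left untouched."""
    crl = Crl(revoked={0x1, 0x3}, next_update=NOW + timedelta(days=90))
    new_crl, regenerated = maybe_regenerate(crl, INVENTORY, NOW)
    return sorted(new_crl.revoked), regenerated


if __name__ == "__main__":
    print("nearing:", demo_nearing())
    print("fresh:  ", demo_fresh())
```

Pruning is safe because RFC 5280 (section 3.3) lets a CA drop a CRL entry once the certificate it names has passed its validity period, asking only that the entry still appear on one regularly scheduled CRL issued after that point; the check that matters operationally is that an unknown serial (one missing from the inventory) is never pruned, since nothing proves it has expired.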
@jonathannewman jonathannewman changed the title (maint) ensure started scheduled jobs are explicitly stopped (PE-36269) ensure CRLs are regenerated when nearing expiration Nov 14, 2023
@jonathannewman jonathannewman marked this pull request as ready for review November 14, 2023 23:44
@jonathannewman jonathannewman requested a review from a team as a code owner November 14, 2023 23:44
Contributor

@steveax steveax left a comment


👍

@justinstoller justinstoller merged commit d47d8b0 into puppetlabs:main Nov 15, 2023
11 checks passed
@jonathannewman jonathannewman deleted the PE-36269/main/regen-crls branch November 15, 2023 20:06
@kenyon

kenyon commented Mar 20, 2024

I guess this is in 2023.6.0, but it's not in the release notes. Would be good to get it added. Thanks! https://www.puppet.com/docs/pe/2023.6/release_notes_pe#release_notes_pe_x-6

@jonathannewman
Contributor Author

@kenyon Thanks! We will get it added to the release notes.

Development

Successfully merging this pull request may close these issues.

Puppet Server does not update CRLs that are close to expiring
4 participants