This repository was archived by the owner on Aug 29, 2018. It is now read-only.

Use secretbox to store randomly generated passwords#354

Open
sdodson wants to merge 1 commit into openshift:master from sdodson:use_secretbox

sdodson commented Nov 19, 2014

Secretbox is a function that generates a random password on first call
and then retrieves those values for subsequent calls. This works in
both master and masterless environments.

See: https://forge.puppetlabs.com/sdodson/secretbox

sdodson commented Nov 19, 2014

This should prevent activemq and broker from being restarted on each puppet run if someone doesn't specify passwords for these randomly generated passwords. Users should still set common values in multihost environments.

ekohl commented Nov 20, 2014

ekohl commented Nov 20, 2014

In case it's unclear, 👍 from me.

sdodson commented Nov 20, 2014

Hmm, perhaps we should petition puppetlabs to add that to stdlib, that function seems really useful and more general than secretbox.

ekohl commented Nov 20, 2014

@sdodson I did talk about that with other foreman devs but since it stores data on the puppet master it's not compatible with a puppet multi master solution. I do agree such a function would be very good to have in stdlib.

sdodson force-pushed the use_secretbox branch 2 times, most recently from ca78da0 to 6b65fb1 on November 24, 2014 15:25

sdodson commented Nov 24, 2014

[test] then we'll merge

@openshift-bot

Origin Test Results: FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests/3166/)

detiber commented Nov 24, 2014

Is this the same issue you were seeing previously where it was pulling the module info from puppet forge instead of the Modulefile and/or metadata.json?

I have a PR outstanding to update the vagrant-openshift plugin (openshift/vagrant-openshift#171) to use the latest puppet from puppetlabs instead of using the one from epel, so maybe that would resolve this issue as well.

ekohl commented Nov 24, 2014

@detiber no, as far as I understand it this will make the module (more) usable on continuous puppet runs. Currently every puppet run will change the password to a new random string. By storing the result any subsequent run will use the same random password, if that makes sense.
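
The generate-once-then-reuse behaviour described in the comment above, as an added Ruby sketch that is not part of this thread and is not the secretbox module's code. `stored_secret`, the store directory and the secret names are hypothetical and constructed for illustration.

```ruby
require 'securerandom'
require 'fileutils'
require 'tmpdir'

# Hypothetical helper (not secretbox's implementation): return the secret
# stored under +name+ in +store_dir+, generating it on the first call only.
def stored_secret(store_dir, name, length = 32)
  # Refuse names that could escape the store directory ("..", "a/b", ...).
  unless name =~ /\A[A-Za-z0-9_.-]+\z/ && name !~ /\A\.+\z/
    raise ArgumentError, "bad secret name: #{name.inspect}"
  end

  FileUtils.mkdir_p(store_dir, mode: 0o700)
  path = File.join(store_dir, name)
  begin
    # CREAT|EXCL makes creation atomic, so only one caller ever writes the
    # value; 0600 keeps the file unreadable to other local users.
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
      f.write(SecureRandom.alphanumeric(length))
    end
  rescue Errno::EEXIST
    # An earlier run already generated it; fall through and read it back.
  end

  value = File.read(path)
  # A concurrent first run may have created the file but not written yet.
  raise "empty secret file: #{path}" if value.empty?
  value
end

# Simulates repeated runs against a throwaway store with constructed names.
def demo
  Dir.mktmpdir do |dir|
    first  = stored_secret(dir, 'activemq_admin_password')
    second = stored_secret(dir, 'activemq_admin_password')
    other  = stored_secret(dir, 'broker_auth_salt')
    mode   = File.stat(File.join(dir, 'activemq_admin_password')).mode & 0o777
    { stable: first == second, distinct: first != other,
      mode: mode, length: first.length }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Because the value lives in a file on the host that generated it, two hosts each produce their own secret, which is why the thread recommends setting common values explicitly in multihost environments.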

sdodson commented Nov 24, 2014

@detiber Yeah looks like installing a local module on puppet 2.7.5 goes to the forge to resolve dependencies. This may be fixed in puppet 3.0.0 or possibly 3.4.0.

sdodson commented Nov 24, 2014

@ekohl I think he was referring to the test run failure which is because it didn't install sdodson/secretbox

```
Preparing to uninstall 'openshift-openshift_origin' ...
Error: Could not uninstall module 'openshift-openshift_origin'
  Module 'openshift-openshift_origin' is not installed
Preparing to install into /etc/puppet/modules ...
Downloading from http://forge.puppetlabs.com ...
Installing -- do not interrupt ...
/etc/puppet/modules
└─┬ openshift-openshift_origin (v4.1.1)
  ├─┬ arioch-keepalived (v1.0.2)
  │ └── puppetlabs-concat (v1.1.2)
  ├── blentz-selinux_types (v0.1.0)
  ├── duritong-sysctl (v0.0.4)
  ├── puppetlabs-haproxy (v1.1.0)
  ├── puppetlabs-ntp (v3.3.0)
  ├── puppetlabs-stdlib (v4.4.0)
  └── rharrison-lokkit (v0.5.0)
Applying openshift puppet recipe
info: Loading facts in /etc/puppet/modules/concat/lib/facter/concat_basedir.rb
info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/pe_version.rb
info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/puppet_vardir.rb
info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/root_home.rb
info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/facter_dot_d.rb
Unknown function secretbox at /etc/puppet/modules/openshift_origin/manifests/init.pp:818 on node openshift.ec2.internal
```

sdodson commented Nov 24, 2014

I've tested building and installing with everything up through 3.7.3 and all versions call out to the Forge to get the list of dependencies rather than inspecting what's in the tarball. I'll check puppet jira after lunch for relevant issues.

sdodson commented Nov 24, 2014

Ok, my testing was bad the first time around. Using puppet 3.6.0 I can build and install from a tarball that has dependencies that aren't in the latest version published to forge.

https://tickets.puppetlabs.com/browse/PUP-1130 deals with this and I'm not sure all the other issues folks have run into in that ticket are resolved, but at least the one we're facing seems to be.

detiber commented Nov 27, 2014

Definitely going to need to build a new ami for origin... @sdodson if you hit me up on Monday I can walk you through it.

@openshift-bot

Evaluated for origin up to 3fb5fac
