
Conversation

@jlsherrill
Contributor

No description provided.

@jlsherrill
Contributor Author

I'll write a test for this, but wanted to get some initial impressions

@jlsherrill jlsherrill force-pushed the 33733 branch 2 times, most recently from 3bae9d6 to ff245a8 on October 20, 2021 15:49
@jlsherrill
Contributor Author

Not sure if there's more to test here, but I added a test.

Co-authored-by: Ewoud Kohl van Wijngaarden <[email protected]>
@jlsherrill
Contributor Author

🟢 I don't have merge access.

@ehelms ehelms merged commit 3c02ad4 into theforeman:master Oct 20, 2021
@wbclark
Collaborator

wbclark commented Oct 20, 2021

I previously took a stab at this with #205, using a puppet function to wrap Ruby's SecureRandom.urlsafe_base64(32) rather than relying on an exec and openssl. Longer term, if we want to avoid the exec, that idea may be worth revisiting.

@wbclark
Collaborator

wbclark commented Oct 20, 2021

Does the file resource require show_diff => false? Since it manages only attributes other than the file contents.

Is the key visible in puppet logs when the exec resource is evaluated?

@ehelms
Member

ehelms commented Oct 20, 2021

> Does the file resource require show_diff => false? Since it manages only attributes other than the file contents.
>
> Is the key visible in puppet logs when the exec resource is evaluated?

Good question. If I look at the test output:

  Notice: /Stage[main]/Pulpcore::Config/Exec[Create database symmetric key]/returns: executed successfully
  Notice: /Stage[main]/Pulpcore::Config/Exec[Create database symmetric key]: Triggered 'refresh' from 1 event
  Notice: /Stage[main]/Pulpcore::Config/File[/etc/pulp/certs/database_fields.symmetric.key]/group: group changed 'root' to 'pulp'
  Notice: /Stage[main]/Pulpcore::Config/File[/etc/pulp/certs/database_fields.symmetric.key]/mode: mode changed '0644' to '0640'

@jlsherrill
Contributor Author

Sorry @wbclark, didn't realize you had been working on this!

@ekohl
Member

ekohl commented Oct 20, 2021

> Notice: /Stage[main]/Pulpcore::Config/File[/etc/pulp/certs/database_fields.symmetric.key]/mode: mode changed '0644' to '0640'

This does bring a good point. We should set umask on exec so there isn't a short window where it is world readable.
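
An added illustration (not the module's own manifest) of the pattern discussed in this thread: a umask on the exec so the key file is never created world readable, and the ownership/mode and show_diff => false handled by the file resource. The path, resource title, group and final mode are taken from the log output above; the openssl invocation, the use of creates, the owner and the path list are assumptions.

```puppet
# Illustration only; assumes the key is produced with `openssl rand` (the
# thread only says the exec relies on openssl).
$key_file = '/etc/pulp/certs/database_fields.symmetric.key'

# Without umask the key inherits the process default (typically 022), so it
# exists as 0644 until the file resource below tightens it. With umask 077
# the file is created 0600 and the world-readable window never opens.
exec { 'Create database symmetric key':
  command => "openssl rand -base64 -out ${key_file} 32",
  creates => $key_file,      # assumed: run only while the key is absent
  umask   => '077',          # no group/world bits at creation time
  path    => ['/usr/bin', '/bin'],
}

# Manages ownership and mode only, never the content, so Puppet has nothing
# to diff. show_diff => false is defensive: it keeps the secret out of
# reports and logs should the content ever be managed here later.
file { $key_file:
  ensure    => file,
  owner     => 'root',       # assumed; the log only shows the group change
  group     => 'pulp',
  mode      => '0640',
  show_diff => false,
  require   => Exec['Create database symmetric key'],
}
```

With this ordering the notices would read mode changed '0600' to '0640' rather than from '0644', which is the observable check that the window is gone.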

@ehelms ehelms added the Enhancement New feature or request label Oct 24, 2021