[BUG] x509_v2 certificate_managed is passing newline stripped data to append_certs #66464
Comments
Without knowledge about the specifics of your setup, I suspect the title does not describe the problem correctly. It should probably be

An initial reaction: It's generally recommended to dump data (especially strings that can contain newlines) by passing it through the

# ...
- append_certs:
  - {{ pillar['cacerts']['int_ca'] | json }}
  - {{ pillar['cacerts']['root_ca'] | json }}

Otherwise, the rendered YAML can become garbled/invalid (+ you might open yourself up to a template injection attack, depending on the source of the data).

Since your template seems to render fine (when I skip

and strips anything that's not in between

If the certificates in the pillar are read from a YAML file, they should be defined like:

cacerts:
  int_ca: |
    -----BEGIN CERTIFICATE-----
    MII...
    ...
    -----END CERTIFICATE-----
  root_ca: |
    -----BEGIN CERTIFICATE-----
    MII...
    ...
    -----END CERTIFICATE-----
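Added example, not part of the thread or of Salt's code: a Python sketch (requires PyYAML) of what the `| json` advice above protects against. It assumes a simplified one-key template, models Jinja substitution as plain string insertion and the `json` filter as `json.dumps`, and uses a constructed placeholder PEM; the re-indented case is an assumed scenario, not a confirmed cause of this bug.

```python
import json

import yaml  # PyYAML

# Constructed placeholder, not a real certificate.
PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"

# Simplified stand-in for the state file (assumption, not the reporter's SLS).
TEMPLATE = "append_certs:\n  - {value}\n"


def render(value):
    """Model Jinja's {{ ... }} as plain text insertion into the YAML source."""
    return TEMPLATE.format(value=value)


def load_first_cert(rendered):
    """Parse the rendered YAML and return the first append_certs entry,
    or None when the document is not parseable."""
    try:
        return yaml.safe_load(rendered)["append_certs"][0]
    except yaml.YAMLError:
        return None


def raw():
    # Unquoted value: continuation lines land at column 0 and break the YAML.
    return load_first_cert(render(PEM))


def raw_indented():
    # Unquoted but re-indented (assumed, e.g. by an indent filter): YAML reads
    # a multi-line plain scalar and folds every newline into a single space.
    return load_first_cert(render(PEM.strip().replace("\n", "\n    ")))


def quoted():
    # JSON-dumped value: a double-quoted scalar whose \n escapes survive parsing.
    return load_first_cert(render(json.dumps(PEM)))


if __name__ == "__main__":
    for name, fn in (("raw", raw), ("raw_indented", raw_indented), ("quoted", quoted)):
        print(f"{name:13} -> {fn()!r}")
```

Only the JSON-dumped form hands the consumer a string that still contains the line breaks a PEM parser needs.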
My pillar data is defined just like that, with the multiline What's weird is when I patch When I do
That's weird. Does I can attest that the previous
I'll try and get a minimum reproducible setup going for debugging. It may be related somehow to this x509.certificate_managed state being inside a macro as well.
Awesome. Yes, that's a likely culprit.
Lines 134 to 150 in cf6c1e1
If omitted, the resulting YAML should be unparsable:
Description
x509_v2 certificate_managed append_certs parameter is stripping newlines from PEM certificates.
When using the below state the minion will throw an invalid index error in salt/utils/x509.py:814 because the pems = split_pems(cert) is receiving PEM pillar data with its newlines replaced with spaces. On the master split_pems receives proper pillar data with the newlines included. But the minion seems to have newlines replaced with spaces.

For now as a workaround I've just changed the append_certs to run the pillar data into base64_encode which works.
Setup
Versions Report
Both master and minion are Arch Linux on 3007.0