Faidon Liambotis has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/337189 )

Change subject: salt: use SHA256 master key fingerprint on newer systems
......................................................................


salt: use SHA256 master key fingerprint on newer systems

stretch's salt-minion expects master_finger to be a SHA256 fingerprint
rather than an MD5 one. While it's possible to change that with the
hash_type argument, MD5 is cryptographically obsolete and shouldn't be
relied on, so start using a SHA256 fingerprint instead.

Change-Id: Id6315e6ca37234e4bd3c4728b25d35830ef94193
---
M modules/role/manifests/salt/minions.pp
1 file changed, 7 insertions(+), 1 deletion(-)

Approvals:
  Faidon Liambotis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/role/manifests/salt/minions.pp 
b/modules/role/manifests/salt/minions.pp
index 01d490c..f517428 100644
--- a/modules/role/manifests/salt/minions.pp
+++ b/modules/role/manifests/salt/minions.pp
@@ -15,7 +15,13 @@
         }
     } else {
         $master = 'neodymium.eqiad.wmnet'
-        $master_finger = 'f6:1d:a7:1f:7e:12:10:40:75:d5:73:af:0c:be:7d:7c'
+        if os_version('debian >= stretch') {
+            # stretch's salt-minion uses SHA256 instead of MD5 by default.
+            # while it's possible to set 'hash_type: md5', this is preferrable
+            $master_finger = 
'f6:36:06:73:ca:54:55:c4:68:17:66:13:47:4b:cf:3e:32:71:7a:70:2d:69:b4:e8:3b:f0:d0:ae:d0:4b:4c:f5'
+        } else {
+            $master_finger = 'f6:1d:a7:1f:7e:12:10:40:75:d5:73:af:0c:be:7d:7c'
+        }
     }
     $client_id     = $::fqdn
 
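Review bot: the else branch keeps the MD5 value of $master_finger for every host older than stretch, so those minions still pin the master key with the hash the commit message calls cryptographically obsolete. Please add a comment on that branch saying it is transitional and should be dropped once no pre-stretch minions remain, so the MD5 pin does not outlive the migration. Two smaller points on the new branch: the comment says "this is preferrable" (typo, and it does not say why; "MD5 is obsolete" from the commit message would fit), and nothing in the diff lets a reader confirm that the 32-byte SHA256 value and the 16-byte MD5 value are fingerprints of the same key on neodymium.eqiad.wmnet, so a one-line note on how the new value was obtained would make it verifiable when the key is next rotated.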


Gerrit-MessageType: merged
Gerrit-Change-Id: Id6315e6ca37234e4bd3c4728b25d35830ef94193
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
