Defined ca_file must exist or Puppet runs fail #144

Open
benjamin-robertson opened this issue Mar 7, 2022 · 0 comments

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 6.25.1
  • Ruby: 2.5.9
  • Distribution: Ubuntu 20.04
  • Module version: 4.3

How to reproduce (e.g Puppet code you use)

Specify a custom CA file for an internal CA which does not exist (maybe Puppet hasn't created it yet).

gitlab_ci_runner::ca_file: "/etc/ssl/certs/mycoolca.pem"

This error will also be seen if the GitLab instance is running an untrusted CA.

What are you seeing

The following error is displayed. This is confusing to users and does not allow the Puppet run to continue as the deferred function failing stops the entire run.

root@ip-172-31-5-231:/home/ubuntu# puppet agent -t
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Error: Failed to apply catalog: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
root@ip-172-31-5-231:/home/ubuntu# 

What behaviour did you expect instead

The deferred function should check to confirm if the file exists when ca_file is specified. If it does not, it should return an empty token string.

Something like this

        if ca_file != nil
          if !File.exist?(ca_file)
            return 'CA file doesn\'t exist, not creating authtoken'
          end
        end

Any additional information you'd like to impart

I haven't tested this on any other platforms but I assume it would affect them all.

We should check for the existence of the ca_file on disk in the register_to_file.rb. If it doesn't exist we should return an empty token and assume the Puppet run will configure it. Failing the entire run is not optimal as it prevents users from running Puppet.
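An added example, not part of the issue and not the module's own code: one way to implement the guard requested above. The helper names `ca_file_problem` and `token_or_empty` are hypothetical, and the sketch goes slightly beyond the report by also rejecting an unreadable or unparseable CA file and by catching the untrusted-CA verification failure. Certificate verification is never switched off; the function returns an empty token instead.

```ruby
require 'openssl'
require 'tempfile'

# Hypothetical helper: describe what is wrong with the configured CA file,
# or return nil when it is usable (nil ca_file means the system trust store).
def ca_file_problem(ca_file)
  return nil if ca_file.nil?
  return "CA file #{ca_file} does not exist" unless File.exist?(ca_file)
  return "CA file #{ca_file} is not readable" unless File.readable?(ca_file)

  # Parse the first certificate so a truncated or empty file is caught here
  # rather than surfacing later as an opaque SSL_connect error.
  OpenSSL::X509::Certificate.new(File.read(ca_file))
  nil
rescue OpenSSL::X509::CertificateError => e
  "CA file #{ca_file} is not a valid certificate: #{e.message}"
end

# Hypothetical wrapper around the registration call (passed as a block).
# Returns '' instead of raising, so a deferred function using it would not
# abort the catalog. It never falls back to unverified TLS.
def token_or_empty(ca_file, log: ->(msg) { warn(msg) })
  problem = ca_file_problem(ca_file)
  if problem
    log.call("#{problem}; returning empty auth token")
    return ''
  end
  yield
rescue OpenSSL::SSL::SSLError => e
  # The untrusted-CA case from the report ends up here.
  log.call("TLS verification failed (#{e.message}); returning empty auth token")
  ''
end

if __FILE__ == $PROGRAM_NAME
  # Constructed path that does not exist, mirroring the report.
  p token_or_empty('/nonexistent/mycoolca.pem') { 'not reached' } # => ""
end
```

Logging the reason matters here: an empty token with no message would hide a misconfigured trust anchor until someone notices the runner never registered.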
