Skip to content

Fixes #30368 - Make Candlepin CA file optional#8832

Merged
ehelms merged 3 commits into
Katello:masterfrom
ekohl:candlepin-use-ca-file
Oct 28, 2024
Merged

Fixes #30368 - Make Candlepin CA file optional#8832
ehelms merged 3 commits into
Katello:masterfrom
ekohl:candlepin-use-ca-file

Conversation

@ekohl

@ekohl ekohl commented Jul 10, 2020

Copy link
Copy Markdown
Member

This change makes the Candlepin CA file optional by falling back to the Foreman CA file. The result is a reduced configuration in most deployments.

For Pulp the certificate is now read in the same way as Candlepin. Previously it partly relied on the CA being in the global allowed CA. This may be an issue in some cases, but in the default deployment it isn't. Following the general SSL config makes the configuration more predictable for users. It can also be easier in a containerized setup or on a system where the admin is not allowed to modify the system CA certificates. The example config is now also consistent with reality.

The verify_ssl option is dropped from the ping model. This isn't respected elsewhere and it's misleading to have a valid ping only to have it fail at runtime.

@theforeman-bot

Copy link
Copy Markdown

Issues: #30368

@ehelms

ehelms commented Jul 10, 2020

Copy link
Copy Markdown
Member

Related, and based on some discussion with @jlsherrill , today Pulp communication relies on the the CA being trusted by the system (the whole use of trusted_ca module in the installer) and we should switch to doing this explicitly --

def pulp3_configuration(config_class)

@ekohl

ekohl commented Nov 19, 2020

Copy link
Copy Markdown
Member Author

I took a stab at this. In doing so, I found 2 settings that were removed but still had references to them. It then also unifies the certificate handling in the certs service. There are a few more changes, documented in the commit message. Please read it and let me hear your thoughts.

Comment thread app/lib/katello/resources/registry.rb Outdated
Comment thread app/services/cert/certs.rb Outdated
Base automatically changed from master to main January 28, 2021 17:16
Base automatically changed from main to master January 29, 2021 03:46
@jturel

jturel commented Mar 8, 2021

Copy link
Copy Markdown
Member

[test katello]

@jturel jturel self-assigned this Mar 8, 2021
Comment thread app/models/katello/ping.rb Outdated
@jturel

jturel commented Mar 9, 2021

Copy link
Copy Markdown
Member

One test failure seems relevant

test_verify_ueber_cert_no_change – Katello::CertsTest

@ekohl

ekohl commented Apr 7, 2021

Copy link
Copy Markdown
Member Author

Rebased to resolve merge conflict and to get recent tests. I've also split of unrelated work to #9268 since it doesn't impact this PR.

@jturel

jturel commented Apr 14, 2021

Copy link
Copy Markdown
Member

Haven't tested yet but the test failure definitely seems related

@ekohl

ekohl commented Apr 20, 2021

Copy link
Copy Markdown
Member Author

Given stabilization is coming soon and my lack of time, I'm afraid we'll have to push this to the next Katello release.

@parthaa

parthaa commented Jun 24, 2022

Copy link
Copy Markdown
Contributor

@ekohl is this PR still valid ? Rebase if so

@theforeman-bot

Copy link
Copy Markdown

@ekohl, this pull request is currently not mergeable. Please rebase against the master branch and push again.

If you have a remote called 'upstream' that points to this repository, you can do this by running:

    $ git pull --rebase upstream master

This message was auto-generated by Foreman's prprocessor

@ekohl

ekohl commented Jun 27, 2022

Copy link
Copy Markdown
Member Author

I've tried to rebase it, but I'm a bit unclear about the current Pulp 2 vs Pulp 3 status. I still see traces of Runcible, but isn't that Pulp 2-only?

I now think this unifies everything. It does mean the system store isn't really used anymore (unless you don't configure anything I think), but that's probably a good thing.

Perhaps @ehelms and @evgeni could also think about what kind of behavior we would prefer to have from a platform point of view.

Rather than using the default value, this uses the actual value that was
passed in.

Fixes: d6adef8 ("Fixes #34070 - fix container registry with azure plugin")
@ekohl
ekohl force-pushed the candlepin-use-ca-file branch from 48289b6 to b97646c Compare October 25, 2024 12:55
@ekohl

ekohl commented Oct 25, 2024

Copy link
Copy Markdown
Member Author

Inspired by #11190 I rebased this, but I haven't verified it myself.

@evgeni does this resolve the issue you're seeing or does it burn down?

@ekohl
ekohl force-pushed the candlepin-use-ca-file branch from b97646c to daa57eb Compare October 25, 2024 16:14
Comment thread app/lib/katello/http_resource.rb Outdated

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I now see there already is ca_cert_file for this. I don't know what other classes can be passes into pulp3_ssl_configuration so I'm looking for guidance here.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I included a commit to rename it for consistency with other tools and naming for the other ssl_ attrs.

This is more consistent with other classes.
@ekohl
ekohl force-pushed the candlepin-use-ca-file branch from daa57eb to 9213056 Compare October 27, 2024 18:50
This change makes the Candlepin CA file optional by falling back to the
Foreman CA file. The result is a reduced configuration in most
deployments.

For Pulp the certificate is now read in the same way as Candlepin.
Previously it partly relied on the CA being in the global allowed CA.
This may be an issue in some cases, but in the default deployment it
isn't. Following the general SSL config makes the configuration more
predictable for users. It can also be easier in a containerized setup or
on a system where the admin is not allowed to modify the system CA
certificates. The example config is now also consistent with reality.

The verify_ssl option is dropped from the ping model. This isn't
respected elsewhere and it's misleading to have a valid ping only to
have it fail at runtime.
@ekohl
ekohl force-pushed the candlepin-use-ca-file branch from 9213056 to 92b2ded Compare October 28, 2024 11:14
# refers to the apache certificate
# (typically /etc/pki/tls/certs/localhost.crt) location that is needed
# to connect to pulp over https.
# Optional CA file to user to verify HTTPS connections to Candlepin. If not

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Optional CA file to user to verify HTTPS connections to Candlepin. If not
# Optional CA file to user to verify HTTPS connections to Pulp. If not

@ehelms ehelms left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean re-factoring that helps set up future simplifications.

@ehelms
ehelms merged commit ade73b4 into Katello:master Oct 28, 2024
@ekohl
ekohl deleted the candlepin-use-ca-file branch October 28, 2024 16:29
@ekohl

ekohl commented Oct 28, 2024

Copy link
Copy Markdown
Member Author

I had hoped @evgeni could test if this resolves his issue in containers before merging.

@ehelms

ehelms commented Oct 28, 2024

Copy link
Copy Markdown
Member

I had hoped @evgeni could test if this resolves his issue in containers before merging.

I liked the change from a re-factoring stand point. If this doesn't solve his issue, then we can iterate on solving that.

@evgeni

evgeni commented Oct 29, 2024

Copy link
Copy Markdown
Member

theforeman/foremanctl#43 is not failing on SSL errors anymore, so it certainly helped :)

@ekohl

ekohl commented Oct 29, 2024

Copy link
Copy Markdown
Member Author

By looking at puppet-katello I realized I forgot something because of the very long duration of the PR.

While we can remove this line for candlepin, we can't remove this line for candlepin_events.

We can actually simplify that all the way to default to the same client cert credentials that Foreman already uses and make the whole block optional.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants