katello icon indicating copy to clipboard operation
katello copied to clipboard

Published 20 hours ago verified publisher icon Katello

Fixes #30368 - Make Candlepin CA file optional

Open ekohl opened this issue 4 years ago • 11 comments

This change makes the Candlepin CA file optional by falling back to the Foreman CA file. The result is a reduced configuration in most deployments.

For Pulp the certificate is now read in the same way as Candlepin. Previously it partly relied on the CA being in the global allowed CA. This may be an issue in some cases, but in the default deployment it isn't. Following the general SSL config makes the configuration more predictable for users. It can also be easier in a containerized setup or on a system where the admin is not allowed to modify the system CA certificates. The example config is now also consistent with reality.

The verify_ssl option is dropped from the ping model. This isn't respected elsewhere and it's misleading to have a valid ping only to have it fail at runtime.

ekohl avatar Jul 10 '20 18:07 ekohl

Issues: #30368

theforeman-bot avatar Jul 10 '20 19:07 theforeman-bot

Related, and based on some discussion with @jlsherrill , today Pulp communication relies on the the CA being trusted by the system (the whole use of trusted_ca module in the installer) and we should switch to doing this explicitly -- https://github.com/Katello/katello/blob/68ff922e84b66df05f2b7c767c0cd8f2a7328611/app/models/katello/concerns/smart_proxy_extensions.rb#L119

ehelms avatar Jul 10 '20 19:07 ehelms

I took a stab at this. In doing so, I found 2 settings that were removed but still had references to them. It then also unifies the certificate handling in the certs service. There are a few more changes, documented in the commit message. Please read it and let me hear your thoughts.

ekohl avatar Nov 19 '20 15:11 ekohl

[test katello]

jturel avatar Mar 08 '21 20:03 jturel

One test failure seems relevant

test_verify_ueber_cert_no_change – Katello::CertsTest

jturel avatar Mar 09 '21 18:03 jturel

Rebased to resolve merge conflict and to get recent tests. I've also split of unrelated work to https://github.com/Katello/katello/pull/9268 since it doesn't impact this PR.

ekohl avatar Apr 07 '21 12:04 ekohl

Haven't tested yet but the test failure definitely seems related

jturel avatar Apr 14 '21 14:04 jturel

Given stabilization is coming soon and my lack of time, I'm afraid we'll have to push this to the next Katello release.

ekohl avatar Apr 20 '21 19:04 ekohl

@ekohl is this PR still valid ? Rebase if so

parthaa avatar Jun 24 '22 19:06 parthaa

@ekohl, this pull request is currently not mergeable. Please rebase against the master branch and push again.

If you have a remote called 'upstream' that points to this repository, you can do this by running:

    $ git pull --rebase upstream master

This message was auto-generated by Foreman's prprocessor

theforeman-bot avatar Jun 24 '22 19:06 theforeman-bot

I've tried to rebase it, but I'm a bit unclear about the current Pulp 2 vs Pulp 3 status. I still see traces of Runcible, but isn't that Pulp 2-only?

I now think this unifies everything. It does mean the system store isn't really used anymore (unless you don't configure anything I think), but that's probably a good thing.

Perhaps @ehelms and @evgeni could also think about what kind of behavior we would prefer to have from a platform point of view.

ekohl avatar Jun 27 '22 11:06 ekohl