Drop certs and ensure ownership of keys #351

Draft: wants to merge 1 commit into base: master
44 changes: 24 additions & 20 deletions manifests/application.pp
@@ -21,31 +21,38 @@
Boolean $use_pulp_2_for_docker = false,
Boolean $use_pulp_2_for_yum = false,
Stdlib::Absolutepath $repo_export_dir = '/var/lib/pulp/katello-export',
Stdlib::Absolutepath $pulp_client_ca_cert = '/etc/foreman-pki/certs/ca/ca.crt',
Stdlib::Absolutepath $pulp_client_cert = '/etc/foreman-pki/certs/foreman/foreman-to-pulp.crt',
Stdlib::Absolutepath $pulp_client_key = '/etc/foreman-pki/certs/foreman/foreman-to-pulp.key',
Stdlib::Absolutepath $candlepin_ca_cert = '/etc/foreman-pki/certs/ca/ca.crt',
Stdlib::Absolutepath $candlepin_events_ssl_cert = '/etc/foreman-pki/certs/foreman/foreman-to-candlepin.crt',
Stdlib::Absolutepath $candlepin_events_ssl_key = '/etc/foreman-pki/certs/foreman/foreman-to-candlepin.key',
Stdlib::Absolutepath $crane_ca_cert = '/etc/foreman-pki/certs/ca/ca.crt',
) {
include foreman
include certs
include certs::apache
include certs::candlepin
include certs::foreman
include certs::pulp_client
include katello::params
include foreman::plugin::tasks

foreman_config_entry { 'pulp_client_cert':
value => $certs::pulp_client::client_cert,
ignore_missing => false,
require => [Class['certs::pulp_client'], Foreman::Rake['db:seed']],
file { $candlepin_events_ssl_key:
group => $foreman::group,
mode => '0640',
}
Comment on lines +36 to 39
Member
Can we also reuse the Foreman client cert, at least by default? Perhaps it needs application changes, but it makes the application easier.


file { $pulp_client_key:
group => $foreman::group,
mode => '0640',
} ~>
foreman_config_entry { 'pulp_client_cert':
value => $pulp_client_cert,
ignore_missing => false,
require => Foreman::Rake['db:seed'],
} ~>
foreman_config_entry { 'pulp_client_key':
value => $certs::pulp_client::client_key,
value => $pulp_client_key,
ignore_missing => false,
require => [Class['certs::pulp_client'], Foreman::Rake['db:seed']],
require => Foreman::Rake['db:seed'],
}
Comment on lines +41 to 54
Member
Just a thought: can we configure Pulp 3 to use the internal CA for client auth just like we do with Foreman? That way we can use the same Foreman setting to connect to Smart Proxies and simplifies the application overall.

Perhaps @jlsherrill can share his thoughts as well.

Member Author
The Pulp client certificates use a CN of pulp to identify the user who is authenticating. There might be room to switch this to whatever the full DN of the client certificates is. We have client certificates needed for Candlepin Artemis connection as well, and this follows the DN style: https://github.com/theforeman/puppet-certs/blob/master/manifests/candlepin.pp#L32

In the newer certificate setup, I have simplified a lot of this down to really just setting CN since the rest of the attributes are largely arbitrary crap we were putting in there.

So I think this could work, if Pulp/Django will allow a "hostname" for a user.

Member
Do we only allow a single user (pulp) or are there more? If there's just 1, we can let Apache validate and statically pass it to the backend.

include foreman::plugin::tasks

Class['certs', 'certs::ca', 'certs::apache'] ~> Class['apache::service']

# Used in katello.yaml.erb
$enable_ostree = $katello::params::enable_ostree
$enable_yum = $katello::params::enable_yum
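Review bot: the two new `file` resources, `file { $candlepin_events_ssl_key: ... }` and `file { $pulp_client_key: ... }`, set `group => $foreman::group` and `mode => '0640'` but no `owner`, so the key ownership the PR title promises is only half pinned; a `0640` private key is only as tight as its owner, so add an explicit `owner` (root, or the service account meant to hold the key) to both resources. Second, with `include certs::pulp_client` and `include certs::candlepin` removed, nothing in this class creates those key files any more, and a `file` resource without `ensure` cannot set a mode on a file that is not there; either state in a comment that the `/etc/foreman-pki` tree is a precondition laid down by the external PKI, or add a `require` on whatever provisions it. Minor: the `$candlepin_events_ssl_key` resource is not chained with `~>` into anything, unlike the pulp key which notifies the two `foreman_config_entry` resources; if that asymmetry is intended, a one-line comment saying so would save the next reader a question.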
@@ -54,15 +61,12 @@
$enable_docker = $katello::params::enable_docker
$enable_deb = $katello::params::enable_deb
$pulp_url = $katello::params::pulp_url
$pulp_ca_cert = $certs::katello_server_ca_cert # TODO: certs::apache::...

$candlepin_url = $katello::params::candlepin_url
$candlepin_oauth_key = $katello::params::candlepin_oauth_key
$candlepin_oauth_secret = $katello::params::candlepin_oauth_secret
$candlepin_ca_cert = $certs::ca_cert
$candlepin_events_ssl_cert = $certs::candlepin::client_cert
$candlepin_events_ssl_key = $certs::candlepin::client_key

$crane_url = $katello::params::crane_url
$crane_ca_cert = $certs::katello_server_ca_cert
$postgresql_evr_package = $katello::params::postgresql_evr_package
$manage_db = $foreman::db_manage
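Review bot: the unchanged line `$pulp_ca_cert = $certs::katello_server_ca_cert # TODO: certs::apache::...` still reads a variable from the `certs` class that the first hunk stops including, so it will resolve to undef (or fail under `strict_variables`); since `katello.yaml.erb` now renders `@pulp_client_ca_cert` instead, drop `$pulp_ca_cert` here, or point it at the new `$pulp_client_ca_cert` parameter and close the TODO. The removed `$candlepin_ca_cert`, `$candlepin_events_ssl_cert`, `$candlepin_events_ssl_key` and `$crane_ca_cert` assignments are correctly superseded by the class parameters of the same names.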

26 changes: 13 additions & 13 deletions manifests/candlepin.pp
@@ -26,25 +26,26 @@
Boolean $db_ssl = false,
Boolean $db_ssl_verify = true,
Boolean $manage_db = true,
Stdlib::Absolutepath $ca_cert = '/etc/foreman-pki/certs/candlepin/ca.crt',
Stdlib::Absolutepath $ca_key = '/etc/foreman-pki/certs/candlepin/ca.key',
Stdlib::Absolutepath $keystore_file = '/etc/foreman-pki/certs/tomcat/keystore',
Stdlib::Absolutepath $keystore_password_file = '/etc/foreman-pki/certs/tomcat/password',
Stdlib::Absolutepath $truststore_file = '/etc/foreman-pki/certs/artemis/truststore',
Stdlib::Absolutepath $truststore_password_file = '/etc/foreman-pki/certs/artemis/password',
) {
include certs
include katello::params

class { 'certs::candlepin':
hostname => $katello::params::candlepin_host,
}

class { 'candlepin':
host => $katello::params::candlepin_host,
user_groups => $certs::candlepin::group,
oauth_key => $katello::params::candlepin_oauth_key,
oauth_secret => $katello::params::candlepin_oauth_secret,
ca_key => $certs::candlepin::ca_key,
ca_cert => $certs::candlepin::ca_cert,
keystore_file => $certs::candlepin::keystore,
keystore_password => $certs::candlepin::keystore_password,
truststore_password => $certs::candlepin::keystore_password,
artemis_client_dn => $certs::candlepin::artemis_client_dn,
ca_key => $ca_key,
ca_cert => $ca_cert,
keystore_file => $keystore_file,
keystore_password => file($keystore_password_file),
truststore_file => $truststore_file,
truststore_password => file($truststore_password_file),
artemis_client_dn => "CN=${katello::params::candlepin_host}",
enable_basic_auth => false,
consumer_system_name_pattern => '.+',
adapter_module => 'org.candlepin.katello.KatelloModule',
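Review bot: `user_groups => $certs::candlepin::group`, an unchanged line in the middle of this hunk, still references the `certs::candlepin` class whose declaration the hunk removes, so the group will be undef at compile time; it needs to become a parameter of this class the same way `$ca_key`, `$keystore_file` and `$truststore_file` now are. Second, `keystore_password => file($keystore_password_file)` and `truststore_password => file($truststore_password_file)` read the password files when the catalog is compiled, which on an agent/server deployment means on the Puppet server rather than on the host that owns `/etc/foreman-pki`, and it places both secrets into the catalog, where they are cached on disk and sent over the wire; if the intent is that these passwords live only on the Candlepin host, the `candlepin` class needs a path-based variant of these parameters. Also, `file()` returns the content verbatim including a trailing newline, so a password file ending in `\n` produces a wrong keystore password unless the value is chomped. Finally, `artemis_client_dn => "CN=${katello::params::candlepin_host}"` hardcodes the assumption that the Artemis client certificate's subject is exactly that CN and nothing else, which matches the simplified certificate setup described in the comments above, but any extra RDN in the issued cert will make the DN check fail; a comment next to this line stating that requirement on the PKI would prevent a hard-to-diagnose broker auth failure later.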
@@ -56,7 +57,6 @@
db_ssl => $db_ssl,
db_ssl_verify => $db_ssl_verify,
manage_db => $manage_db,
subscribe => Class['certs', 'certs::candlepin'],
} ->
anchor { 'katello::candlepin': } # lint:ignore:anchor_resource
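Review bot: dropping `subscribe => Class['certs', 'certs::candlepin']` is consistent with removing those classes, but it also removes the only trigger that restarted Candlepin when its CA key, keystore or truststore changed, and nothing in this hunk replaces it; a rotated keystore under `/etc/foreman-pki/certs/tomcat/` will therefore not be picked up until something else restarts the service. Consider subscribing the `candlepin` class to the files named by `$keystore_file` and `$truststore_file` once they are managed as resources, or document that certificate rotation now requires an explicit restart.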

2 changes: 1 addition & 1 deletion templates/katello.yaml.erb
@@ -25,7 +25,7 @@

:pulp:
:url: <%= @pulp_url %>
:ca_cert_file: <%= @pulp_ca_cert %>
:ca_cert_file: <%= @pulp_client_ca_cert %>

:use_pulp_2_for_content_type:
:docker: <%= @use_pulp_2_for_docker %>
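Review bot: `:ca_cert_file: <%= @pulp_client_ca_cert %>` matches the new `$pulp_client_ca_cert` parameter in `application.pp`, so the rename is consistent, but that leaves the `$pulp_ca_cert` assignment in `application.pp` unused by this template and still pointing at the removed `certs` class; remove it in the same change so the two names cannot drift. A naming note: this value is the CA used to verify the Pulp server's certificate, while the parameter name says "client", which reads as if it were the CA that issued the client cert; a short comment on the parameter (or a name such as `pulp_server_ca_cert`) would avoid the ambiguity.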