pulp_webserver: Add support for TLS configuration #325
Conversation
Attached issue: https://pulp.plan.io/issues/6845
Attached issue: https://pulp.plan.io/issues/6847
This is a breaking change, because we (by default) disable the API on port 80. I think this is the behaviour an end user would want. So can you please add a .removal changelog entry?
Since pulp_webserver_disable_https is False by default, I believe our molecule tests are already executing the new code paths. But I would be glad to see some additional tests that the API (status page) is really accessible via HTTPS and that port 80 is redirected there.
@mdellweg I have a question regarding your last comment - not sure I fully grasp it.
This doesn't enable the API on port 80 per se. (No more than it was already reachable on port 80 before this PR through nginx proxying.) So I'm not sure which removal is required here. For users this change "should" be transparent, and if they keep reaching HTTP they will be automatically re-routed to HTTPS. Could you provide me with more details on what you meant above? (And thanks for the reviews.)
I believe you need to adjust the
Thank you for working on this! This is a lot of work I can tell, but see comments.
```ruby
describe http('http://localhost/pulp/api/v3/status',
              ssl_verify: false) do
  its('status') { should eq 301 }
end
end

describe http('http://localhost/pulp/api/v3/status',
              ssl_verify: false, max_redirects: 1) do
  its('status') { should eq 200 }
  its('body') { should match /database_connection/ }
end
end

describe http('https://localhost/pulp/api/v3/status',
              ssl_verify: false) do
  its('status') { should eq 200 }
  its('body') { should match /database_connection/ }
end
end
```
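Review bot: the first block only asserts a 301 on the plain-HTTP request and never checks where the redirect points; add `its('headers.Location') { should match %r{^https://} }` so the test proves port 80 is redirected to HTTPS rather than to some other HTTP URL. The second block, with `max_redirects: 1`, then confirms the redirected request actually lands on the status page; because the installer generates a self-signed certificate, it needs `ssl_verify: false` for the same reason the third block does.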
These will fail due to this bug:
https://pulp.plan.io/issues/6586
It's been bugging me for a while, but other devs do not want privileged containers, so it is non-trivial to fix.
```yaml
- name: Generate CA key
  openssl_privatekey:
    path: '{{ pulp_webserver_tls_folder }}/root.key'
```
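Review bot: the visible lines set only `path` for the CA key; unless a `mode` is set further down, the file is created with the default umask and the CA private key may be world-readable. Add `mode: '0600'` (and the matching `owner`/`group` for the webserver user) on this task and on the server-key task.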
I'm concerned about what happens with these modules if a user runs the installer, replaces the key files on disk in the same filepaths with their desired keys, and then re-runs the installer:
https://docs.ansible.com/ansible/latest/modules/openssl_privatekey_module.html
> Please note that the module regenerates private keys if they don’t match the module’s options. In particular, if you provide another passphrase (or specify none), change the keysize, etc., the private key will be regenerated. If you are concerned that this could overwrite your private key, consider using the backup option.
In a general approach, I would say don't do that. If this is what you want to do, use the installer to do it and re-run the installer with pulp_webserver_ssl_cert and pulp_webserver_ssl_key. If you don't yet say you want TLS, then yes, what you have described will happen. But I feel like it is doing it by design, rightfully.
If you think this is wrong, we can condition this whole block on the non-existence of those 2 files.
And add a pulp_webserver_force_regenerate_certificate or something similar if one really really wants to do it.
I agree. If the keys are managed by ansible, do not even think about messing around by hand.
```yaml
- name: Cleanup CSR files
  file:
    path: '{{ pulp_webserver_tls_folder }}/{{ item }}'
    state: absent
  loop:
    - root.csr
    - pulp_webserver.csr
```
This will fail idempotency with the task that generates them above.
Might be addressed by #325 (comment) based on the option chosen
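Below is an added example, not code from this PR or from pulp_installer, of the approach proposed in the two threads above: the whole generate-a-CA-and-server-cert block is conditioned on the server key and certificate not already existing (or on an explicit force variable), so a re-run never regenerates keys the operator has replaced by hand, and the CSR generate-then-delete pair is skipped entirely on the second run, which removes the idempotency failure. Assumed names that do not appear on the page: the `pulp_webserver.key`, `pulp_webserver.crt` and `root.crt` file names, and the `pulp_webserver_force_regenerate_certificate` variable (suggested above but not defined in the PR). The `openssl_*` module names and the `pulp_webserver_tls_folder`, `pulp_webserver_ssl_cert` and `pulp_webserver_ssl_key` variables are the ones the review discusses.

```yaml
# Added example (not pulp_installer code). Assumed names: pulp_webserver.key,
# pulp_webserver.crt, root.crt and pulp_webserver_force_regenerate_certificate.

- name: Check whether a server key and certificate are already present
  stat:
    path: '{{ pulp_webserver_tls_folder }}/{{ item }}'
  loop:
    - pulp_webserver.key
    - pulp_webserver.crt
  register: pulp_webserver_tls_files

- name: Generate a private CA and a server certificate signed by it
  block:
    - name: Generate CA key
      openssl_privatekey:
        path: '{{ pulp_webserver_tls_folder }}/root.key'
        mode: '0600'      # the CA key must not be world-readable
        backup: yes       # second safety net if the module ever rewrites it

    - name: Generate CA CSR
      openssl_csr:
        path: '{{ pulp_webserver_tls_folder }}/root.csr'
        privatekey_path: '{{ pulp_webserver_tls_folder }}/root.key'
        common_name: 'pulp_installer local CA'
        basic_constraints:
          - 'CA:TRUE'
        basic_constraints_critical: yes
        key_usage:
          - keyCertSign
          - cRLSign

    - name: Self-sign the CA certificate
      openssl_certificate:
        path: '{{ pulp_webserver_tls_folder }}/root.crt'
        csr_path: '{{ pulp_webserver_tls_folder }}/root.csr'
        privatekey_path: '{{ pulp_webserver_tls_folder }}/root.key'
        provider: selfsigned

    - name: Generate server key
      openssl_privatekey:
        path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.key'
        mode: '0600'
        backup: yes

    - name: Generate server CSR with the host name as SAN
      openssl_csr:
        path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.csr'
        privatekey_path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.key'
        common_name: '{{ ansible_fqdn }}'
        subject_alt_name:
          - 'DNS:{{ ansible_fqdn }}'   # clients validate the SAN, not the CN

    - name: Sign the server certificate with the CA
      openssl_certificate:
        path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.crt'
        csr_path: '{{ pulp_webserver_tls_folder }}/pulp_webserver.csr'
        provider: ownca
        ownca_path: '{{ pulp_webserver_tls_folder }}/root.crt'
        ownca_privatekey_path: '{{ pulp_webserver_tls_folder }}/root.key'

    # Runs only inside the guarded block, so it never churns on a re-run.
    - name: Cleanup CSR files
      file:
        path: '{{ pulp_webserver_tls_folder }}/{{ item }}'
        state: absent
      loop:
        - root.csr
        - pulp_webserver.csr
  when:
    # Operator-supplied material wins; the installer then never generates.
    - pulp_webserver_ssl_cert is not defined
    - pulp_webserver_ssl_key is not defined
    # Generate only if something is missing, or if explicitly forced.
    - >-
      (pulp_webserver_force_regenerate_certificate | default(false) | bool)
      or (pulp_webserver_tls_files.results | rejectattr('stat.exists') | list | length) > 0
```

On a second run both `stat` results report `exists: true`, so the whole block is skipped: nothing is regenerated, no CSR is written and deleted, and the play reports no changes. Rotating the generated certificate is an explicit action (`-e pulp_webserver_force_regenerate_certificate=true`) rather than a side effect of a re-run, and an operator who wants their own certificate uses `pulp_webserver_ssl_cert` / `pulp_webserver_ssl_key` as suggested above instead of editing files in place.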
@mdellweg @Spredzy The problem we have is that often Pulp needs to return an absolute URL for certain plugins. So content_origin sets the canonical beginning of the URL, including http or https. So if content_origin is one protocol, and the user accesses on the other protocol, they will be redirected to the other at some point. That said, I thought pulp-api could be accessed at port 80 via the webserver.
And therefore the user should reconfigure her/his clients to the new protocol, but must reset
Enable HTTPS by default when deploying a new pulp server. One can either specify the value of the certificate and the key. Or, if none available, can have the installer generating them. Support has been added for both nginx and apache. fixes #6845 fixes #6847
@mdellweg I have addressed/answered all comments in this PR. I'll let you make this PR cross the finish line and work out the details. Thanks very much for volunteering for it, and hopefully it won't be a nightmare <3
@mikedep333 To the
Closing in favor of #356 which is an extension of this work. |