Enable katello

[shlomizadok]

File lib/foreman_openscap/helper.rb is now testing if cname is a uuid or a host name.

File app/models/concerns/foreman_openscap/policy_extensions.rb Adds overrides to the Puppet module to use Katello certificates. This is now ideal, as we take to assumption that the host will also have a content host.

@ohadlevy, @ares, @stbenjam - please review as well. (Thanks!)

[stbenjam]

Oh, can you not read the rhsm.conf on the client uploading tool instead of sending them via Puppet?

Depending on when the system was registered these could be different.... at one point, the file wasn't named /etc/rhsm/ca/katello-server-ca.pem.

[ohadlevy]

reading another system config files does not sound ideal either, can the installer / some other thing maintain another config file / links to the ca etc ?

[stbenjam]

Why not? They're authenticating with the RHSM certificates; they should use the canonical source for that information, which is /etc/rhsm/rhsm.conf. katello-agent does the same, although that is more closely linked to rhsm.

For whatever reason, the certificate was renamed from /etc/rhsm/ca/candlepin-local.pem to /etc/rhsm/ca/katello-server-ca.pem, so older clients may have the older cert location.

If you don't read from rhsm.conf, you'd be forcing users to regenerate all of their certificate RPMs and redeploy them with the newer names, or change all of their older clients some other way? I don't think that's a reasonable ask.

The client knows where its certificates are, why is it being sent from the Foreman server anyway?

[ohadlevy]

we still want to support both usage cases (puppet/rhsm certs). setting it via puppet allows the user to override it in a ui for all clients as a configuration directive....the other alternative is to make the client "smarter" but I'm not 100% sure if its required, surely better error messages on the on the client can help too...

[stbenjam]

Maybe you could have a boolean for using the rhsm to upload.

[ohadlevy]

the proxy that runs scap might be configured with puppet certs vs katello certs. also, ATM the evaluation is not done per host (there was a desire not to define the ssl configuration per host in foreman lookup_values/smart class parameters).

[stbenjam]

How would a proxy connected to Katello be using puppet certs??

You all can solve it however you want, but if you hardcode RHSM cert locations, you're going to run into problems. That's my only comment about this PR.

[ohadlevy]

do you happen to know if subscription manager can output its configuration (maybe use it as a fact instead?)

[stbenjam]

subscription-manager config but it's basically just catting /etc/rhsm/rhsm.conf

[stbenjam]

Actually, subscription-manager config may be preferable, because it does the variable substitution you'd have to deal with in rhsm.conf,

repo_ca_cert = /etc/rhsm/ca/katello-server-ca.pem

So, yea, that could be turned into a fact

[shlomizadok]

@stbenjam @ohadlevy @ares, thank you all for the comments and help.
I have remove the hard coded puppet class params overrides.
Instead, I am testing which certificates to use on the puppet module.
Would love if you could take a look and review theforeman/puppet-foreman_scap_client#6 in addition to this PR.
Thanks!

[shlomizadok]

@ares @isimluk, I believe this PR is also ready to merge.

[ohadlevy]

@isimluk ping? any reason not to merge?

[ares]

Thanks @shlomizadok, merging!

[ares]

@shlomizadok actually before merge, could you squash changes in policy_extensions.rb so we don't have one commit adding stuff that is removed in second? I did review of the whole then realized that there are three commits and most of 1st and 2nd neutralize each other :-) I'd probably squash into one as this is one feature as a whole

[shlomizadok]

@ares squashed. Thanks.

[ares]

Merged, thanks!