Enable katello #96
```ruby
certificate_param.override = true
case override_parameter
when CA_FILE_PARAMETER
  certificate_param.default_value = '/etc/rhsm/ca/katello-server-ca.pem'
```
Oh, can you not read the rhsm.conf on the client uploading tool instead of sending them via Puppet?
Depending on when the system was registered these could be different.... at one point, the file wasn't named /etc/rhsm/ca/katello-server-ca.pem.
Reading another system's config files does not sound ideal either; can the installer / some other thing maintain another config file / links to the CA etc.?
Why not? They're authenticating with the RHSM certificates; they should use the canonical source for that information, which is /etc/rhsm/rhsm.conf. katello-agent does the same, although that is more closely linked to rhsm.
For whatever reason, the certificate was renamed from /etc/rhsm/ca/candlepin-local.pem to /etc/rhsm/ca/katello-server-ca.pem, so older clients may have the older cert location.
If you don't read from rhsm.conf, you'd be forcing users to regenerate all of their certificate RPMs and redeploy them with the newer names, or change all of their older clients some other way? I don't think that's a reasonable ask.
The client knows where its certificates are, why is it being sent from the Foreman server anyway?
Maybe you could have a boolean for using the rhsm to upload.
How would a proxy connected to Katello be using puppet certs??
You all can solve it however you want, but if you hardcode RHSM cert locations, you're going to run into problems. That's my only comment about this PR.
`subscription-manager config`, but it's basically just catting /etc/rhsm/rhsm.conf.
Actually, `subscription-manager config` may be preferable, because it does the variable substitution you'd have to deal with in rhsm.conf:
```
repo_ca_cert = /etc/rhsm/ca/katello-server-ca.pem
```
So, yeah, that could be turned into a fact.
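The thread above argues for reading the CA path from the client's own rhsm.conf (or from `subscription-manager config`, which performs the variable substitution) instead of hardcoding it, because older clients still carry candlepin-local.pem. The Ruby below is an added example, not code from foreman_openscap or from this PR: it parses a constructed rhsm.conf, expands the `%(name)s` references that rhsm.conf uses (Python ConfigParser-style interpolation, resolved against the same section), and falls back to the hardcoded default only when the key is absent. The sample configs, the function names and the fallback constant are illustrations, not values from the project.

```ruby
# Added example (not from foreman_openscap or this PR): read repo_ca_cert
# from an rhsm.conf instead of hardcoding the CA file location.

# Constructed sample of a current client's rhsm.conf (not a real file).
NEW_CLIENT_CONF = <<~CONF
  [server]
  hostname = katello.example.com

  [rhsm]
  ca_cert_dir = /etc/rhsm/ca/
  repo_ca_cert = %(ca_cert_dir)skatello-server-ca.pem
CONF

# Constructed sample for an older client that still has the old file name.
OLD_CLIENT_CONF = <<~CONF
  [rhsm]
  ca_cert_dir = /etc/rhsm/ca/
  repo_ca_cert = %(ca_cert_dir)scandlepin-local.pem
CONF

# Assumed default, used only when rhsm.conf does not provide the key.
DEFAULT_CA_FILE = '/etc/rhsm/ca/katello-server-ca.pem'.freeze

# Parse INI text into { 'section' => { 'key' => 'value' } }.
def parse_ini(text)
  sections = Hash.new { |h, k| h[k] = {} }
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[([^\]]+)\]\z/))
      current = m[1]
    elsif current && (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      sections[current][m[1]] = m[2]
    end
  end
  sections
end

# Expand ConfigParser-style %(name)s references against the same section.
# Depth is bounded so a self-referential value raises instead of looping.
def interpolate(section, value, depth = 0)
  raise ArgumentError, 'rhsm.conf interpolation too deep' if depth > 10
  value.gsub(/%\(([^)]+)\)s/) do
    name = Regexp.last_match(1)
    ref = section.fetch(name) { raise KeyError, "no value for %(#{name})s" }
    interpolate(section, ref, depth + 1)
  end
end

# Return the expanded [rhsm] repo_ca_cert path, or nil if it is absent.
def rhsm_ca_path(conf_text, key: 'repo_ca_cert')
  rhsm = parse_ini(conf_text)['rhsm']
  return nil unless rhsm[key]
  interpolate(rhsm, rhsm[key])
end

# What a fact would report: the client's own path, falling back to the default.
def ca_file_for(conf_text)
  rhsm_ca_path(conf_text) || DEFAULT_CA_FILE
end

if __FILE__ == $PROGRAM_NAME
  puts ca_file_for(NEW_CLIENT_CONF) # /etc/rhsm/ca/katello-server-ca.pem
  puts ca_file_for(OLD_CLIENT_CONF) # /etc/rhsm/ca/candlepin-local.pem
end
```

Run as a plain script to see both paths; the point is that the old and new client each report the file they actually have, and the default only applies when rhsm.conf says nothing.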
5aeab4e to ea910d4
@stbenjam @ohadlevy @ares, thank you all for the comments and help.
@isimluk ping? Any reason not to merge?
Thanks @shlomizadok, merging!
@shlomizadok actually, before merge, could you squash the changes in policy_extensions.rb so we don't have one commit adding stuff that is removed in the second? I did a review of the whole, then realized that there are three commits and most of the 1st and 2nd neutralize each other :-) I'd probably squash into one as this is one feature as a whole.
ea910d4 to ecd86b7
@ares squashed. Thanks.
Merged, thanks!
File `lib/foreman_openscap/helper.rb` is now testing if cname is a UUID or a host name.
File `app/models/concerns/foreman_openscap/policy_extensions.rb` adds overrides to the Puppet module to use Katello certificates. This is now ideal, as we take the assumption that the host will also have a content host.
@ohadlevy, @ares, @stbenjam - please review as well. (Thanks!)