Flavor: foreman-proxy-content #571
base: master
Changes from all commits
a89493b
85072c9
09988ec
721c51c
8f53a4a
cfb7110
8cc63e5
378d740
c03de09
5ad19fc
c26c0cb
fe89b94
0c53914
959a001
5561a98
8e1e2f0
6d28d5e
055918d
a489369
11c0734
157fb88
b709d6f
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| --- | ||
| - name: Fetch generated bundle from server | ||
| hosts: | ||
| - quadlet | ||
| become: true | ||
| vars_files: | ||
| - "../../../src/vars/base.yaml" | ||
| - "../../../src/vars/certificates.yml" | ||
| tasks: | ||
| - name: Fetch bundle | ||
| ansible.builtin.fetch: | ||
| src: "{{ certificates_ca_directory }}/bundles/{{ hostname }}.tar.gz" | ||
| dest: "{{ obsah_state_path }}/{{ hostname }}.tar.gz" | ||
| flat: true |
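Review bot: `src` and `dest` splice `{{ hostname }}` directly into filesystem paths, and the `hostname` value that drives this playbook is declared (in the obsah command definition in the next hunk) with no `type:` constraint, so a value containing `/` or `..` would select a different file under `{{ certificates_ca_directory }}/bundles/` and write it to an arbitrary location under `{{ obsah_state_path }}`. Either validate the parameter as an FQDN where it is declared (this PR already uses `type: FQDN` for `--certificate-cname`) or add an `ansible.builtin.assert` on `hostname` before the fetch task.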
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| --- | ||
| help: | | ||
| Fetch a certificate bundle | ||
| variables: | ||
| hostname: | ||
| parameter: hostname | ||
| help: Hostname to fetch the certificate bundle for. |
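Review bot: `hostname` carries only `parameter: hostname` and `help:`, with no `type:`, even though the same PR declares `--certificate-cname` with `type: FQDN`. Since this value is interpolated into the `src` and `dest` paths of the fetch playbook, add `type: FQDN` here so malformed or path-like input is rejected before the playbook runs.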
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,47 @@ | ||
| # Deployment Design | ||
|
|
||
| ## Deployment Types | ||
|
|
||
| foremanctl supports two deployment types: **server** and **proxy**. Each has its own sub-command, flavor, and set of services. | ||
|
Member: @ehelms was exploring whether we could give the external proxy a better name ("node", "capsule", whatever). Additionally the current PR uses "Foreman Proxy", "node" etc. rather inconsistently in the docs/help output.
||
|
|
||
| ### Server | ||
|
|
||
| Deploys a Foreman server. This is the primary deployment type and the default entry point. | ||
|
|
||
|
|
||
| ```bash | ||
| ./foremanctl deploy | ||
| ``` | ||
|
|
||
| ### Proxy | ||
|
|
||
| Deploys a Foreman Proxy node that connects to a Foreman server. | ||
|
|
||
| Before running the proxy deployment, a certificate bundle must be generated on the Foreman server and copied to the proxy VM: | ||
|
|
||
| 1. On the **Foreman server**, generate a certificate bundle for the proxy hostname: | ||
|
|
||
| ```bash | ||
| ./foremanctl certificate-bundle proxy.example.com | ||
| ``` | ||
|
|
||
| This produces a tar archive at a path like `/var/lib/foremanctl/certs/bundles/<hostname>.tar.gz`. | ||
|
|
||
| 2. Copy the bundle to the **proxy VM**: | ||
|
|
||
| ```bash | ||
| scp /var/lib/foremanctl/certs/bundles/proxy.example.com.tar.gz root@proxy.example.com:/root/proxy.example.com.tar.gz | ||
| ``` | ||
|
|
||
| 3. On the **proxy VM**, run the deployment: | ||
|
|
||
| ```bash | ||
| ./foremanctl deploy-proxy \ | ||
| --flavor foreman-proxy-content \ | ||
| --certificate-bundle /root/proxy.example.com.tar.gz \ | ||
| --foreman-fqdn quadlet.example.com | ||
| ``` | ||
|
|
||
| ## Deployment Paths | ||
|
|
||
| ### Happy Path | ||
|
|
||
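Review bot: step 2 has the operator `scp` the bundle to `/root/proxy.example.com.tar.gz` by hand, yet this PR also adds a `certificate-bundle` fetch command ("Fetch a certificate bundle", with a `hostname` parameter) that pulls the bundle into `{{ obsah_state_path }}`; the design doc should either reference that command or say when the manual copy is the intended path. The text also never says how the bundle should be handled on the proxy VM once `deploy-proxy` has consumed it via `--certificate-bundle`; since it is the certificate material the proxy is deployed with, add a sentence on keeping it private in transit and removing `/root/proxy.example.com.tar.gz` afterwards. Finally, "Foreman Proxy node" in the `### Proxy` section versus "proxy" in `deploy-proxy` and `--flavor foreman-proxy-content` is the naming inconsistency the Member comment above raises; settle on one term before merge.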
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| [pytest] | ||
| addopts = ["--import-mode=importlib"] |
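Review bot: `addopts = ["--import-mode=importlib"]` is the list syntax of `[tool.pytest.ini_options]` in `pyproject.toml`, but this file is a `[pytest]` INI section, where `addopts` is a plain space-separated string that pytest splits with shlex; as written pytest receives the literal argument `[--import-mode=importlib]` (quotes stripped, brackets kept) rather than the flag. Use `addopts = --import-mode=importlib`.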
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| --- | ||
| content/rpm: | ||
| description: RPM content type for Pulp | ||
| internal: true | ||
| dependencies: | ||
| - pulp | ||
| content/deb: | ||
| description: Debian content type for Pulp | ||
| internal: true | ||
| dependencies: | ||
| - pulp | ||
| content/container: | ||
| description: Container content type for Pulp | ||
| internal: true | ||
| dependencies: | ||
| - pulp | ||
| content/ansible: | ||
| description: Ansible content type for Pulp | ||
| internal: true | ||
| dependencies: | ||
| - pulp | ||
| content/python: | ||
| description: Python content type for Pulp | ||
| internal: true | ||
| dependencies: | ||
| - pulp |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| --- | ||
| variables: | ||
| certificates_cnames: | ||
| help: Additional DNS name to include in Subject Alternative Names for certificates. Can be specified multiple times. | ||
| action: append_unique | ||
| type: FQDN | ||
| parameter: --certificate-cname | ||
| certificates_custom_server_certificate: | ||
| help: Path to a custom server certificate to use instead of the auto-generated one. | ||
| type: AbsolutePath | ||
| parameter: --certificate-server-certificate | ||
| persist: false | ||
| certificates_custom_server_key: | ||
| help: Path to the private key for the custom server certificate. | ||
| type: AbsolutePath | ||
| parameter: --certificate-server-key | ||
| persist: false | ||
| certificates_custom_server_ca_certificate: | ||
| help: Path to the CA certificate that signed the custom server certificate. | ||
| type: AbsolutePath | ||
| parameter: --certificate-server-ca-certificate | ||
| persist: false | ||
|
|
||
| constraints: | ||
| required_together: | ||
| - [certificates_custom_server_certificate, certificates_custom_server_key, certificates_custom_server_ca_certificate] |
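Review bot: `--certificate-server-key` takes the path to a private key and `persist: false` correctly keeps that path out of the stored parameters, but the help text says nothing about what is accepted (encoding, whether a passphrase-protected key works) or that the file must be readable by the user running `foremanctl`; state that in `help:` so the `required_together` constraint is not the only feedback an operator gets. The three `persist: false` entries also make it obvious that `certificates_cnames` is persisted on purpose; a short comment saying so would save the next reviewer the same question.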
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| --- | ||
| include: | ||
| - _pulp | ||
| - _foreman_proxy | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| --- | ||
| variables: | ||
| external_authentication: | ||
| help: External authentication method to use | ||
| choices: | ||
| - ipa | ||
| - ipa_with_api | ||
| external_authentication_pam_service: | ||
| help: Name of the PAM service to use for IPA authentication | ||
| pulp_import_paths: | ||
| help: Extra file path that Pulp can use for content imports. Argument may be used more than once. | ||
| action: append_unique | ||
| type: AbsolutePath | ||
| parameter: --content-import-path | ||
| pulp_export_paths: | ||
| help: Extra file path that Pulp can use for content exports. Argument may be used more than once. | ||
| action: append_unique | ||
| type: AbsolutePath | ||
| parameter: --content-export-path | ||
|
|
||
| include: | ||
| - _certificate_source | ||
| - _certificate_validity | ||
| - _certificates_custom | ||
| - _database_mode | ||
| - _database_connection | ||
| - _foreman | ||
| - _foreman_proxy | ||
| - _pulp | ||
| - _tuning |
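Review bot: `external_authentication_pam_service` is only meaningful when `external_authentication` is set (its help says "for IPA authentication"), yet unlike the `_certificates_custom` file this one declares no `constraints:` tying the two together and gives no default for the service name; add a `required_together`-style constraint or document the default so a deploy that sets the PAM service without `external_authentication` fails early. The help for `--content-import-path` and `--content-export-path` should also say that the given absolute paths become accessible to the Pulp service, since "Extra file path that Pulp can use" does not tell an operator to keep those directories free of unrelated secrets.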
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| --- | ||
| variables: | ||
| foreman_initial_admin_username: | ||
| help: Initial username for the admin user. | ||
| parameter: --initial-admin-username | ||
| foreman_initial_admin_password: | ||
| help: Initial password for the admin user. | ||
| parameter: --initial-admin-password | ||
| foreman_initial_organization: | ||
| help: Name of an initial organization. | ||
| parameter: --initial-organization | ||
| foreman_initial_location: | ||
| help: Name of an initial location. | ||
| parameter: --initial-location | ||
| foreman_puma_workers: | ||
| help: Number of workers for Puma. |
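Review bot: `foreman_initial_admin_password` is read from `--initial-admin-password` with no `persist: false`, while this PR marks the custom certificate paths `persist: false` and the discussion below describes `parameters.yaml` as holding "important information"; as declared, the initial admin password will be persisted there with the other parameters. Mark it `persist: false` or document explicitly that it is stored. Taking the password as a CLI argument also exposes it in the process list and shell history; if obsah supports reading a variable from an environment variable or a prompt, offer that alternative in the help text.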
Why do we have to do this?

To simulate deployment on a different box basically

Because since earlier `foremanctl deploy` writes its params and they share the same `parameters.yaml`, and as obsah reuses existing params, so it's good to use a clean empty params file for `deploy-proxy`, and as evgeni mentioned (I didn't refresh earlier)

This is going to be a pain locally. Obviously doesn't block this PR but we either need to namespace this or what I have been feeling is that this should live on the target. I don't think that would break our design to be able to run `foremanctl` from a remote location. And, the `parameters.yaml` feels like information that should exist on the machine itself given the level of important information that it stores. Really, the whole directory should.