Commit

Fixes #30368 - Change Candlepin and Pulp 3 CA handling
This change makes the Candlepin CA file optional by falling back to the
Foreman CA file. The result is a reduced configuration in most
deployments.

For Pulp the certificate is now read in the same way as Candlepin.
Previously it partly relied on the CA being in the global allowed CA.
This may be an issue in some cases, but in the default deployment it
isn't. Following the general SSL config makes the configuration more
predictable for users. It can also be easier in a containerized setup or
on a system where the admin is not allowed to modify the system CA
certificates. The example config is now also consistent with reality.

The verify_ssl option is dropped from the ping model. This isn't
respected elsewhere and it's misleading to have a valid ping only to
have it fail at runtime.
ekohl committed Jun 27, 2022
1 parent b056c79 commit 48289b6
Showing 7 changed files with 15 additions and 20 deletions.
2 changes: 1 addition & 1 deletion app/lib/katello/resources/candlepin.rb
Expand Up @@ -11,7 +11,7 @@ class CandlepinResource < HttpResource
self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}"
self.consumer_secret = cfg[:oauth_secret]
self.consumer_key = cfg[:oauth_key]
self.ca_cert_file = cfg[:ca_cert_file]
self.ca_cert_file = ::Cert::Certs.backend_ca_cert_file(:candlepin)

class << self
def process_response(response)
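Review bot: the nil case changes meaning here. Before, a missing `cfg[:ca_cert_file]` left `ca_cert_file` unset and the resource fell back to whatever `HttpResource` does without a CA file; now `backend_ca_cert_file(:candlepin)` always returns `Setting[:ssl_ca_file]` when the Katello setting is absent, so a wrong or unreadable `ssl_ca_file` breaks every Candlepin call instead of only the Candlepin-specific one. Worth a sentence in the commit message, and a spec that stubs `SETTINGS` without `:ca_cert_file` and asserts `ca_cert_file` equals `Setting[:ssl_ca_file]`.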
1 change: 0 additions & 1 deletion app/lib/katello/resources/registry.rb
Expand Up @@ -31,7 +31,6 @@ def load_class
uri = URI.parse(content_app_url)
self.prefix = "/pulpcore_registry/"
self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}"
self.ca_cert_file = Setting[:ssl_ca_file]
pulp_primary.pulp3_ssl_configuration(self, :net_http)

self
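Review bot: the removed line assigned `self.ca_cert_file`, but `pulp3_ssl_configuration` assigns `config.ssl_ca_file` (see the smart_proxy_extensions hunk), which is a different attribute name. Please confirm the registry resource class responds to `ssl_ca_file=` and that its `:net_http` path actually consumes it; otherwise the CA is silently dropped and verification falls back to the system store, which is exactly what this change intends to stop relying on.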
1 change: 1 addition & 0 deletions app/models/katello/concerns/smart_proxy_extensions.rb
Expand Up @@ -188,6 +188,7 @@ def pulp3_configuration(config_class)
end

def pulp3_ssl_configuration(config, connection_adapter = Faraday.default_adapter)
config.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:pulp)
if connection_adapter == :excon
config.ssl_client_cert = ::Cert::Certs.ssl_client_cert_filename
config.ssl_client_key = ::Cert::Certs.ssl_client_key_filename
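Review bot: `config.ssl_ca_file` is now set unconditionally, and the value can be an empty string if `Setting[:ssl_ca_file]` is blank, since `backend_ca_cert_file` only guards with `||`. An empty path handed to Faraday/Excon is a confusing failure; consider `::Cert::Certs.backend_ca_cert_file(:pulp).presence` here or `.presence` inside the helper so a blank setting is treated as unset.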
4 changes: 1 addition & 3 deletions app/models/katello/ping.rb
Expand Up @@ -263,12 +263,10 @@ def fetch_proxy(capsule_id)
end

def backend_status(url, backend)
ca_file = SETTINGS[:katello][backend][:ca_cert_file]
ca_file = ::Cert::Certs.backend_ca_cert_file(backend)
request_id = ::Logging.mdc['request']

options = {}
options[:ssl_ca_file] = ca_file unless ca_file.nil?
options[:verify_ssl] = SETTINGS[:katello][backend][:verify_ssl] if SETTINGS[:katello][backend].key?(:verify_ssl)
options[:headers] = { 'Correlation-ID' => request_id } if request_id
client = RestClient::Resource.new("#{url}/status", options)

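Review bot: dropping the `verify_ssl` override means the ping now uses RestClient's default of verifying the peer, which matches the commit message, but it is a behaviour change for any deployment that had `:verify_ssl: false` in its config: their ping will start failing. That deserves a line in the release notes. Also, with the fallback in `backend_ca_cert_file` the `unless ca_file.nil?` guard only fires when `Setting[:ssl_ca_file]` itself is nil; `options[:ssl_ca_file] = ca_file if ca_file.present?` would also cover a blank setting.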
8 changes: 6 additions & 2 deletions app/services/cert/certs.rb
Expand Up @@ -9,7 +9,7 @@ def self.ca_cert
end

def self.candlepin_client_ca_cert
File.read(SETTINGS[:katello][:candlepin][:ca_cert_file])
File.read(backend_ca_cert_file(:candlepin))
end

def self.ssl_client_cert
Expand All @@ -28,10 +28,14 @@ def self.ssl_client_key_filename
Setting[:ssl_priv_key]
end

def self.backend_ca_cert_file(backend)
SETTINGS.dig(:katello, backend, :ca_cert_file) || Setting[:ssl_ca_file]
end

def self.verify_ueber_cert(organization)
ueber_cert = OpenSSL::X509::Certificate.new(self.ueber_cert(organization)[:cert])
cert_store = OpenSSL::X509::Store.new
cert_store.add_file SETTINGS[:katello][:candlepin][:ca_cert_file]
cert_store.add_file backend_ca_cert_file(:candlepin)
organization.regenerate_ueber_cert unless cert_store.verify ueber_cert
end
end
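Review bot: `SETTINGS.dig(:katello, backend, :ca_cert_file) || Setting[:ssl_ca_file]` falls back correctly when the YAML key has no value (the example config's bare `:ca_cert_file:` parses as nil), but an explicit empty string `""` is truthy in Ruby and will be returned as the CA path. `SETTINGS.dig(:katello, backend, :ca_cert_file).presence || Setting[:ssl_ca_file]` would handle both. Since every other hunk now routes through this method, a small unit test for the three cases (set, nil, blank) would be cheap insurance; none of the seven changed files is a spec.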
5 changes: 2 additions & 3 deletions app/services/katello/pulp/server.rb
Expand Up @@ -22,12 +22,11 @@ def self.config(url, user_remote_id)
}
}

if (ca_cert = SETTINGS[:katello][:pulp][:ca_cert_file])
if (ca_cert = ::Cert::Certs.backend_ca_cert_file(:pulp))
runcible_params[:ca_cert_file] = ca_cert
runcible_params[:verify_ssl] = true
end

runcible_params[:verify_ssl] = SETTINGS[:katello][:pulp][:verify_ssl] if SETTINGS[:katello][:pulp].key?(:verify_ssl)

Runcible::Instance.new(runcible_params)
end
end
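Review bot: with the fallback, `backend_ca_cert_file(:pulp)` is only falsy when `Setting[:ssl_ca_file]` is nil, so the `if` almost always takes the true branch and `verify_ssl = true` is set; in the rare false branch, `verify_ssl` is left unset and Runcible's own default applies. Since the point of the change is predictable SSL handling, setting `runcible_params[:verify_ssl] = true` outside the conditional makes the behaviour explicit regardless of the CA lookup.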
14 changes: 4 additions & 10 deletions config/katello.yaml.example
Expand Up @@ -17,22 +17,16 @@
:oauth_key: katello
:oauth_secret: katello

# refers to the candlepin-ca.crt location that is needed
# to connect to candlepin over https.This is not necessary
# if the candlepin server is running on the same machine as katello
# but required if the server is on a different machine.
# In the different machine case the katello host needs to have a
# copy of /etc/candlepin/certs/candlepin-ca.crt copied from
# the candlepin host and the location of the copied file needs to be
# specified here..
# Optional CA file to user to verify HTTPS connections to Candlepin. If not
# specified, Foreman's ssl_ca_file setting is used.
:ca_cert_file:
# :bulk_load_size: 1000
# Setup your pulp environment here
:pulp:
:sync_threads: 4
# refers to the apache certificate
# (typically /etc/pki/tls/certs/localhost.crt) location that is needed
# to connect to pulp over https.
# Optional CA file to user to verify HTTPS connections to Candlepin. If not
# specified, Foreman's ssl_ca_file setting is used.
:ca_cert_file:
:default_login: admin
:sync_KBlimit:
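Review bot: two copy-paste issues in the new comments. Both read "CA file to user to verify" where "to use to verify" is meant, and the Pulp comment under `:pulp:` says "HTTPS connections to Candlepin" but should say Pulp. Suggested text for the Pulp block: `# Optional CA file to use to verify HTTPS connections to Pulp. If not` / `# specified, Foreman's ssl_ca_file setting is used.` Since the commit message says the example config is now consistent with reality, it is worth getting these two lines right before merge.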