Skip to content

Commit

Permalink
Fixes #30368 - Change Candlepin and Pulp 3 CA handling
Browse files Browse the repository at this point in the history
This change makes the Candlepin CA file optional by falling back to the
Foreman CA file. The result is a reduced configuration in most
deployments.

For Pulp 3 the certificate is now read in the same way as Candlepin.
Previously it relies on the CA being in the global allowed CA. This may
be an issue in some cases, but in the default deployment it isn't.
Following the general SSL config makes the configuration more
predictable for users. It can also be easier in a containerized setup or
on a system where the admin is not allowed to modify the system CA
certificates.

In the ping model the verify_ssl option is dropped. This isn't respected
elsewhere and it's misleading to have a valid ping only to have it fail
at runtime.

It also changes Crane's setting from registry_ca_cert_file to
crane_ca_cert_file. This follows what's in the example config, unit
tests and installer module. The fact it was not working suggests that it
was using the system CA store.
  • Loading branch information
ekohl committed Nov 19, 2020
1 parent 201d530 commit 8ef3711
Show file tree
Hide file tree
Showing 7 changed files with 25 additions and 22 deletions.
2 changes: 1 addition & 1 deletion app/lib/katello/resources/candlepin.rb
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ class CandlepinResource < HttpResource
self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}"
self.consumer_secret = cfg[:oauth_secret]
self.consumer_key = cfg[:oauth_key]
self.ca_cert_file = cfg[:ca_cert_file]
self.ca_cert_file = ::Cert::Certs.backend_ca_cert_file(:candlepin)

class << self
def process_response(response)
Expand Down
4 changes: 2 additions & 2 deletions app/lib/katello/resources/registry.rb
Original file line number Diff line number Diff line change
Expand Up @@ -33,10 +33,10 @@ def load_class
registry_url = uri.to_s

# Assume the registry uses the same CA as the Smart Proxy
ca_cert_file = Setting[:ssl_ca_file]
ca_cert_file = ::Cert::Certs.backend_ca_cert_file(:pulp3)
elsif (container_config = SETTINGS.dig(:katello, :container_image_registry))
registry_url = container_config[:crane_url]
ca_cert_file = container_config[:registry_ca_cert_file]
ca_cert_file = container_config[:crane_ca_cert_file]
end

fail Errors::ContainerRegistryNotConfigured unless registry_url
Expand Down
1 change: 1 addition & 0 deletions app/models/katello/concerns/smart_proxy_extensions.rb
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,7 @@ def pulp3_configuration(config_class)
end

def pulp3_ssl_configuration(config)
config.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:pulp3)
if Faraday.default_adapter == :excon
config.ssl_client_cert = ::Cert::Certs.ssl_client_cert_filename
config.ssl_client_key = ::Cert::Certs.ssl_client_key_filename
Expand Down
7 changes: 4 additions & 3 deletions app/models/katello/ping.rb
Original file line number Diff line number Diff line change
Expand Up @@ -226,10 +226,11 @@ def fetch_proxy(capsule_id)
end

def backend_status(url, backend)
ca_file = SETTINGS[:katello][backend][:ca_cert_file]
options = {}
options[:ssl_ca_file] = ca_file unless ca_file.nil?
options[:verify_ssl] = SETTINGS[:katello][backend][:verify_ssl] if SETTINGS[:katello][backend].key?(:verify_ssl)
if (ca_file = ::Cert::Certs.backend_ca_cert_file(backend))
options[:ssl_ca_file] = ca_file
end

client = RestClient::Resource.new("#{url}/status", options)

response = client.get
Expand Down
6 changes: 5 additions & 1 deletion app/services/cert/certs.rb
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,14 @@ def self.ssl_client_key_filename
Setting['pulp_client_key']
end

def self.backend_ca_cert_file(backend)
SETTINGS.dig(:katello, backend, :ca_cert_file) || Setting[:ssl_ca_file]
end

def self.verify_ueber_cert(organization)
ueber_cert = OpenSSL::X509::Certificate.new(self.ueber_cert(organization)[:cert])
cert_store = OpenSSL::X509::Store.new
cert_store.add_file SETTINGS[:katello][:candlepin][:ca_cert_file]
cert_store.add_file backend_ca_cert_file(:candlepin)
organization.regenerate_ueber_cert unless cert_store.verify ueber_cert
end
end
Expand Down
5 changes: 2 additions & 3 deletions app/services/katello/pulp/server.rb
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,11 @@ def self.config(url, user_remote_id)
}
}

if (ca_cert = SETTINGS[:katello][:pulp][:ca_cert_file])
if (ca_cert = ::Cert::Certs.backend_ca_cert_file(:pulp))
runcible_params[:ca_cert_file] = ca_cert
runcible_params[:verify_ssl] = true
end

runcible_params[:verify_ssl] = SETTINGS[:katello][:pulp][:verify_ssl] if SETTINGS[:katello][:pulp].key?(:verify_ssl)

Runcible::Instance.new(runcible_params)
end
end
Expand Down
22 changes: 10 additions & 12 deletions config/katello.yaml.example
Original file line number Diff line number Diff line change
Expand Up @@ -24,21 +24,14 @@
# Setup your candlepin environment here
:candlepin:
# refers to the url of the candlepin
# example https://localhost:8443/candlepin
:url: https://localhost:8443/candlepin

# Specify your oauth key and secret used to authenticate between Katello and Candlepin
:oauth_key: katello
:oauth_secret: katello

# refers to the candlepin-ca.crt location that is needed
# to connect to candlepin over https.This is not necessary
# if the candlepin server is running on the same machine as katello
# but required if the server is on a different machine.
# In the different machine case the katello host needs to have a
# copy of /etc/candlepin/certs/candlepin-ca.crt copied from
# the candlepin host and the location of the copied file needs to be
# specified here..
# Optional CA file to user to verify HTTPS connections to Candlepin. If not
# specified, Foreman's ssl_ca_file setting is used.
:ca_cert_file:
# :bulk_load_size: 1000
# Setup your pulp environment here
Expand All @@ -49,15 +42,20 @@

:sync_threads: 4
:bulk_load_size: 100
# refers to the apache certificate
# (typically /etc/pki/tls/certs/localhost.crt) location that is needed
# to connect to pulp over https.
# Optional CA file to user to verify HTTPS connections to Pulp. If not
# specified, Foreman's ssl_ca_file setting is used.
:ca_cert_file:
:default_login: admin
:sync_KBlimit:
:upload_chunk_size: 1048575 # upload size in bytes to pulp. see SSLRenegBufferSize in apache
:skip_checksum_validation: false

# It is possible to override the CA cert file used to connect. If not
# specified, Foreman's ssl_ca_file setting is used.
# Generally not recommended to set this.
#:pulp3:
# :ca_cert_file:

:qpid:
:url: amqp:ssl:katello-devel.example.com:5671
:subscriptions_queue_address: katello_event_queue
Expand Down

0 comments on commit 8ef3711

Please sign in to comment.