Skip to content

Refs #37601 - Refresh/deploy CA cert on hosts#3193

Merged
Lennonka merged 26 commits into
theforeman:masterfrom
Lennonka:refreshing-ca-certs-on-hosts
Sep 6, 2024
Merged

Refs #37601 - Refresh/deploy CA cert on hosts#3193
Lennonka merged 26 commits into
theforeman:masterfrom
Lennonka:refreshing-ca-certs-on-hosts

Conversation

@Lennonka

@Lennonka Lennonka commented Aug 6, 2024

Copy link
Copy Markdown
Contributor

This is for refreshing the self-signed Foreman CA cert on hosts.

Redmine issue: #37601

  • I am okay with my commits getting squashed when you merge this PR.
  • I am familiar with the contributing guidelines.

Please cherry-pick my commits into: N/A

  • Foreman 3.12
  • Foreman 3.11/Katello 4.13
  • Foreman 3.10/Katello 4.12
  • Foreman 3.9/Katello 4.11 (Satellite 6.15; orcharhino 6.8/6.9)
  • Foreman 3.8/Katello 4.10
  • Foreman 3.7/Katello 4.9 (Satellite 6.14)
  • Foreman 3.6/Katello 4.8
  • Foreman 3.5/Katello 4.7 (Satellite 6.13; orcharhino 6.6/6.7)
  • We do not accept PRs for Foreman older than 3.5.

@Lennonka Lennonka force-pushed the refreshing-ca-certs-on-hosts branch from 45d4922 to c0a0590 Compare August 6, 2024 21:42
@github-actions

github-actions Bot commented Aug 6, 2024

Copy link
Copy Markdown

Comment thread guides/common/modules/con_refreshing-ca-certificates-on-hosts.adoc Outdated
Comment thread guides/common/modules/con_refreshing-ca-certificates-on-hosts.adoc Outdated
Comment thread guides/common/modules/proc_deploying-a-ca-certificate-on-a-host-manually.adoc Outdated
Comment thread guides/common/modules/proc_renaming-smart-proxy.adoc Outdated
@Lennonka Lennonka force-pushed the refreshing-ca-certs-on-hosts branch 4 times, most recently from c06e32f to 484a8ab Compare August 8, 2024 18:45
@Lennonka Lennonka changed the title Refs #37601 - Refresh/deploy SSL certs Refs #37601 - Refresh/deploy CA cert on hosts Aug 8, 2024
@Lennonka Lennonka marked this pull request as ready for review August 8, 2024 18:48
@Lennonka Lennonka force-pushed the refreshing-ca-certs-on-hosts branch from 484a8ab to 661e4c0 Compare August 8, 2024 18:55
Comment thread guides/common/modules/con_refreshing-the-ca-certificate-on-hosts.adoc Outdated
@Lennonka Lennonka force-pushed the refreshing-ca-certs-on-hosts branch 2 times, most recently from ff20ab3 to 6b5f7e2 Compare August 8, 2024 19:10
Comment thread guides/common/modules/snip_verification-ca-set-correctly.adoc Outdated
Comment thread guides/common/modules/snip_verification-ca-set-correctly.adoc Outdated
@Lennonka Lennonka requested a review from ekohl August 12, 2024 21:11
@Lennonka Lennonka force-pushed the refreshing-ca-certs-on-hosts branch from 44184de to 2e6e896 Compare August 12, 2024 21:25
@Lennonka

Copy link
Copy Markdown
Contributor Author

Rebased.

Comment thread guides/common/modules/proc_deploying-the-ca-certificate-on-a-host-manually.adoc Outdated
Comment thread guides/common/modules/proc_planning-for-ca-certificate-renewal.adoc Outdated
Co-authored-by: Eric Helms <eric.d.helms@gmail.com>
@Lennonka

Copy link
Copy Markdown
Contributor Author

@ehelms Since you haven't commented on the Planning section, I'm assuming that it's okay.

Comment thread guides/common/assembly_refreshing-the-ca-certificate-on-hosts.adoc
+
[options="nowrap" subs="+quotes,verbatim,attributes"]
----
https://_{foreman-example-com}_/unattended/public/foreman_ca_refresh

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you go this route, you must mention that for isolated hosts this must be retrieved via a Smart Proxy (AKA Capsule) because they may not be able to access Foreman.

It would be better to implement a dedicated REX job template and that the user selects. Then the user doesn't need to input any fields and we can rely on REX to properly transfer the script. Even if the certificate expired (because SSH push mode doesn't need them) and when the host is isolated.

The same goes for the Script REX procedure.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be better to implement a dedicated REX job template and that the user selects. Then the user doesn't need to input any fields and we can rely on REX to properly transfer the script. Even if the certificate expired (because SSH push mode doesn't need them) and when the host is isolated.
The same goes for the Script REX procedure.

Created a tracker to properly track it: https://projects.theforeman.org/issues/37773

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ekohl with our dropping of API access in the reverse proxy, will isolated hosts have access to this endpoint? do we need to add this endpoint to our list of allowed endpoints?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ekohl with our dropping of API access in the reverse proxy, will isolated hosts have access to this endpoint? do we need to add this endpoint to our list of allowed endpoints?

We already have the templates module which proxies the unattended templates (also for kickstarts etc). I think the current API should cover it, but not 100% sure. This needs to be verified.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ekohl Almost. We are missing get "/:kind/:template" do variant to get it working

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pr-processor pr-processor Bot added the Waiting on contributor Requires an action from the author label Aug 29, 2024
@pr-processor pr-processor Bot added Needs re-review and removed Waiting on contributor Requires an action from the author labels Sep 2, 2024
Comment thread guides/common/modules/con_refreshing-the-ca-certificate-on-hosts.adoc Outdated
@Lennonka

Lennonka commented Sep 3, 2024

Copy link
Copy Markdown
Contributor Author

@ShimShtein @ehelms Are we happy now?

@Lennonka

Lennonka commented Sep 4, 2024

Copy link
Copy Markdown
Contributor Author

Unless there are further comments within the next 24 hours, I suggest we merge it.

@maximiliankolb maximiliankolb left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Lena, LGTM.

@Lennonka

Lennonka commented Sep 5, 2024

Copy link
Copy Markdown
Contributor Author

The fact that it's for self-signed CA certs only seemed important, so I've added it to the titles of the Planning module and the assembly.

@maximiliankolb Can you please give it one more go?

@maximiliankolb maximiliankolb left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, still LGTM.

@Lennonka Lennonka merged commit 69b0498 into theforeman:master Sep 6, 2024
@Lennonka Lennonka deleted the refreshing-ca-certs-on-hosts branch September 6, 2024 09:03
Lennonka added a commit that referenced this pull request Sep 6, 2024
Co-authored-by: Maximilian Kolb <mail@maximilian-kolb.de>
Co-authored-by: Shimon Shtein <sshtein@redhat.com>
Co-authored-by: Eric Helms <eric.d.helms@gmail.com>
@Lennonka

Lennonka commented Sep 6, 2024

Copy link
Copy Markdown
Contributor Author

Cherry-picked:

@Lennonka Lennonka mentioned this pull request Oct 2, 2024
10 tasks
.Procedure
. In the {ProjectWebUI}, navigate to *Monitor* > *Jobs*.
. Click *Run Job*.
. From the *Job category* list, select `Commands`.

@apinnick apinnick Nov 4, 2024

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Lennonka I realize that this has already been merged. I found this PR when I was trying to figure out the RN for this feature. UI elements and options should be marked up as bold, not with backticks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

style review done No issues from docs style/grammar perspective

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants