Minimal Foreman scenario #518
base: develop
You may also want to set tftp to false until theforeman/puppet-foreman_proxy#602 is merged.
@@ -11,6 +11,17 @@ | |||
--- | |||
foreman: | |||
configure_epel_repo: false | |||
server_ssl_crl: "" | |||
server_ssl_ca: "/etc/foreman-pki/certs/ca/ca.crt" | |||
server_ssl_chain: "/etc/foreman-pki/certs/ca/ca.crt" |
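Review bot: server_ssl_crl is set to the empty string, so the Apache vhost is configured without any CRL and a revoked client certificate would still be accepted; if that is intentional for the minimal scenario, say so in a YAML comment next to the key, otherwise point it at the CRL published by the CA in /etc/foreman-pki. Note also that server_ssl_ca and server_ssl_chain both reference the same /etc/foreman-pki/certs/ca/ca.crt, which only holds while the issuing CA is a single self-signed certificate with no intermediates.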
I don't like this scheme naming. It implies a single CA but we know that's not true. I'd suggest at least symlinks: /etc/foreman-pki/certs/apache/apache-ca.pem
There is still "custom certificates" to come support wise which is why this is currently this way. It is built around a single CA concept as the intro use case. I'm still contemplating how to handle custom certificates and at what level. I think it would be nice if we could get away with the simple case of supplying a single CA rather than customizing only some certificates but feedback so far is that is not feasible for all use cases.
If we already use bundles of 3 (cert, key, ca) then we can easily support that in the future. If you symlink to the common CA, you still only have a single file. Perhaps we should also have a 4th (chain) for when we have client auth.
I'd also recommend looking at certbot (the Let's Encrypt client). It creates a structure:
- cert.pem (certificate)
- chain.pem (the CA chain, including intermediates)
- fullchain.pem (the full chain - from CA to cert)
- privkey.pem (private key)
It does so for every certificate. Perhaps we should follow the same where the directory indicates the purpose and the file names within the directory are always the same. That way you could create a bundle private-ca and a bundle public-ca. Then just symlink apache to public-ca and you're done. However, perhaps file permissions will get in the way.
server_ssl_crl: "" | ||
server_ssl_ca: "/etc/foreman-pki/certs/ca/ca.crt" | ||
server_ssl_chain: "/etc/foreman-pki/certs/ca/ca.crt" | ||
server_ssl_cert: "/etc/foreman-pki/certs/apache/apache.crt" |
I'd consider using the pem extension since they're pem encoded files.
server_ssl_cert: "/etc/foreman-pki/certs/apache/apache.crt" | |
server_ssl_cert: "/etc/foreman-pki/certs/apache/apache-crt.pem" |
I've tried to research this and look at lots of examples. I landed on that in most cases I could find using the .crt and .key extensions appears to be fairly common and what folks care more about than the format, especially given PEM is pretty standard.
config/foreman-answers.yaml
ssl_ca: "/etc/foreman-pki/certs/ca/ca.crt" | ||
ssl_cert: "/etc/foreman-pki/certs/smart-proxy/smart-proxy.crt" | ||
ssl_key: "/etc/foreman-pki/certs/smart-proxy/smart-proxy.key" | ||
ssldir: "/etc/foreman-pki/certs" |
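Review bot: ssl_key points at /etc/foreman-pki/certs/smart-proxy/smart-proxy.key inside the same certs tree as the public CA and certificate files, and the hunk says nothing about who owns that file or what mode it gets; the proxy process has to read it while nothing else should, so document the expected ownership and mode for the key files next to this layout (or keep private keys in a separate directory with tighter permissions than the certs). Separately, ssldir is given the new certs directory although the other keys describe the Foreman PKI, which reads like a mix-up with the Puppet SSL directory.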
This is wrong. ssldir is the Puppet CA SSL directory and only used to configure the Puppet CA cert provider. That's only used with Puppet 5, Puppet 6 uses Puppet's REST API.
You can argue the parameter has a bad name and you'd be right.
You did a great job arguing the bad name for me :)
I'm wondering what we should do. I hope to drop Puppet 5 support when it goes EOL in November. The REST API implementation also works with Puppet 5 but you miss some fields that are only shown in the UI so I think dropping that provider is fine. Then we can drop the parameter.
Given November is Foreman 2.3 or 2.4, I'm not sure renaming it for 2 or 3 releases is worth it.
@@ -11,6 +11,17 @@ | |||
--- | |||
foreman: | |||
configure_epel_repo: false | |||
server_ssl_crl: "" | |||
server_ssl_ca: "/etc/foreman-pki/certs/ca/ca.crt" |
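Review bot: the new keys hardcode absolute /etc/foreman-pki/... paths in the answers file with no comment marking them as temporary values for iterating on the scenario; since the thread agrees these paths should end up as defaults in the Puppet modules, add a YAML comment stating that (or drop the keys once the module carries the defaults) so the scenario file does not become the place the layout is copied from.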
Just to be explicit about this: I hope we're not ending up with passing this via answers and this is just so you can iterate quickly.
This is to help with iterating. Is this asking that in the end these paths are the defaults in the puppet modules?
Yes
Definitely, assuming we arrived at an agreed upon file layout I planned to do that. You can see some of my testing code that did this here: https://github.com/theforeman/puppet-foreman/pull/856/files
Tracking current test scenario that results in a successful install for Foreman:
This is largely for testing purposes to help find the knobs that need to be tweaked to have a minimal Foreman installation.