Refs #37601 - Refresh/deploy CA cert on hosts #3193
Force-pushed 45d4922 to c0a0590.
The PR preview for 3568f89 is available at theforeman-foreman-documentation-preview-pr-3193.surge.sh. The following output files are affected by this PR:
Resolved review threads (outdated): guides/common/modules/con_refreshing-ca-certificates-on-hosts.adoc (2 threads); guides/common/modules/proc_deploying-a-ca-certificate-on-a-host-manually.adoc.
Force-pushed c06e32f to 484a8ab, then 484a8ab to 661e4c0.
Resolved review threads: guides/common/modules/con_refreshing-the-ca-certificate-on-hosts.adoc (outdated); guides/common/modules/proc_deploying-the-ca-certificate-on-a-host-manually.adoc.
Force-pushed ff20ab3 to 6b5f7e2.
Resolved review threads: guides/common/modules/proc_deploying-the-ca-certificate-on-a-host-by-using-ansible-rex.adoc (outdated); guides/common/modules/proc_deploying-the-ca-certificate-on-a-host-by-using-script-rex.adoc (outdated); guides/common/modules/proc_deploying-the-ca-certificate-on-a-host-manually.adoc (2 threads).
Co-authored-by: Maximilian Kolb <[email protected]>
Force-pushed 44184de to 2e6e896.
Rebased.
Resolved review threads: guides/common/modules/proc_deploying-the-ca-certificate-on-a-host-manually.adoc (3 threads, 1 outdated); guides/common/modules/proc_planning-for-ca-certificate-renewal.adoc (outdated).
Co-authored-by: Eric Helms <[email protected]>
Resolved review thread (outdated): guides/common/modules/proc_deploying-the-ca-certificate-on-a-host-by-using-ansible-rex.adoc.
@ehelms Since you haven't commented on the Planning section, I'm assuming that it's okay.
Resolved review threads: guides/common/assembly_refreshing-the-ca-certificate-on-hosts.adoc (outdated); guides/common/modules/proc_deploying-the-ca-certificate-on-a-host-by-using-ansible-rex.adoc (3 threads, 1 outdated); guides/common/modules/proc_deploying-the-ca-certificate-on-a-host-manually.adoc (2 threads).
+ | ||
[options="nowrap" subs="+quotes,verbatim,attributes"] | ||
---- | ||
https://_{foreman-example-com}_/unattended/public/foreman_ca_refresh |
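Review bot: the added lines give only the bare URL https://_{foreman-example-com}_/unattended/public/foreman_ca_refresh and say nothing about how the host checks what it receives from it. This procedure targets hosts whose existing Foreman CA may already have expired, so the download itself may have to run with TLS verification relaxed; the text should tell the reader to compare the fingerprint of the fetched certificate against a value obtained out of band before it is installed, otherwise the new trust anchor is accepted on nothing more than the name in the URL.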
If you go this route, you must mention that for isolated hosts this must be retrieved via a Smart Proxy (AKA Capsule) because they may not be able to access Foreman.
It would be better to implement a dedicated REX job template and that the user selects. Then the user doesn't need to input any fields and we can rely on REX to properly transfer the script. Even if the certificate expired (because SSH push mode doesn't need them) and when the host is isolated.
The same goes for the Script REX procedure.
Created a tracker to properly track it: https://projects.theforeman.org/issues/37773
@ekohl with our dropping of API access in the reverse proxy, will isolated hosts have access to this endpoint? do we need to add this endpoint to our list of allowed endpoints?
We already have the templates module which proxies the unattended templates (also for kickstarts etc). I think the current API should cover it, but not 100% sure. This needs to be verified.
@ekohl Almost. We are missing the `get "/:kind/:template" do` variant to get it working.
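The thread above settles where a host obtains the refreshed CA certificate (Foreman directly, or the Smart Proxy for isolated hosts); none of the procedures under review say how the host checks what it fetched. The following is an added example, not code from the Foreman project or from this PR, of the host-side check a REX script or a manual procedure should perform before installing a refreshed self-signed CA: compute the SHA-256 fingerprint of the fetched certificate, compare it with a value obtained out of band (for example, computed by the administrator on the Foreman server with `openssl x509 -fingerprint -sha256`), and only on a match copy it into the system trust store. The file names `foreman-ca.pem` and `foreman-ca.crt` and the trust-store directories for RHEL-family and Debian-family hosts are assumptions; how the file was fetched is outside the script.

```shell
#!/bin/sh
# Added example: verify a fetched CA certificate against an out-of-band
# SHA-256 fingerprint before installing it as a trust anchor. Not part of
# the Foreman project or of this PR; paths and file names are assumptions.
set -eu

# Print the SHA-256 fingerprint of the first certificate in the PEM file $1
# as colon-separated hex, the same form `openssl x509 -fingerprint` prints.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Return 0 if the certificate in $1 has fingerprint $2. Colons and letter
# case are ignored so a value copied from another tool's output can be
# pasted as-is; an empty expected value never matches.
ca_matches() {
    want=$(printf '%s' "$2" | tr -d ':' | tr '[:lower:]' '[:upper:]')
    have=$(ca_fingerprint "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Install the verified certificate $1 into the system trust store and
# rebuild it. Assumed locations: RHEL-family (update-ca-trust) and
# Debian-family (update-ca-certificates). Refuses on a fingerprint
# mismatch, so a tampered or wrong file never becomes a trust anchor.
install_ca() {
    cert=$1
    expected=$2
    if ! ca_matches "$cert" "$expected"; then
        echo "refusing to install $cert: fingerprint does not match $expected" >&2
        return 1
    fi
    if [ -d /etc/pki/ca-trust/source/anchors ]; then
        cp "$cert" /etc/pki/ca-trust/source/anchors/foreman-ca.pem
        update-ca-trust
    elif [ -d /usr/local/share/ca-certificates ]; then
        cp "$cert" /usr/local/share/ca-certificates/foreman-ca.crt
        update-ca-certificates
    else
        echo "no supported trust store directory found" >&2
        return 1
    fi
}

# Usage: sh refresh-ca.sh /path/to/fetched-ca.pem <expected SHA-256 fingerprint>
# Acts only when both arguments are given, so sourcing the file is harmless.
if [ "${1:-}" ] && [ "${2:-}" ]; then
    install_ca "$1" "$2"
fi
```

The expected fingerprint is the one value that must not travel over the same channel as the certificate: pass it as a REX job input, bake it into the job template, or have the administrator read it out of band. Pinning the fingerprint rather than checking the subject name is what makes the download safe even when the host cannot validate the server it fetched from.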
Resolved review thread (outdated): guides/common/modules/con_refreshing-the-ca-certificate-on-hosts.adoc.
@ShimShtein @ehelms Are we happy now?
Unless there are further comments within the next 24 hours, I suggest we merge it.
Thanks Lena, LGTM.
The fact that it's for self-signed CA certs only seemed important, so I've added it to the titles of the Planning module and the assembly. @maximiliankolb Can you please give it one more go?
Yes, still LGTM.
Co-authored-by: Maximilian Kolb <[email protected]>
Co-authored-by: Shimon Shtein <[email protected]>
Co-authored-by: Eric Helms <[email protected]>
.Procedure | ||
. In the {ProjectWebUI}, navigate to *Monitor* > *Jobs*. | ||
. Click *Run Job*. | ||
. From the *Job category* list, select `Commands`. |
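Review bot: step 3 selects the generic `Commands` job category, which leaves the user to supply the refresh command by hand in a later step, and that free-form input is where a wrong URL or the wrong Smart Proxy gets typed. If a dedicated job template for the CA refresh is introduced, as proposed in the review thread above, this step should name that template and the `Commands` category should go; until then, the procedure should at least state the exact command the user is expected to enter so the step is not open-ended.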
This is for refreshing the self-signed Foreman CA cert on hosts.
Redmine issue: #37601
Please cherry-pick my commits into: N/A