Skip to content

Split installation into three distinct phases #119

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ehelms wants to merge 9 commits into from
Closed

Split installation into three distinct phases #119

ehelms wants to merge 9 commits into from

Conversation

@ehelms
Copy link
Member

@ehelms ehelms commented Mar 13, 2025
edited
Loading

Another look at splitting the installation process into three distinct phases. This does use Ansible, but that's just to help orchestrate and automate for testing purposes. The playbook is split into three sections:

  1. Generate default certificates
  2. Install the server w/ quadlets using foreman-quadlets
  3. Install foreman-proxy using the foreman-installer based on ansible installer foreman-installer#1016

The foreman-proxy is not optional at this point. That would require #81

I rebased this on #105 to have the Pulp smart-proxy and thus make the stand-alone smart-proxy optional.

evgeni
evgeni reviewed Mar 17, 2025
View reviewed changes
playbooks/3-stage-deploy.yaml
package:
name: foreman-proxy

- name: Deploy default certificates
Copy link
Member

@evgeni evgeni Mar 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming this is temporarily, given the current installer can't deal well with "proxy only certs for the internal proxy" scenario, what would be the most elegant way for us to pass those certs on?
Part of me wants to say "the tarball we have for external proxies is nice", but given that we don't need to transfer it across systems, it's not strictly required to be a single file (which adds complexity).
We could set the API to be "a folder with a specified structure" (think like the one in ssl-build), but put it soemwhere like /var/lib/foreman-certs and it either gets fed by foreman-certs cli or the certificates role, and then everyone can just pick up things from there.
For the external proxy we'd then tar things up that resemble the same structure and off we go.

Copy link
Member Author

@ehelms ehelms Mar 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is tricky because there is this unfun orchestration that has to happen as shown here. The certificates need to be deployed to a location with the correct ownership (user/group/mode) access by foreman-proxy. Which means the foreman-proxy RPM needs to be installed or something needs to ensure creation of them.

For foreman-installer based certificates, I proposed fixing that with this class https://github.com/theforeman/puppet-certs/pull/449/files#diff-e6327449f108163297d1ce69ca08f3a4d8013b01d772a4be3aba628b223bd8c5 and adding it to the answers file. This wouldn't solve it for the new certificate generation though.

I was also thinking of adding certificate "management" to puppet-foreman_proxy based on a parameter so that the module could ensure the right user/group and permissions are ensured on the certificates. I tried this idea out like 4 years ago -- theforeman/puppet-foreman_proxy#599

Copy link
Member Author

@ehelms ehelms Mar 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated theforeman/puppet-foreman_proxy#599 idea to our current certificates approach.

@ehelms ehelms closed this May 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@evgeni evgeni evgeni left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ehelms @evgeni