From 579f5df95d76d510b3a705487a1b0cc2a34dd279 Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Tue, 18 Feb 2025 12:22:18 +0100 Subject: [PATCH 1/9] use pulp_smart_proxy not smart_proxy_pulp --- roles/foreman/tasks/main.yaml | 2 +- roles/pulp/defaults/main.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/foreman/tasks/main.yaml b/roles/foreman/tasks/main.yaml index 562924d6..af9686ca 100644 --- a/roles/foreman/tasks/main.yaml +++ b/roles/foreman/tasks/main.yaml @@ -144,7 +144,7 @@ - name: Configure Foreman Proxy theforeman.foreman.smart_proxy: name: "{{ ansible_fqdn }}" - url: "https://{{ ansible_fqdn }}:9090" + url: "https://{{ ansible_fqdn }}/pulp/api/v3/smart_proxy" server_url: "http://{{ ansible_fqdn }}:3000" username: admin password: changeme diff --git a/roles/pulp/defaults/main.yaml b/roles/pulp/defaults/main.yaml index 745df33c..5fd89271 100644 --- a/roles/pulp/defaults/main.yaml +++ b/roles/pulp/defaults/main.yaml @@ -1,5 +1,5 @@ --- -pulp_image: quay.io/pulp/pulp-minimal:3.63 +pulp_image: quay.io/evgeni/pulp-smart:latest pulp_api_image: "{{ pulp_image }}" pulp_content_image: "{{ pulp_image }}" pulp_worker_image: "{{ pulp_image }}" From 0ed0805eab73195e80dc4c634770fe293b862c66 Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Thu, 20 Feb 2025 11:40:03 +0100 Subject: [PATCH 2/9] configure rhsm url for pulp_smart_proxy --- roles/pulp/defaults/main.yaml | 1 + roles/pulp/templates/settings.py.j2 | 2 ++ 2 files changed, 3 insertions(+) diff --git a/roles/pulp/defaults/main.yaml b/roles/pulp/defaults/main.yaml index 5fd89271..b1ff7e38 100644 --- a/roles/pulp/defaults/main.yaml +++ b/roles/pulp/defaults/main.yaml @@ -14,5 +14,6 @@ pulp_content_container_name: pulp-content pulp_worker_container_name: pulp-worker pulp_content_origin: "http://{{ ansible_fqdn }}:24816" +pulp_rhsm_url: "https://{{ ansible_fqdn }}/rhsm" pulp_enable_analytics: false 
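Review bot: `pulp_image` moves from the pinned upstream `quay.io/pulp/pulp-minimal:3.63` to the mutable `quay.io/evgeni/pulp-smart:latest` tag in a personal namespace, so what runs on each deploy now depends on whatever was last pushed to that tag and cannot be reproduced later. If a custom build is required, publish it under a version tag or reference it by digest, e.g. `pulp_image: quay.io/evgeni/pulp-smart@sha256:<digest of the tested build>`, and note in the defaults file why the upstream image is not used. The same `:latest` switch is made again for `vars/images.yml` in patch 9 of this series, so both places should carry the same pin.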
diff --git a/roles/pulp/templates/settings.py.j2 b/roles/pulp/templates/settings.py.j2 index 10a9de6f..e64e3cca 100644 --- a/roles/pulp/templates/settings.py.j2 +++ b/roles/pulp/templates/settings.py.j2 @@ -18,3 +18,5 @@ AUTHENTICATION_BACKENDS=['pulpcore.app.authentication.PulpNoCreateRemoteUserBack REMOTE_USER_ENVIRON_NAME="HTTP_REMOTE_USER" REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES=('rest_framework.authentication.SessionAuthentication', 'pulpcore.app.authentication.PulpRemoteUserAuthentication') ANALYTICS = {{ pulp_enable_analytics | ternary('True', 'False') }} + +SMART_PROXY_RHSM_URL="{{ pulp_rhsm_url }}" From 704c431926508e83f408d419ac21e47c97dff377 Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Thu, 20 Feb 2025 11:42:37 +0100 Subject: [PATCH 3/9] disable foreman_proxy, we don't need it anymore --- playbooks/deploy.yaml | 6 ------ tests/foreman_proxy_test.py | 33 +-------------------------------- 2 files changed, 1 insertion(+), 38 deletions(-) diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index 23dfddff..b7db92d1 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -22,11 +22,6 @@ candlepin_tomcat_certificate: "{{ localhost_certificate }}" candlepin_client_key: "{{ client_key }}" candlepin_client_certificate: "{{ client_certificate }}" - foreman_proxy_ca_certificate: "{{ ca_certificate }}" - foreman_proxy_server_key: "{{ server_key }}" - foreman_proxy_server_certificate: "{{ server_certificate }}" - foreman_proxy_client_key: "{{ client_key }}" - foreman_proxy_client_certificate: "{{ client_certificate }}" foreman_ca_certificate: "{{ ca_certificate }}" foreman_client_key: "{{ client_key }}" foreman_client_certificate: "{{ client_certificate }}" @@ -74,5 +69,4 @@ - candlepin - httpd - pulp - - foreman_proxy - foreman diff --git a/tests/foreman_proxy_test.py b/tests/foreman_proxy_test.py index f0fb5780..d9ab3534 100644 --- a/tests/foreman_proxy_test.py +++ b/tests/foreman_proxy_test.py 
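Review bot: `SMART_PROXY_RHSM_URL="{{ pulp_rhsm_url }}"` splices the variable into a hand-quoted Python string literal, so any value containing `"` or a backslash renders an unparseable settings module and the Pulp containers fail to start. Rendering the literal with Ansible's JSON filter produces a correctly quoted string for every input: `SMART_PROXY_RHSM_URL = {{ pulp_rhsm_url | to_json }}`. The same applies to `SMART_PROXY_PULP_URL` added to this template in patch 4.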
@@ -7,37 +7,6 @@ FOREMAN_PROXY_PORT = 9090 -@pytest.fixture(scope="module") -def foreman_proxy_version_curl(server): - return server.run(f"curl -k -s -w '%{{stderr}}%{{http_code}}' https://{FOREMAN_PROXY_HOST}:{FOREMAN_PROXY_PORT}/version") - - -@pytest.fixture(scope="module") -def foreman_proxy_features_curl(server, certificates): - return server.run(f"curl -k -s -w '%{{stderr}}%{{http_code}}' --cert {certificates['client_certificate']} --key {certificates['client_key']} https://{FOREMAN_PROXY_HOST}:{FOREMAN_PROXY_PORT}/v2/features") - - -def test_foreman_proxy_service(server): - foreman_proxy = server.service("foreman-proxy") - assert foreman_proxy.is_running - assert foreman_proxy.is_enabled - - def test_foreman_proxy_port(server): foreman_proxy = server.addr(FOREMAN_PROXY_HOST) - assert foreman_proxy.port(FOREMAN_PROXY_PORT).is_reachable - - -def test_foreman_proxy_version(foreman_proxy_version_curl): - assert foreman_proxy_version_curl.succeeded - assert foreman_proxy_version_curl.stderr == '200' - - -def test_foreman_proxy_features(foreman_proxy_features_curl): - assert foreman_proxy_features_curl.succeeded - assert foreman_proxy_features_curl.stderr == '200' - - -def test_pulpcore_feature(foreman_proxy_features_curl): - features = json.loads(foreman_proxy_features_curl.stdout) - assert 'pulpcore' in features.keys() + assert not foreman_proxy.port(FOREMAN_PROXY_PORT).is_reachable From ba839fdefb4dc202fdfafbe7ac0fa5a3ade85cbf Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Thu, 20 Feb 2025 12:16:49 +0100 Subject: [PATCH 4/9] set pulp url --- playbooks/deploy.yaml | 1 + roles/pulp/defaults/main.yaml | 1 + roles/pulp/templates/settings.py.j2 | 1 + 3 files changed, 3 insertions(+) diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index b7db92d1..72b83634 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml 
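Review bot: The flipped assertion `assert not foreman_proxy.port(FOREMAN_PROXY_PORT).is_reachable` passes for every reason nothing listens on 9090, including a host that was never configured, so it no longer tells the test suite anything about the deployment; if the intent is to guarantee the proxy role is gone, checking the service does not exist would say so more directly. The removed `test_pulpcore_feature` was the only visible user of `json.loads`, and the removed fixtures were the only visible users of `pytest`, so the file's imports (outside this hunk) are presumably now unused and should be dropped along with them. A short module comment stating why the port is expected to be closed would help the next reader, since the constant `FOREMAN_PROXY_PORT = 9090` is kept.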
@@ -35,6 +35,7 @@ pulp_db_password: "CHANGEME" pulp_content_origin: "https://{{ ansible_fqdn }}" postgresql_restarted_state: started + pulp_pulp_url: "https://{{ ansible_fqdn }}" postgresql_databases: - name: candlepin owner: candlepin diff --git a/roles/pulp/defaults/main.yaml b/roles/pulp/defaults/main.yaml index b1ff7e38..4717e1b6 100644 --- a/roles/pulp/defaults/main.yaml +++ b/roles/pulp/defaults/main.yaml @@ -15,5 +15,6 @@ pulp_worker_container_name: pulp-worker pulp_content_origin: "http://{{ ansible_fqdn }}:24816" pulp_rhsm_url: "https://{{ ansible_fqdn }}/rhsm" +pulp_pulp_url: "http://{{ ansible_fqdn }}:24817" pulp_enable_analytics: false diff --git a/roles/pulp/templates/settings.py.j2 b/roles/pulp/templates/settings.py.j2 index e64e3cca..d6841f48 100644 --- a/roles/pulp/templates/settings.py.j2 +++ b/roles/pulp/templates/settings.py.j2 @@ -20,3 +20,4 @@ REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES=('rest_framework.authentication.S ANALYTICS = {{ pulp_enable_analytics | ternary('True', 'False') }} SMART_PROXY_RHSM_URL="{{ pulp_rhsm_url }}" +SMART_PROXY_PULP_URL="{{ pulp_pulp_url }}" From c1addbd3aa553247475b70b4a36e1d585402d10a Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Wed, 26 Feb 2025 15:08:27 +0100 Subject: [PATCH 5/9] rename the pulp-only proxy --- roles/foreman/tasks/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/foreman/tasks/main.yaml b/roles/foreman/tasks/main.yaml index af9686ca..21aa98e1 100644 --- a/roles/foreman/tasks/main.yaml +++ b/roles/foreman/tasks/main.yaml @@ -143,7 +143,7 @@ - name: Configure Foreman Proxy theforeman.foreman.smart_proxy: - name: "{{ ansible_fqdn }}" + name: "{{ ansible_fqdn }}-pulp" url: "https://{{ ansible_fqdn }}/pulp/api/v3/smart_proxy" server_url: "http://{{ ansible_fqdn }}:3000" username: admin From c431eaf035142fdc83e780cc1b53259a77699c7c Mon Sep 17 00:00:00 2001 
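Review bot: `pulp_pulp_url` and `pulp_rhsm_url` are added to the role defaults without any comment on what consumes them, and the defaults (`http://{{ ansible_fqdn }}:24817`, `https://{{ ansible_fqdn }}/rhsm`) differ in scheme from each other and from the `https://{{ ansible_fqdn }}` override the playbook sets for `pulp_pulp_url`. A one-line comment above each, e.g. `# rendered into SMART_PROXY_PULP_URL in templates/settings.py.j2`, would tell a reader where the value ends up and that the plaintext default is only meant for the in-host port.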
From: Evgeni Golov Date: Mon, 24 Feb 2025 10:43:07 +0100 Subject: [PATCH 6/9] deploy to localhost --- ansible.cfg | 1 - playbooks/deploy.yaml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/ansible.cfg b/ansible.cfg index 5417da8c..ec01ee87 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,6 +1,5 @@ [defaults] host_key_checking = False -inventory = vagrant.py stdout_callback=debug stderr_callback=debug roles_path = ~/.ansible/roles:./roles diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index 72b83634..fb511cb9 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -1,7 +1,7 @@ --- - name: Setup quadlet demo machine hosts: - - quadlet + - localhost become: true vars_files: - "../vars/{{ certificate_source }}_certificates.yml" From 9b4168a2c4c8281e57b0b854512818e5436981a1 Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Fri, 7 Mar 2025 11:07:23 +0100 Subject: [PATCH 7/9] is this an ansible based installer?! --- playbooks/deploy.yaml | 11 +++++++++++ requirements.yml | 1 + roles/foreman_certs/tasks/main.yml | 3 +++ 3 files changed, 15 insertions(+) create mode 100644 roles/foreman_certs/tasks/main.yml diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index fb511cb9..a6115281 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -58,6 +58,8 @@ - { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 } - { type: host, database: all, user: all, address: '::1/128', auth_method: md5 } roles: + - role: foreman_certs + when: "certificate_source == 'installer'" - role: certificates when: "certificate_source == 'default'" - role: certificate_checks 
@@ -71,3 +73,12 @@ - httpd - pulp - foreman + - role: theforeman.operations.installer + vars: + foreman_installer_scenario: katello + foreman_installer_package: foreman-installer-katello + foreman_installer_options: + - '--foreman-proxy-oauth-consumer-key {{ foreman_oauth_consumer_key }}' + - '--foreman-proxy-oauth-consumer-secret {{ foreman_oauth_consumer_secret }}' + - '--tuning development' + when: "certificate_source == 'installer'" diff --git a/requirements.yml b/requirements.yml index 809ce19a..8618d42f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -6,6 +6,7 @@ collections: - name: containers.podman version: ">=1.14.0" - name: theforeman.foreman + - name: theforeman.operations - name: https://github.com/theforeman/forklift type: git diff --git a/roles/foreman_certs/tasks/main.yml b/roles/foreman_certs/tasks/main.yml new file mode 100644 index 00000000..3be8fed4 --- /dev/null +++ b/roles/foreman_certs/tasks/main.yml @@ -0,0 +1,3 @@ +# utilize https://github.com/theforeman/foreman-installer/pull/935 +- name: Generate certs + ansible.builtin.command: foreman-certs --apache true --foreman true --candlepin true --foreman-proxy true From badcc0bd474b09ece478f66aaab036d192badd1a Mon Sep 17 00:00:00 2001 From: "Eric D. Helms" Date: Tue, 11 Mar 2025 14:04:02 -0400 Subject: [PATCH 8/9] Set postgres handler to started to prevent restarts --- playbooks/deploy.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index a6115281..c5b8a910 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -36,6 +36,7 @@ pulp_content_origin: "https://{{ ansible_fqdn }}" postgresql_restarted_state: started pulp_pulp_url: "https://{{ ansible_fqdn }}" + postgresql_restarted_state: started postgresql_databases: - name: candlepin owner: candlepin From 5588299abd0137477c06eca6591bfb9684f4f86f Mon Sep 17 00:00:00 2001 
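Review bot: `--foreman-proxy-oauth-consumer-secret {{ foreman_oauth_consumer_secret }}` puts the secret on the installer's command line, where it is visible in the process list and is echoed in the Ansible task output and any log the run is captured in. Mark the role entry `no_log: true` (presumably honoured for the command task inside the role) and treat the value as a vaulted variable rather than an inline literal; the installer also persists the options it is given, so the answers file it writes should be root-readable only.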
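Review bot: `- name: theforeman.operations` is added without a version constraint while the neighbouring `containers.podman` entry pins `version: ">=1.14.0"`; since the playbook depends on the `installer` role (and, in patch 9, on `puppet_repositories` and `foreman_repositories`) from this collection, a minimum version is needed for reproducible installs. Something like `version: ">=<minimum release providing the installer role>"` keeps the file consistent.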
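Review bot: The `ansible.builtin.command: foreman-certs --apache true --foreman true --candlepin true --foreman-proxy true` task has no `creates:` or `changed_when:`, so it reports changed and regenerates the certificates on every replay of the playbook, which invalidates whatever the previous run deployed. Add `creates: <path of a file foreman-certs writes>` so the task is skipped once the certificates exist, and expand the `# utilize` comment to say which files this is expected to produce so the consumers in `roles/foreman_certs` can be verified.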
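Review bot: The added `postgresql_restarted_state: started` duplicates the identical key already present two lines above it in the same `vars:` mapping, as the hunk's own context shows. Ansible's YAML loader warns about the duplicate and keeps only the last occurrence, so the line adds nothing but a warning; drop it, or if the earlier line was not taking effect, the cause is elsewhere and should be investigated instead.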
From: "Eric D. Helms" Date: Wed, 12 Mar 2025 17:07:33 -0400 Subject: [PATCH 9/9] Split installation into three distinct phases Signed-off-by: Eric D. Helms --- .github/workflows/test.yml | 2 +- ansible.cfg | 1 + playbooks/3-stage-deploy.yaml | 143 ++++++++++++++++++++++++++++++++++ tests/foreman_proxy_test.py | 28 ++++++- vars/default_certificates.yml | 1 + vars/images.yml | 2 +- 6 files changed, 174 insertions(+), 3 deletions(-) create mode 100644 playbooks/3-stage-deploy.yaml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 35a66f7b..1b7daf17 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -61,6 +61,6 @@ jobs: ansible-playbook playbooks/images.yaml - name: Run deployment run: | - ansible-playbook playbooks/deploy.yaml + ansible-playbook playbooks/3-stage-deploy.yaml - name: Run tests run: ./run_tests diff --git a/ansible.cfg b/ansible.cfg index ec01ee87..5417da8c 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,5 +1,6 @@ [defaults] host_key_checking = False +inventory = vagrant.py stdout_callback=debug stderr_callback=debug roles_path = ~/.ansible/roles:./roles diff --git a/playbooks/3-stage-deploy.yaml b/playbooks/3-stage-deploy.yaml new file mode 100644 index 00000000..04e297fc --- /dev/null +++ b/playbooks/3-stage-deploy.yaml 
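Review bot: `+inventory = vagrant.py` restores exactly the line that patch 6 of this series removed, so the two commits cancel out and the series should be squashed so the history does not toggle the default inventory. Note that after this patch `playbooks/deploy.yaml` (changed to `localhost` in patch 6) and the new `playbooks/3-stage-deploy.yaml` (targeting `quadlet`) assume different inventories, which is worth a sentence in the commit message or a comment in `ansible.cfg`.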
@@ -0,0 +1,143 @@ +- name: Generate certificates + become: true + hosts: + - quadlet + vars_files: + - "../vars/{{ certificate_source }}_certificates.yml" + vars: + certificate_source: default + certificates_hostnames: + - "{{ ansible_fqdn }}" + - localhost + certificates_ca_password: "CHANGEME" + roles: + - role: certificates + when: "certificate_source == 'default'" + - role: certificate_checks + vars: + certificate_checks_certificate: "{{ server_certificate }}" + certificate_checks_key: "{{ server_key }}" + certificate_checks_ca: "{{ ca_certificate }}" + +- name: Install server + become: true + hosts: + - quadlet + vars_files: + - "../vars/{{ certificate_source }}_certificates.yml" + - "../vars/images.yml" + vars: + certificate_source: default + candlepin_db_password: "CHANGEME" + candlepin_keystore_password: "CHANGEME" + candlepin_oauth_secret: "CHANGEME" + candlepin_ca_key_password: "{{ ca_key_password }}" + candlepin_ca_key: "{{ ca_key }}" + candlepin_ca_certificate: "{{ ca_certificate }}" + candlepin_tomcat_key: "{{ localhost_key }}" + candlepin_tomcat_certificate: "{{ localhost_certificate }}" + candlepin_client_key: "{{ client_key }}" + candlepin_client_certificate: "{{ client_certificate }}" + foreman_ca_certificate: "{{ ca_certificate }}" + foreman_client_key: "{{ client_key }}" + foreman_client_certificate: "{{ client_certificate }}" + foreman_db_password: "CHANGEME" + foreman_oauth_consumer_key: abcdefghijklmnopqrstuvwxyz123456 + foreman_oauth_consumer_secret: abcdefghijklmnopqrstuvwxyz123456 + httpd_server_ca_certificate: "{{ ca_certificate }}" + httpd_client_ca_certificate: "{{ ca_certificate }}" + httpd_server_certificate: "{{ server_certificate }}" + httpd_server_key: "{{ server_key }}" + pulp_db_password: "CHANGEME" + pulp_content_origin: "https://{{ ansible_fqdn }}" + pulp_pulp_url: "https://{{ ansible_fqdn }}" + postgresql_restarted_state: started + postgresql_databases: + - name: candlepin + owner: candlepin + - name: foreman + owner: foreman + 
- name: pulp + owner: pulp + postgresql_users: + - name: candlepin + password: "{{ candlepin_db_password }}" + - name: foreman + password: "{{ foreman_db_password }}" + - name: pulp + password: "{{ pulp_db_password }}" + postgresql_hba_entries: + - { type: local, database: all, user: postgres, auth_method: ident } + - { type: local, database: all, user: all, auth_method: ident } + - { type: host, database: all, user: postgres, address: '127.0.0.1/32', auth_method: md5 } + - { type: host, database: all, user: postgres, address: '0.0.0.0/0', auth_method: reject } + - { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 } + - { type: host, database: all, user: all, address: '::1/128', auth_method: md5 } + roles: + - geerlingguy.postgresql + - redis + - candlepin + - httpd + - pulp + - foreman + +- name: Install smart-proxy + become: true + hosts: + - quadlet + vars_files: + - "../vars/{{ certificate_source }}_certificates.yml" + vars: + certificate_source: default + foreman_oauth_consumer_key: abcdefghijklmnopqrstuvwxyz123456 + foreman_oauth_consumer_secret: abcdefghijklmnopqrstuvwxyz123456 + pre_tasks: + - name: Enable foreman-installer PR 1016 Copr repo + community.general.copr: + host: copr.fedorainfracloud.org + state: enabled + name: packit/theforeman-foreman-installer-1016 + chroot: rhel-9-x86_64 + + - ansible.builtin.include_role: + name: theforeman.operations.puppet_repositories + vars: + foreman_puppet_repositories_version: "8" + + - ansible.builtin.include_role: + name: theforeman.operations.foreman_repositories + vars: + foreman_repositories_version: nightly + foreman_repositories_katello_version: nightly + + - name: Install foreman-proxy + package: + name: foreman-proxy + + - name: Deploy default certificates + ansible.builtin.copy: + src: "{{ item.value }}" + dest: "{{ item.key }}" + remote_src: true + owner: foreman-proxy + group: foreman-proxy + mode: 440 + loop: "{{ certs | dict2items }}" + vars: + certs: + 
'/etc/foreman-proxy/foreman_ssl_ca.pem': "{{ ca_certificate }}" + '/etc/foreman-proxy/foreman_ssl_cert.pem': "{{ client_certificate }}" + '/etc/foreman-proxy/foreman_ssl_key.pem': "{{ client_key }}" + '/etc/foreman-proxy/ssl_ca.pem': "{{ ca_certificate }}" + '/etc/foreman-proxy/ssl_cert.pem': "{{ server_certificate }}" + '/etc/foreman-proxy/ssl_key.pem': "{{ server_key }}" + roles: + - role: theforeman.operations.installer + vars: + foreman_installer_scenario: katello + foreman_installer_package: foreman-installer-katello + foreman_installer_options: + - '--foreman-proxy-oauth-consumer-key {{ foreman_oauth_consumer_key }}' + - '--foreman-proxy-oauth-consumer-secret {{ foreman_oauth_consumer_secret }}' + - '--no-enable-katello' + - '--tuning development' diff --git a/tests/foreman_proxy_test.py b/tests/foreman_proxy_test.py index d9ab3534..420614c7 100644 --- a/tests/foreman_proxy_test.py +++ b/tests/foreman_proxy_test.py 
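Review bot: `mode: 440` in the "Deploy default certificates" task is an unquoted YAML integer, which Ansible treats as decimal 440 (octal 0670), so the copied private keys end up `-rw-rwx---` rather than read-only; Ansible's file-module documentation calls this out explicitly. Quote it as `mode: "0440"`. The OAuth consumer key and secret `abcdefghijklmnopqrstuvwxyz123456` are also defined inline twice, in the "Install server" and "Install smart-proxy" plays; since they must agree, lift them into one vars file (vaulted for anything beyond a demo) so a change cannot leave the two plays out of sync.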
@@ -7,6 +7,32 @@ FOREMAN_PROXY_PORT = 9090 +@pytest.fixture(scope="module") +def foreman_proxy_version_curl(server): + return server.run(f"curl -k -s -w '%{{stderr}}%{{http_code}}' https://{FOREMAN_PROXY_HOST}:{FOREMAN_PROXY_PORT}/version") + + +@pytest.fixture(scope="module") +def foreman_proxy_features_curl(server, certificates): + return server.run(f"curl -k -s -w '%{{stderr}}%{{http_code}}' --cert {certificates['client_certificate']} --key {certificates['client_key']} https://{FOREMAN_PROXY_HOST}:{FOREMAN_PROXY_PORT}/v2/features") + + +def test_foreman_proxy_service(server): + foreman_proxy = server.service("foreman-proxy") + assert foreman_proxy.is_running + assert foreman_proxy.is_enabled + + def test_foreman_proxy_port(server): foreman_proxy = server.addr(FOREMAN_PROXY_HOST) - assert not foreman_proxy.port(FOREMAN_PROXY_PORT).is_reachable + assert foreman_proxy.port(FOREMAN_PROXY_PORT).is_reachable + + +def test_foreman_proxy_version(foreman_proxy_version_curl): + assert foreman_proxy_version_curl.succeeded + assert foreman_proxy_version_curl.stderr == '200' + + +def test_foreman_proxy_features(foreman_proxy_features_curl): + assert foreman_proxy_features_curl.succeeded + assert foreman_proxy_features_curl.stderr == '200' diff --git a/vars/default_certificates.yml b/vars/default_certificates.yml index a20083f0..ca36a8a0 100644 --- a/vars/default_certificates.yml +++ b/vars/default_certificates.yml @@ -1,4 +1,5 @@ --- +certificates_ca_directory: "/root/certificates" ca_key_password: "{{ certificates_ca_directory }}/private/ca.pwd" ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt" ca_key: "{{ certificates_ca_directory }}/private/ca.key" diff --git a/vars/images.yml b/vars/images.yml index 8d71583c..e6a5e20e 100644 --- a/vars/images.yml +++ b/vars/images.yml 
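Review bot: Both restored fixtures call `curl -k`, so `test_foreman_proxy_version` and `test_foreman_proxy_features` accept any certificate on port 9090 and never confirm that the proxy is serving the CA and server certificate the playbook deploys. Replacing `-k` with `--cacert <CA certificate path from the certificates fixture>` would make the features test a real end-to-end check of the client and server trust the deployment sets up, which is the property a smart-proxy installation most needs verified. The `certificates` fixture is defined outside this hunk, so whether it already exposes the CA path cannot be confirmed here.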
@@ -4,7 +4,7 @@ foreman_container_image: "quay.io/evgeni/foreman-rpm" foreman_container_tag: "nightly" foreman_proxy_container_image: "quay.io/evgeni/foreman-proxy-rpm" foreman_proxy_container_tag: "nightly" -pulp_image: quay.io/pulp/pulp-minimal:3.63 +pulp_image: quay.io/evgeni/pulp-smart:latest redis_image: quay.io/sclorg/redis-6-c9s:latest images: