Fixes #30368 - Change Candlepin and Pulp 3 CA handling

This change makes the Candlepin CA file optional by falling back to the Foreman CA file. The result is a reduced configuration in most deployments. For Pulp 3 the certificate is now read in the same way as Candlepin. Previously it relies on the CA being in the global allowed CA. This may be an issue in some cases, but in the default deployment it isn't. Following the general SSL config makes the configuration more predictable for users. It can also be easier in a containerized setup or on a system where the admin is not allowed to modify the system CA certificates. In the ping model the verify_ssl option is dropped. This isn't respected elsewhere and it's misleading to have a valid ping only to have it fail at runtime. It also changes Crane's setting from registry_ca_cert_file to crane_ca_cert_file. This follows what's in the example config, unit tests and installer module. The fact it was not working suggests that it was using the system CA store.
Katello · Apr 7, 2021 · d483104 · d483104
1 parent 680cd85
commit d483104
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 22 deletions.
diff --git a/app/lib/katello/resources/candlepin.rb b/app/lib/katello/resources/candlepin.rb
@@ -11,7 +11,7 @@ class CandlepinResource < HttpResource
         self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}"
         self.consumer_secret = cfg[:oauth_secret]
         self.consumer_key = cfg[:oauth_key]
-        self.ca_cert_file = cfg[:ca_cert_file]
+        self.ca_cert_file = ::Cert::Certs.backend_ca_cert_file(:candlepin)
 
         class << self
           def process_response(response)

diff --git a/app/lib/katello/resources/registry.rb b/app/lib/katello/resources/registry.rb
@@ -33,10 +33,10 @@ def load_class
               registry_url = uri.to_s
 
               # Assume the registry uses the same CA as the Smart Proxy
-              ca_cert_file = Setting[:ssl_ca_file]
+              ca_cert_file = ::Cert::Certs.backend_ca_cert_file(:pulp3)
             elsif (container_config = SETTINGS.dig(:katello, :container_image_registry))
               registry_url = container_config[:crane_url]
-              ca_cert_file = container_config[:registry_ca_cert_file]
+              ca_cert_file = container_config[:crane_ca_cert_file]
             end
 
             fail Errors::ContainerRegistryNotConfigured unless registry_url

diff --git a/app/models/katello/concerns/smart_proxy_extensions.rb b/app/models/katello/concerns/smart_proxy_extensions.rb
@@ -127,6 +127,7 @@ def pulp3_configuration(config_class)
       end
 
       def pulp3_ssl_configuration(config)
+        config.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:pulp3)
         if Faraday.default_adapter == :excon
           config.ssl_client_cert = ::Cert::Certs.ssl_client_cert_filename
           config.ssl_client_key = ::Cert::Certs.ssl_client_key_filename

diff --git a/app/models/katello/ping.rb b/app/models/katello/ping.rb
@@ -254,13 +254,14 @@ def fetch_proxy(capsule_id)
       end
 
       def backend_status(url, backend)
-        ca_file = SETTINGS[:katello][backend][:ca_cert_file]
         request_id = ::Logging.mdc['request']
 
         options = {}
-        options[:ssl_ca_file] = ca_file unless ca_file.nil?
-        options[:verify_ssl] = SETTINGS[:katello][backend][:verify_ssl] if SETTINGS[:katello][backend].key?(:verify_ssl)
+        if (ca_file = ::Cert::Certs.backend_ca_cert_file(backend))
+          options[:ssl_ca_file] = ca_file
+        end
         options[:headers] = { 'Correlation-ID' => request_id } if request_id
+
         client = RestClient::Resource.new("#{url}/status", options)
 
         response = client.get

diff --git a/app/services/cert/certs.rb b/app/services/cert/certs.rb
@@ -24,10 +24,14 @@ def self.ssl_client_key_filename
       Setting['pulp_client_key']
     end
 
+    def self.backend_ca_cert_file(backend)
+      SETTINGS.dig(:katello, backend, :ca_cert_file) || Setting[:ssl_ca_file]
+    end
+
     def self.verify_ueber_cert(organization)
       ueber_cert = OpenSSL::X509::Certificate.new(self.ueber_cert(organization)[:cert])
       cert_store = OpenSSL::X509::Store.new
-      cert_store.add_file SETTINGS[:katello][:candlepin][:ca_cert_file]
+      cert_store.add_file backend_ca_cert_file(:candlepin)
       organization.regenerate_ueber_cert unless cert_store.verify ueber_cert
     end
   end

diff --git a/app/services/katello/pulp/server.rb b/app/services/katello/pulp/server.rb
@@ -22,12 +22,11 @@ def self.config(url, user_remote_id)
           }
         }
 
-        if (ca_cert = SETTINGS[:katello][:pulp][:ca_cert_file])
+        if (ca_cert = ::Cert::Certs.backend_ca_cert_file(:pulp))
           runcible_params[:ca_cert_file] = ca_cert
+          runcible_params[:verify_ssl] = true
         end
 
-        runcible_params[:verify_ssl] = SETTINGS[:katello][:pulp][:verify_ssl] if SETTINGS[:katello][:pulp].key?(:verify_ssl)
-
         Runcible::Instance.new(runcible_params)
       end
     end

diff --git a/config/katello.yaml.example b/config/katello.yaml.example
@@ -23,21 +23,14 @@
   # Setup your candlepin environment here
   :candlepin:
     # refers to the url of the candlepin
-    # example https://localhost:8443/candlepin
     :url: https://localhost:8443/candlepin
 
     # Specify your oauth key and secret used to authenticate between Katello and Candlepin
     :oauth_key: katello
     :oauth_secret: katello
 
-    # refers to the candlepin-ca.crt location that is needed
-    # to connect to candlepin over https.This is not necessary
-    # if the candlepin server is running on the same machine as katello
-    # but required if the server is on a different machine.
-    # In the different machine case the katello host needs to have a
-    # copy of /etc/candlepin/certs/candlepin-ca.crt copied from
-    # the candlepin host and the location of the copied file needs to be
-    # specified here..
+    # Optional CA file to user to verify HTTPS connections to Candlepin. If not
+    # specified, Foreman's ssl_ca_file setting is used.
     :ca_cert_file:
     # :bulk_load_size: 1000
   # Setup your pulp environment here
@@ -48,15 +41,19 @@
 
     :sync_threads: 4
     :bulk_load_size: 100
-    # refers to the apache certificate
-    # (typically /etc/pki/tls/certs/localhost.crt) location that is needed
-    # to connect to pulp over https.
+    # Optional CA file to user to verify HTTPS connections to Pulp. If not
+    # specified, Foreman's ssl_ca_file setting is used.
     :ca_cert_file:
     :default_login: admin
     :sync_KBlimit:
     :upload_chunk_size: 1048575 # upload size in bytes to pulp. see SSLRenegBufferSize in apache
     :skip_checksum_validation: false
 
+  # It is possible to override the CA cert file used to connect. If not
+  # specified, Foreman's ssl_ca_file setting is used.
+  #:pulp3:
+  #  :ca_cert_file:
+
   :qpid:
     :url: amqp:ssl:katello-devel.example.com:5671
     :subscriptions_queue_address: katello_event_queue