[WIP] Add a split katello nightly pipeline

[ekohl]

Needs theforeman/puppet-katello#209 and theforeman/puppet-service_wait#28 and even then it's still a WIP.

[ekohl]

@timogoebel I'm now running into the problem that the app VM doesn't trust the certs from the services VM. @Klaas- mentioned you also looked into this.

[timogoebel]

Yes. I'll share our work with you tomorrow. Basically we created a central ca server that generated rpms that we copied to the other servers. One limitation is, that the certs module just has classes and no defined types. That lead to some duplicate declarations.

[ehelms]

We need the three above this or else the services box won't have a proxy running on it (which is required).

[ekohl]

Good point, hadn't reached a point yet where I could actually use the service.

[ekohl]

It does mean we have a dependency cycle: smart proxy wants to register to foreman, foreman isn't provisioned yet but needs Candlepin in turn. Deploying a server with Candlepin means we have to fix the CRL in Pulp. A simple crl-updater script might be sufficient.

[timogoebel]

@ekohl: You can find our approach in this gist: https://gist.github.com/timogoebel/e4d26249d2b993fd4f084d65cacbed52
Might be an interesting read. I think it's obvious that this is very, very WIP code.

[ekohl]

@timogoebel interesting approach. Generally my goal is very similar but I want a more automated way for the certificates. Some minor improvements:

You can move https://gist.github.com/timogoebel/e4d26249d2b993fd4f084d65cacbed52#file-gui-pp-L125-L129 into an else block so other nodes simply can't execute cron.

https://gist.github.com/timogoebel/e4d26249d2b993fd4f084d65cacbed52#file-qpid-pp-L24-L25 is fixed if you upgrade to katello-qpid 3.1.0.

[sean797]

Leaving the certificate issues to one side for a moment, (which can be resolved with theforeman/puppet-certs#160 but we're not sure if they should be) there are some oauth key & secrets that need to be the same across nodes. (theforeman/puppet-katello#212) I would like to propose we look into merging #516 and extend https://github.com/sean797/ansible-role-foreman_installer to ensure they are the same. It already does a very similar thing for oauth options when deploying a Smart Proxy. https://github.com/sean797/ansible-role-foreman_installer/blob/master/tasks/katello-proxy-certs.yml#L125-L127

[sean797]

This should also include --no-enable-foreman-proxy --no-enable-foreman-proxy-content --no-enable-foreman-proxy-plugin-pulp. Though I don't think its currently possible to deploy Katello without a integrated foreman-proxy, I'll test it in the next couple of days.

If foreman-proxy is running on one machine (app) and Pulp on another (service) actions like a manifest refresh will fail as pulp_url is created using the foreman-proxies hostname.

https://github.com/Katello/katello/blob/master/app/models/katello/ping.rb#L101-L102
https://github.com/Katello/katello/blob/master/app/lib/katello/capsule_content.rb#L134-L136

[sean797]

@timogoebel @ekohl @ehelms I've created Katello/katello-installer#628 which allows us to generate a certs_tar for the "app" node, the idea is you run this on the "services" node, copy the tar file and run the installer with the tar on the "app" node.

This fixes the certs issues, is everyone happy with this approach?

[sean797]

--katello-manage-foreman-application

[sean797]

--katello-manage-foreman-application

[sean797]

I think this needs to be tomcat, or candlepin won't start and will error with

 Error injecting constructor, java.io.FileNotFoundException: /etc/pki/katello/private/katello-default-ca.key (Permission denied)

[ehelms]

This PR have been open for over a year. @ekohl Do you want to keep this open for future updates ?

[ekohl]

While I'd love to finish this, I'm going to close it for now. There have been many changes in the roles and playbooks that it'll be faster to rewrite this when it's ready.