refs #15931 - allow passing the cname parameter when generating certs #120
Conversation
| @@ -7,11 +7,15 @@ | |||
| # | |||
There was a problem hiding this comment.
This file is not being used anymore.
There was a problem hiding this comment.
Then it should not exist? ;-)
But it was quite handy, as it allowed me to test on a plain Katello 3.2 install.
| @@ -16,6 +16,7 @@ | |||
| $ssl_build_dir = '/root/ssl-build' | |||
|
|
|||
| $node_fqdn = $::fqdn | |||
| $node_cname = [] | |||
There was a problem hiding this comment.
Could we just change this to cname ? The node noemclature was there for pulp nodes and the old node-installer and I think it helps to not use it now.
this enables Kafo to set the subjectAltName of the certificates via --certs-node-cname. The option can be given multiple times to add multple cnames.
…e cli this enables Kafo to set the subjectAltName of the certificates via --foreman-proxy-cname. The option can be given multiple times to add multple cnames.
|
Thanks @evgeni ! |
|
What's missing to fix 1160344? The BZ mentions ability to set the CNAME on certs as alternative way of addressing the issue |
|
@iNecas this only does the katello certs, so missing for 1160344 would be (IMHO):
|
|
My point is, I see this already bringing value to the users, and makes their lives easier when needing this. I would suggest treating the other issues as ones blocked by this, but we could start delivering this sooner, and for earlier releases, this could become a documentation bug. |
|
@evgeni before I open a full Redmine issue, I hit this while testing a smart proxy, do you think its related to this change or something else entirely? |
|
@ehelms possible. is that puppet 3 or puppet 4? |
|
Puppet 4 |
|
@ehelms can you try with 3? I think my test box for that only ever had 3. |
|
@ehelms maybe katello-installer needs a migration? |
|
foreman-proxy-certs-generate doesn't have migrations, the answers are embedded in the script. Maybe certs::params isn't getting loaded somehow? |
| $certs_tar = $certs::params::certs_tar | ||
| $parent_fqdn = $fqdn, | ||
| $foreman_proxy_fqdn = $certs::node_fqdn, | ||
| $foreman_proxy_cname = $certs::cname, |
There was a problem hiding this comment.
Maybe $certs name space isn't loaded when this class is processed in foreman-proxy-certs-generate?
This PR does not completely fix http://projects.theforeman.org/issues/15931 aka https://bugzilla.redhat.com/show_bug.cgi?id=1160344, but it at least allows to actually generate certificates with multiple names in them which would have prevented the mentioned issue.
The
certresource already knows how to handlekatello-ssl-tools--set-cname, so we just have to pass the right value to it. This is done by creating a default[]cname parameter and passing this along to allcertinvocations. Kafo then can override the value via the command line.