Fixes #30316: Move bootstrap RPM generation from puppet-certs

theforeman · Jul 10, 2020 · 3c2b28d · 3c2b28d
1 parent 1a14a1b
commit 3c2b28d
Show file tree

Hide file tree

Showing 7 changed files with 320 additions and 41 deletions.
diff --git a/manifests/bootstrap_rpm.pp b/manifests/bootstrap_rpm.pp
@@ -0,0 +1,66 @@
+# This class builds an RPM containing the bootstrap for a subscription-manager consumer
+# This file is placed in $katello_www_pub_dir.
+# @api private
+class foreman_proxy_content::bootstrap_rpm (
+  Stdlib::Fqdn $hostname = $facts['networking']['fqdn'],
+  String $deployment_url = '/rhsm',
+  Stdlib::Port $rhsm_port = 443,
+  Stdlib::Absolutepath $rhsm_ca_dir = '/etc/rhsm/ca',
+  String $candlepin_cert_rpm_alias_filename = 'katello-ca-consumer-latest.noarch.rpm',
+  Stdlib::Absolutepath $katello_www_pub_dir = '/var/www/html/pub',
+) {
+  include certs
+
+  $katello_server_ca_cert = $certs::katello_server_ca_cert
+  $server_ca_name = $certs::server_ca_name
+  $default_ca_name = $certs::default_ca_name
+  $ca_cert = $certs::ca_cert
+  $server_ca = $certs::server_ca
+
+  $katello_rhsm_setup_script = 'katello-rhsm-consumer'
+  $katello_rhsm_setup_script_location = "/usr/bin/${katello_rhsm_setup_script}"
+
+  $candlepin_consumer_name = "katello-ca-consumer-${hostname}"
+  $candlepin_consumer_summary = "Subscription-manager consumer certificate for Katello instance ${hostname}"
+  $candlepin_consumer_description = 'Consumer certificate and post installation script that configures rhsm.'
+
+  include trusted_ca
+  trusted_ca::ca { 'katello_server-host-cert':
+    source  => $katello_server_ca_cert,
+    require => File[$katello_server_ca_cert],
+  }
+
+  include apache
+  file { $katello_www_pub_dir:
+    ensure => directory,
+    owner  => 'apache',
+    group  => 'apache',
+    mode   => '0755',
+  } ->
+  # Placing the CA in the pub dir for trusting by a user in their browser
+  file { "${katello_www_pub_dir}/${server_ca_name}.crt":
+    ensure  => file,
+    source  => $katello_server_ca_cert,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    require => File[$katello_server_ca_cert],
+  } ~>
+  foreman_proxy_content::rhsm_reconfigure_script { "${katello_www_pub_dir}/${katello_rhsm_setup_script}":
+    ca_cert         => $ca_cert,
+    server_ca_cert  => $katello_server_ca_cert,
+    rhsm_ca_dir     => $rhsm_ca_dir,
+    default_ca_name => $default_ca_name,
+    server_ca_name  => $server_ca_name,
+  } ~>
+  certs_bootstrap_rpm { $candlepin_consumer_name:
+    dir              => $katello_www_pub_dir,
+    summary          => $candlepin_consumer_summary,
+    description      => $candlepin_consumer_description,
+    files            => ["${katello_rhsm_setup_script_location}:755=${katello_www_pub_dir}/${katello_rhsm_setup_script}"],
+    bootstrap_script => "/bin/bash ${katello_rhsm_setup_script_location}",
+    postun_script    => file('certs/postun.sh'),
+    alias            => $candlepin_cert_rpm_alias_filename,
+    subscribe        => $server_ca,
+  }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -48,10 +48,6 @@
 #
 # $reverse_proxy_port::                 Reverse proxy listening port
 #
-# $rhsm_hostname::                      The hostname that the RHSM API is rooted at
-#
-# $rhsm_url::                           The URL path that the RHSM API is rooted at
-#
 # $ssl_protocol::                       Apache SSLProtocol configuration to use
 #
 # $qpid_router::                        Configure qpid dispatch router
@@ -131,9 +127,6 @@
   Stdlib::Port $reverse_proxy_port = $foreman_proxy_content::params::reverse_proxy_port,
   Optional[String] $ssl_protocol = $foreman_proxy_content::params::ssl_protocol,
 
-  Optional[String] $rhsm_hostname = $foreman_proxy_content::params::rhsm_hostname,
-  String $rhsm_url = $foreman_proxy_content::params::rhsm_url,
-
   Boolean $qpid_router = $foreman_proxy_content::params::qpid_router,
   Optional[String] $qpid_router_hub_addr = $foreman_proxy_content::params::qpid_router_hub_addr,
   Stdlib::Port $qpid_router_hub_port = $foreman_proxy_content::params::qpid_router_hub_port,
@@ -190,7 +183,7 @@
 
   $rhsm_port = $reverse_proxy_real ? {
     true  => $reverse_proxy_port,
-    false => '443'
+    false => 443
   }
 
   ensure_packages('katello-debug')
@@ -205,11 +198,8 @@
     notify   => Service['foreman-proxy'],
   }
 
-  class { 'certs::katello':
-    hostname       => $rhsm_hostname,
-    deployment_url => $rhsm_url,
-    rhsm_port      => $rhsm_port,
-    require        => Class['certs'],
+  class { 'foreman_proxy_content::bootstrap_rpm':
+    rhsm_port => $rhsm_port,
   }
 
   if $pulp or $reverse_proxy_real {

diff --git a/manifests/rhsm_reconfigure_script.pp b/manifests/rhsm_reconfigure_script.pp
@@ -0,0 +1,65 @@
+# @summary Compose RHSM reconfigure script via concats
+# @api private
+define foreman_proxy_content::rhsm_reconfigure_script(
+  Stdlib::Absolutepath $ca_cert,
+  Stdlib::Absolutepath $server_ca_cert,
+  Stdlib::Absolutepath $rhsm_ca_dir,
+  String $default_ca_name,
+  String $server_ca_name,
+) {
+
+  concat { $title:
+    owner => 'root',
+    group => 'root',
+    mode  => '0755',
+  }
+
+  concat::fragment { "${title}+script_start":
+    target  => $title,
+    content => "#!/bin/bash\n\nset -e\n",
+    order   => '01',
+  }
+
+  concat::fragment { "${title}+default_ca_data":
+    target  => $title,
+    content => "read -r -d '' KATELLO_DEFAULT_CA_DATA << EOM || true\n",
+    order   => '02',
+  }
+
+  concat::fragment { "${title}+ca_cert":
+    target => $title,
+    source => $ca_cert,
+    order  => '03',
+  }
+
+  concat::fragment { "${title}+end_ca_cert":
+    target  => $title,
+    content => "\nEOM\n\n",
+    order   => '04',
+  }
+
+  concat::fragment { "${title}+server_ca_data":
+    target  => $title,
+    content => "read -r -d '' KATELLO_SERVER_CA_DATA << EOM || true\n",
+    order   => '05',
+  }
+
+  concat::fragment { "${title}+server_ca_cert":
+    target => $title,
+    source => $server_ca_cert,
+    order  => '06',
+  }
+
+  concat::fragment { "${title}+end_server_ca_cert":
+    target  => $title,
+    content => "\nEOM\n\n",
+    order   => '07',
+  }
+
+  concat::fragment { "${title}+reconfigure":
+    target  => $title,
+    content => template('foreman_proxy_content/bootstrap_rpm/rhsm-katello-reconfigure.erb'),
+    order   => '10',
+  }
+
+}
diff --git a/spec/acceptance/bootstrap_rpm_spec.rb b/spec/acceptance/bootstrap_rpm_spec.rb
@@ -0,0 +1,61 @@
+require 'spec_helper_acceptance'
+
+describe 'bootstrap_rpm' do
+
+  context 'with default params' do
+    let(:pp) do
+      <<-EOS
+      include foreman_proxy_content::bootstrap_rpm
+
+      exec { "yum -y install /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm":
+        path => ['/bin', '/usr/bin'],
+      }
+      EOS
+    end
+
+    it_behaves_like 'a idempotent resource'
+
+    describe file('/var/www/html/pub/katello-rhsm-consumer') do
+      it { should be_file }
+      it { should be_mode 755 }
+      it { should be_owned_by 'root' }
+      it { should be_grouped_into 'root' }
+    end
+
+    describe file('/var/www/html/pub/katello-ca-consumer-latest.noarch.rpm') do
+      it { should be_link }
+    end
+
+    describe file('/var/www/html/pub/katello-server-ca.crt') do
+      it { should be_file }
+      it { should be_mode 644 }
+      it { should be_owned_by 'root' }
+      it { should be_grouped_into 'root' }
+    end
+
+    describe command('rpm -qp /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm') do
+      its(:stdout) { should match(/^subscription-manager/) }
+    end
+
+    describe command('rpm -qp /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm --list') do
+      its(:stdout) { should match(/^\/usr\/bin\/katello-rhsm-consumer/) }
+    end
+
+    describe x509_certificate('/etc/rhsm/ca/katello-server-ca.crt') do
+      it { should be_certificate }
+    end
+
+    describe x509_certificate('/etc/rhsm/ca/katello-default-ca.crt') do
+      it { should be_certificate }
+    end
+
+    describe file('/etc/rhsm/rhsm.conf') do
+      its(:content) { should match /repo_ca_cert = %(ca_cert_dir)skatello-server-ca.pem/ }
+      its(:content) { should match /prefix = \/rhsm/ }
+      its(:content) { should match /full_refresh_on_yum = 1/ }
+      its(:content) { should match /package_profile_on_trans = 1/ }
+      its(:content) { should match /hostname = #{facts['networking']['fqdn']}/ }
+      its(:content) { should match /baseurl = https:\/\/#{facts['networking']['fqdn']}\/pulp\/repos/ }
+    end
+  end
+end
diff --git a/spec/classes/foreman_proxy_content_spec.rb b/spec/classes/foreman_proxy_content_spec.rb
@@ -191,34 +191,6 @@ class { 'foreman_proxy::plugin::pulp':
         end
       end
 
-      context 'with rhsm_hostname and rhsm_url' do
-        let(:params) do
-          {
-            rhsm_hostname: 'katello.example.com',
-            rhsm_url: '/abc/rhsm'
-          }
-        end
-
-        let(:pre_condition) do
-          <<-PUPPET
-          include foreman_proxy
-          class { 'foreman_proxy::plugin::pulp':
-            enabled          => false,
-            pulpnode_enabled => false,
-            pulpcore_enabled => true,
-            pulpcore_mirror  => false,
-          }
-          PUPPET
-        end
-
-        it { is_expected.to compile.with_all_deps }
-        it do
-          is_expected.to contain_class('certs::katello')
-            .with_hostname('katello.example.com')
-            .with_deployment_url('/abc/rhsm')
-        end
-      end
-
       context 'with puppet' do
         let(:params) do
           {

diff --git a/spec/setup_acceptance_node.pp b/spec/setup_acceptance_node.pp
@@ -0,0 +1,10 @@
+$major = $facts['os']['release']['major']
+
+# Defaults to staging, for release, use
+# $baseurl = "https://yum.theforeman.org/releases/nightly/el${major}/x86_64/"
+$baseurl = "http://koji.katello.org/releases/yum/foreman-nightly/RHEL/${major}/x86_64/"
+
+yumrepo { 'foreman':
+  baseurl  => $baseurl,
+  gpgcheck => 0,
+}