Refs #31878: Use client certificate auth to talk from qpid-dispatch to qpid #327
Conversation
Needed in conjunction with theforeman/puppet-katello#384 -- serves to simplify the configuration and setup more and add an additional layer of security by turning auth on for qpidd.
) {
include foreman_proxy_content::dispatch_router

class { 'certs::qpid_router_client':
hostname => 'qpid_router_katello_agent',
}
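Review bot: the literal 'qpid_router_katello_agent' handed to certs::qpid_router_client as hostname is an identity string, not a real hostname, and the qpidd ACL in puppet-katello has to match it exactly; add a comment at this line saying so and naming the ACL it must agree with, so the two modules cannot drift apart silently, and since the class is new, pin the required certs module version in metadata.json as raised in the review.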
Moving the new qpid_router_client class declaration inside the hub and connector allows us to configure the generated client certificates differently. For a hub, we want to generate a set of client certificates with a special CN set to qpid_router_katello_agent that matches the ACLs set in puppet-katello (https://github.com/theforeman/puppet-katello/pull/384/files#diff-b39fa0a3b1f98c974d4d7d21d4fb0e2d1292dd442ae605d6063c96b9cd9ed932R1). This allows us to be more specific and identify the difference between when Katello and qpid-dispatch connect to qpid. For example:

connection                    cproc      cpid   mech       auth                                                           connected  idle  msgIn  msgOut
=======================================================================================================================================================
qpid.[::1]:5671-[::1]:35360   -                 EXTERNAL   qpid_router_katello_agent@QPID                                 6s         4s    0      0
qpid.[::1]:5671-[::1]:35364   -                 EXTERNAL   pipe-katello-server-nightly-centos7.wareagle.example.com@QPID  2s         0s    0      0
qpid.[::1]:5671-[::1]:35366   qpid-stat  26105  ANONYMOUS  anonymous@QPID                                                 0s         0s    1      0

If both used a client certificate with the hostname, we would not be able to easily tell them apart nor set the ACLs properly.

On a connector style deployment, such as a proxy with content, we want to deploy the client certificates with the hostname (https://github.com/theforeman/puppet-foreman_proxy_content/pull/327/files#diff-a447b8870e696e6842730621455173b0e03529b5d108cc645e379a45daf2fc30R13) because in that case you have a qpid-dispatch connecting to another qpid-dispatch.

Undertaking this exercise made me think that when we tackle making katello-agent optional and disabled by default, we should move the qpid handling out of puppet-katello and into this module to better centralize the connected pieces.
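The qpid-stat listing in the comment above is also what an operator would use to verify that qpid-dispatch really presents the dedicated CN and that nothing else claims it. As an added example (not code from this PR, from puppet-foreman_proxy_content or from puppet-katello), the following Python parses a `qpid-stat -c` listing and labels each connection by how it authenticated. The sample rows are constructed from the listing in the comment, DISPATCH_ROUTER_IDENTITY is the CN from the diff, and the dot-in-local-part rule for recognising hostname-based certificates is an assumption, not something the PR states.

```python
"""Audit a `qpid-stat -c` listing: which connections authenticated with a
client certificate (SASL EXTERNAL) and under which identity.

Added example, not code from the PR or either Puppet module. The sample is
constructed from the listing quoted in the PR discussion; the expected
identity is the CN this PR assigns to the hub's qpid-dispatch."""
from dataclasses import dataclass

# Constructed sample: same rows as the qpid-stat output shown in the discussion.
SAMPLE_QPID_STAT = """\
connection                    cproc      cpid   mech       auth                                                           connected  idle  msgIn  msgOut
=======================================================================================================================================================
qpid.[::1]:5671-[::1]:35360   -                 EXTERNAL   qpid_router_katello_agent@QPID                                 6s         4s    0      0
qpid.[::1]:5671-[::1]:35364   -                 EXTERNAL   pipe-katello-server-nightly-centos7.wareagle.example.com@QPID  2s         0s    0      0
qpid.[::1]:5671-[::1]:35366   qpid-stat  26105  ANONYMOUS  anonymous@QPID                                                 0s         0s    1      0
"""

# CN the PR sets for the hub's qpid-dispatch client certificate (from the diff).
DISPATCH_ROUTER_IDENTITY = "qpid_router_katello_agent@QPID"


@dataclass
class Connection:
    connection: str
    cproc: str
    cpid: str
    mech: str
    auth: str


def parse_qpid_stat(text):
    """Parse qpid-stat -c rows. The six right-most columns are always present;
    cpid is blank for remote peers, so cproc/cpid are taken from whatever sits
    between the connection id and those six columns, not by fixed position."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("connection") or line.startswith("="):
            continue  # header and separator lines
        tokens = line.split()
        if len(tokens) < 7:  # connection id + mech, auth, connected, idle, msgIn, msgOut
            continue
        middle = tokens[1:-6]
        rows.append(Connection(
            connection=tokens[0],
            cproc=middle[0] if middle else "",
            cpid=middle[1] if len(middle) > 1 else "",
            mech=tokens[-6],
            auth=tokens[-5],
        ))
    return rows


def classify(conn, dispatch_identity=DISPATCH_ROUTER_IDENTITY):
    """Label a connection the way an ACL has to tell the peers apart.

    Assumption (not from the PR): an EXTERNAL identity whose local part
    contains a dot is treated as a hostname-based client certificate."""
    if conn.mech == "EXTERNAL":
        if conn.auth == dispatch_identity:
            return "dispatch-router"
        local_part = conn.auth.rsplit("@", 1)[0]
        return "hostname-cert" if "." in local_part else "other-cert"
    if conn.mech == "ANONYMOUS":
        return "anonymous"
    return "other-" + conn.mech.lower()


def summarize(rows, dispatch_identity=DISPATCH_ROUTER_IDENTITY):
    """Map each label to the connection ids carrying it."""
    summary = {}
    for conn in rows:
        summary.setdefault(classify(conn, dispatch_identity), []).append(conn.connection)
    return summary


def dispatch_router_distinguishable(rows, dispatch_identity=DISPATCH_ROUTER_IDENTITY):
    """True when the dedicated identity is present and every connection that
    presents it did so via a client certificate (EXTERNAL), so an ACL keyed on
    that identity matches only the certificate-authenticated dispatch router."""
    holders = [c for c in rows if c.auth == dispatch_identity]
    return bool(holders) and all(c.mech == "EXTERNAL" for c in holders)


if __name__ == "__main__":
    parsed = parse_qpid_stat(SAMPLE_QPID_STAT)
    for label, conns in sorted(summarize(parsed).items()):
        print(f"{label:16} {', '.join(conns)}")
    print("dispatch router distinguishable:", dispatch_router_distinguishable(parsed))
```

Feed it the real `qpid-stat -c` output on a hub after applying this PR and the companion puppet-katello change: the dispatch router should appear once under the dedicated identity, the Katello server under its hostname-based identity, and any row presenting the dedicated identity over a mechanism other than EXTERNAL is a sign that something is reusing the name without the certificate.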
ACK - tested working in conjunction w/ my Katello PR
This will require a new version of the certs module. We should have a matching update in metadata.json so we know at a module level they are compatible.