candlepin: use own certs for qpid

[timogoebel]

The qpid_ssl_cert and qpid_ssl_key parameters for candlepin are just to set up an exchange.

This can be done with candlepin's qpid certificates and removed the dependency for qpid's certificates.

[ekohl]

It looks good and I think you're right, but the tests are failing.

[timogoebel]

Tests currently fail, because ::katello::qpid_client isn't in the catalog anymore. I'm curious, if ::katello::qpid_client is just needed by something else or it's just unneeded clutter.

[timogoebel]

I have a feeling, that actually the katello rails application needs to have include ::katello::qpid_client. I'll continue looking into this and update the PR accordingly.

[timogoebel]

Yeah, my expectation was correct: The Katello rails app needs katello::qpid_client to work properly. You can see this in /var/log/foreman/dynflow_executor.output:

Starting dynflow with the following options: {:foreman_root=>"/usr/share/foreman", :process_name=>"dynflow_executor", :pid_dir=>"/usr/share/foreman/tmp/pids", :log_dir=>"/usr/share/foreman/log", :wait_attempts=>300, :wait_sleep=>1, :executors_count=>1, :memory_limit=>0, :memory_init_delay=>7200, :memory_polling_interval=>60}
Everything ready for world: 42678733-a5ff-4ee1-a860-f2dca3bec4bd
terminate called after throwing an instance of 'qpid::types::Exception'
  what():  Failed to initialise SSL: Failed: NSS error [-8015] (/builddir/build/BUILD/qpid-cpp-1.36.0/src/qpid/sys/ssl/util.cpp:100) (/builddir/build/BUILD/qpid-cpp-1.36.0/src/qpid/client/SslConnector.cpp:149)

[timogoebel]

This is still missing a notify from Class['certs::qpid'] ~> Service['foreman-tasks'].

[ekohl]

Shouldn't qpid_client be sufficient? Or can we make it sufficient?

[timogoebel]

Well, certs::qpid_client just rolls out certificates for the qpid-config tool. certs::qpid rolls out the whole nss certstore. We need the latter for the app.
::katello::qpid_client does include include ::certs::qpid, so this is here just for completeness' sake.

[ekohl]

If we're not using it in this class then I'd consider it an implementation detail of qpid_client, but it might even be better to just include qpid::client in this class rather than split it off if there's just 1 use of it.

[timogoebel]

I left this in now, as it's required for the notify of foreman-tasks.

[ekohl]

This is still missing a notify from Class['certs::qpid'] ~> Service['foreman-tasks'].

With theforeman/puppet-foreman#530 that'll be nicely wrapped in foreman::service

[timogoebel]

@ekohl: Added the notify and a test for it so it works with the current implementation of puppet-foreman.

[ekohl]

I'll likely revisit the notifications when the foreman PR is merged

[ekohl]

Thanks!