Feature #32383
Tracker #32381: Communication with services from Foreman application should use a single set of client certificates
Use Foreman client certificates to communicate with Pulp
Description
Find a way to use the Foreman client certificates to communicate with Pulp rather than generating special purpose certificates just to talk to the Pulp API. This would remove the need for https://github.com/theforeman/puppet-certs/blob/master/manifests/pulp_client.pp. Further, this will involve finding a way to mimic the special 'admin' common_name in the certificate or configuring Pulp to accept DN users based on certificates.
Related issues
Associated revisions
Fixes #32383: Set Pulp to expect Foreman host as the authenticating client
This sets Apache to expect the client certificate to contain as the
common name the hostname of Foreman. This corresponds to using the
Foreman client certificates to talk to Pulp's API which is expected
to contain the hostname of Foreman in the certificate.
History
#1
Updated by The Foreman Bot about 1 year ago
- Assignee set to Eric Helms
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/puppet-pulpcore/pull/186 added
#2
Updated by The Foreman Bot about 1 year ago
- Pull request https://github.com/theforeman/puppet-foreman_proxy_content/pull/350 added
#3
Updated by The Foreman Bot about 1 year ago
- Pull request https://github.com/theforeman/puppet-katello/pull/411 added
#4
Updated by The Foreman Bot about 1 year ago
- Pull request https://github.com/theforeman/puppet-certs/pull/324 added
#5
Updated by Eric Helms about 1 year ago
- Blocked by Feature #32487: Use Foreman client certificates to communicate with Pulp 3 API added
#6
Updated by The Foreman Bot about 1 year ago
- Fixed in Releases 3.0.0 added
#7
Updated by Eric Helms about 1 year ago
- Status changed from Ready For Testing to Closed
Applied in changeset puppet-foreman_proxy_content|81d47ae10e8528ed46dbe79c6f9d0b6ddc84cdf3.
#8
Updated by Amit Upadhye 9 months ago
- Category set to Foreman modules
Refs #32383: Configurable client certificate authentication to Pulp
Allows a user supplied mapping of certificate CN to Pulp user name.
If this is present, set the REMOTE_USER to
a Pulp user defined in the parameter to pass along to Pulp.
This changes from having to generate a client certificate with a valid
user (e.g. admin) as the CN to allowing the use of a client certificate generated
with a more standard CN (e.g. FQDN) and act as a user in Pulp supplied to the
parameter.
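
The CN-to-user mapping described in the commit message above, sketched as an added Python example (not code from puppet-pulpcore or any of the linked pull requests): the proxy-side decision that drops any client-supplied REMOTE_USER, requires a verified client certificate and fails closed on an unmapped CN. The function name, the `cn_to_user` parameter and the sample hostnames are assumptions; `client_verify` and `client_cn` stand for the values mod_ssl exposes as SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN.

```python
# Added illustration; every name here is hypothetical, not the module's own code.
from typing import Dict, Mapping, Optional


def _is_remote_user(name: str) -> bool:
    # "Remote-User", "REMOTE_USER" and "remote_user" collapse to the same key
    # once a backend normalizes header names, so treat them as one header.
    return name.replace("-", "_").upper() == "REMOTE_USER"


def forwarded_headers(
    request_headers: Mapping[str, str],
    client_verify: str,           # proxy's own TLS result (SSL_CLIENT_VERIFY)
    client_cn: Optional[str],     # CN of the verified cert (SSL_CLIENT_S_DN_CN)
    cn_to_user: Mapping[str, str],
) -> Optional[Dict[str, str]]:
    """Return the headers to pass to Pulp, or None if the request is rejected."""
    # 1. Never forward an identity header that arrived from the client.
    out = {k: v for k, v in request_headers.items() if not _is_remote_user(k)}

    # 2. The certificate must have been verified by the proxy itself.
    if client_verify != "SUCCESS" or not client_cn:
        return None

    # 3. Hostnames compare case-insensitively; an unmapped CN fails closed.
    mapping = {cn.lower(): user for cn, user in cn_to_user.items()}
    user = mapping.get(client_cn.lower())
    if user is None:
        return None

    # 4. Only the proxy sets the identity that Pulp will see.
    out["REMOTE_USER"] = user
    return out


# Constructed sample mapping: Foreman's FQDN acts as the Pulp user "admin".
SAMPLE_MAPPING = {"foreman.example.com": "admin"}

if __name__ == "__main__":
    spoofed = {"Accept": "application/json", "Remote-User": "admin"}
    print(forwarded_headers(spoofed, "SUCCESS", "foreman.example.com", SAMPLE_MAPPING))
    print(forwarded_headers(spoofed, "SUCCESS", "client1.example.com", SAMPLE_MAPPING))
```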