Tracker #32381: Communication with services from Foreman application should use a single set of client certificates
Use Foreman client certificates to communicate with Pulp
Find a way to use the Foreman client certificates to communicate with Pulp rather than generating special purpose certificates just to talk to the Pulp API. This would remove the need for https://github.com/theforeman/puppet-certs/blob/master/manifests/pulp_client.pp. Further, this will involve finding a way to mimic the special 'admin' common_name in the certificate or configuring Pulp to accept DN users based on certificates.
Refs #32383: Configurable client certificate authentication to Pulp
Allows a user supplied mapping of certificate CN to Pulp user name.
If this is present, set the REMOTE_USER to
a Pulp user defined in the parameter to pass along to Pulp.
This changes from having to generate a client certificate with a valid
user (e.g. admin) as the CN to allowing the use of a client certificate generated
with a more standard CN (e.g. FQDN) and act as a user in Pulp supplied to the
Fixes #32383: Set Pulp to expect Foreman host as the authenticating client
This sets Apache to expect the client certificate to contain as the
common name the hostname of Foreman. This corresponds to using the
Foreman client certificates to talk to Pulp's API which is expected
to contain the hostname of Foreman in the certificate.
#7 Updated by Eric Helms over 1 year ago
- Status changed from Ready For Testing to Closed
Applied in changeset puppet-foreman_proxy_content|81d47ae10e8528ed46dbe79c6f9d0b6ddc84cdf3.
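
As an added illustration (not code from puppet-foreman_proxy_content or Pulp), the following Python model shows the decision the commit messages above describe: the CN of a verified client certificate is looked up in an operator-supplied mapping and the result is passed along as REMOTE_USER. The function name, the mapping contents and the hostnames are assumptions made for this example; the verification strings follow the values mod_ssl reports in SSL_CLIENT_VERIFY.

```python
"""Model of a TLS-terminating front end mapping a certificate CN to a Pulp user."""

# Header spellings a client could send itself to impersonate a user.
SPOOFABLE = {"remote_user", "remote-user"}


def forwarded_headers(verify_result, subject_cn, cn_to_user, incoming):
    """Return the headers to pass along to Pulp (hypothetical helper).

    verify_result -- certificate validation outcome; "SUCCESS" only if the chain verified
    subject_cn    -- CN taken from the verified certificate subject, or None
    cn_to_user    -- operator-supplied mapping of certificate CN -> Pulp user name
    incoming      -- headers exactly as sent by the client (untrusted)
    """
    # 1. Drop any REMOTE_USER the client supplied; only the front end may set it.
    out = {k: v for k, v in incoming.items() if k.lower() not in SPOOFABLE}

    # 2. Fail closed: without a verified certificate there is no identity.
    if verify_result != "SUCCESS" or not subject_cn:
        return out

    # 3. Match the whole CN exactly (hostnames compare case-insensitively);
    #    no prefix, suffix or wildcard matching.
    lookup = {cn.lower(): user for cn, user in cn_to_user.items()}
    user = lookup.get(subject_cn.lower())
    if user is not None:
        out["REMOTE_USER"] = user
    return out


# Constructed sample data: the hostname and the target user are illustrative.
MAPPING = {"foreman.example.com": "admin"}

if __name__ == "__main__":
    cases = [
        ("SUCCESS", "foreman.example.com", {"Accept": "application/json"}),
        ("SUCCESS", "client.example.com", {"Remote-User": "admin"}),
        ("NONE", None, {"REMOTE_USER": "admin"}),
    ]
    for verify, cn, hdrs in cases:
        print(verify, cn, "->", forwarded_headers(verify, cn, MAPPING, hdrs))
```

A CN that is absent from the mapping yields no REMOTE_USER at all, so the request reaches Pulp unauthenticated rather than under a default identity.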