Feature #32383

Tracker #32381: Communication with services from Foreman application should use a single set of client certificates

Use Foreman client certificates to communicate with Pulp

Added by Eric Helms 6 months ago. Updated 2 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: Foreman modules
Target version: -

Description

Find a way to use the Foreman client certificates to communicate with Pulp rather than generating special purpose certificates just to talk to the Pulp API. This would remove the need for https://github.com/theforeman/puppet-certs/blob/master/manifests/pulp_client.pp. Further, this will involve finding a way to mimic the special 'admin' common_name in the certificate or configuring Pulp to accept DN users based on certificates.


Related issues

Blocked by Katello - Feature #32487: Use Foreman client certificates to communicate with Pulp 3 API (Closed)

Associated revisions

Revision 1101ab39 (diff)
Added by Eric Helms 6 months ago

Refs #32383: Configurable client certificate authentication to Pulp

Allows a user supplied mapping of certificate CN to Pulp user name.
If this is present, set the REMOTE_USER to
a Pulp user defined in the parameter to pass along to Pulp.
This changes from having to generate a client certificate with a valid
user (e.g. admin) as the CN to allowing to use a client certificate generated
with a more standard CN (e.g. FQDN) and act as a user in Pulp supplied to the
parameter.

Revision 81d47ae1 (diff)
Added by Eric Helms 6 months ago

Fixes #32383: Set Pulp to expect Foreman host as the authenticating client

This sets Apache to expect the client certificate to contain as the
common name the hostname of Foreman. This corresponds to using the
Foreman client certificates to talk to Pulp's API which is expected
to contain the hostname of Foreman in the certificate.
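
The CN-to-user mapping that the two commit messages above describe, modelled as a small Python function (an added example, not code from puppet-pulpcore or the Foreman project). The function names, the `CN_MAP` contents, the header spelling and the decision to drop a client-supplied REMOTE_USER are assumptions made for illustration; the point is that a CN absent from the map yields no Pulp user at all.

```python
import re

# Constructed sample mapping: certificate CN (Foreman's FQDN) -> Pulp user.
# Keys are lower-case; both values are placeholders, not project defaults.
CN_MAP = {"foreman.example.com": "admin"}


def common_name(subject_dn):
    """Return the single CN of an RFC 2253 style subject DN, or None.

    A DN with zero or several CN attributes is refused, so a subject that
    carries an extra CN cannot be matched against the map by accident.
    """
    # Split on commas that are not backslash-escaped, then keep CN attributes.
    rdns = re.split(r"(?<!\\),", subject_dn)
    cns = [r.split("=", 1)[1].strip() for r in rdns
           if r.strip().upper().startswith("CN=")]
    return cns[0] if len(cns) == 1 else None


def remote_user_for(request_headers, tls_verified, subject_dn, cn_map=CN_MAP):
    """Return (headers_to_forward, pulp_user); pulp_user is None when denied."""
    # Drop any REMOTE_USER the client sent: only the proxy may assert identity.
    forwarded = {k: v for k, v in request_headers.items()
                 if k.upper().replace("-", "_") != "REMOTE_USER"}
    # No verified client certificate means no identity to map.
    if not tls_verified or not subject_dn:
        return forwarded, None
    cn = common_name(subject_dn)
    # Exact match on the whole CN (case-insensitive); no substring or wildcard.
    user = cn_map.get(cn.lower()) if cn else None
    if user is not None:
        forwarded["REMOTE_USER"] = user
    return forwarded, user
```

With this shape, a certificate issued with the Foreman FQDN as CN acts as the mapped Pulp user, while any other certificate signed by the same CA is forwarded without a REMOTE_USER.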

History

#1 Updated by The Foreman Bot 6 months ago

  • Assignee set to Eric Helms
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-pulpcore/pull/186 added

#2 Updated by The Foreman Bot 6 months ago

  • Pull request https://github.com/theforeman/puppet-foreman_proxy_content/pull/350 added

#3 Updated by The Foreman Bot 6 months ago

  • Pull request https://github.com/theforeman/puppet-katello/pull/411 added

#4 Updated by The Foreman Bot 6 months ago

  • Pull request https://github.com/theforeman/puppet-certs/pull/324 added

#5 Updated by Eric Helms 6 months ago

  • Blocked by Feature #32487: Use Foreman client certificates to communicate with Pulp 3 API added

#6 Updated by The Foreman Bot 6 months ago

  • Fixed in Releases 3.0.0 added

#7 Updated by Eric Helms 6 months ago

  • Status changed from Ready For Testing to Closed

#8 Updated by Amit Upadhye 2 months ago

  • Category set to Foreman modules
