Feature #7745
Client systems should be able to route all RHSM traffic through a Capsule.
Related issues
Associated revisions
Refs #7745: Support checking for custom header from RHSM proxied requests.
When using a Capsule in isolation, the reverse proxy on the Capsule
must pass through the originating client's certificate via a custom
header; in this case, HTTP_X_RHSM_SSL_CLIENT_CERT.
Refs #7745: Deploy client cert bundle specifically for use by the Capsule.
Note this is a bundle since that is required by the reverse proxy
feature being added to the Capsule.
Fixes #7745: Deploy reverse proxy for RHSM traffic.
Fixes #7745: Deploy reverse proxy for RHSM traffic.
History
#1
Updated by Eric Helms over 8 years ago
- Tracker changed from Bug to Feature
- Subject changed from Access rhsm through a ReverseProxy on Capsules to Client systems should be able to route all RHSM traffic through a Capsule.
- Legacy Backlogs Release (now unused) set to 14
- Triaged changed from No to Yes
#2
Updated by Eric Helms over 8 years ago
- Blocks Tracker #8172: Isolate Client Communication through a Capsule added
#3
Updated by dustin tsang over 8 years ago
https://github.com/Katello/puppet-capsule/pull/22 -- install reverse proxy on capsule
https://github.com/Katello/puppet-katello/pull/38 -- allow cert header pass through katello apache
#4
Updated by dustin tsang over 8 years ago
test scenario
1) install katello like normal
2) generate certs for capsule and copy to capsule like normal
3) using the capsule installer,
bin/capsule-installer --parent-fqdn "kdev.usersys.redhat.com" \
  --register-in-foreman "true" \
  --foreman-oauth-key "xxxx" \
  --foreman-oauth-secret "xxx" \
  --pulp-oauth-secret "xx" \
  --certs-tar ~/mycerts.tar \
  --puppet "true" \
  --puppetca "true" \
  --pulp "true" \
  --parent-reverse-proxy "true" \
  --parent-reverse-proxy-port 8443
4) on a new host, rpm -Uvh http://katello/pub/katello-ca-consumer-latest.noarch.rpm
5) update your /etc/rhsm/rhsm.conf
on a separate host with subscription-manager,
[server]
hostname = capsule-hostname
prefix = /rhsm
port = 8443
6) subscription-manager register --organization Default_Organization
#5
Updated by Eric Helms about 8 years ago
- Legacy Backlogs Release (now unused) changed from 14 to 23
#6
Updated by The Foreman Bot about 8 years ago
- Status changed from New to Ready For Testing
- Target version set to 63
- Pull request https://github.com/Katello/katello/pull/4949 added
- Pull request deleted ()
#7
Updated by Eric Helms about 8 years ago
- Target version changed from 63 to 66
#8
Updated by Anonymous about 8 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset katello-installer|9885e83ac24c196d71085043abda681d973fe547.
Fixes #7745 - allow client cert header through
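
The revisions above have the Capsule's reverse proxy forward the originating client's certificate in HTTP_X_RHSM_SSL_CLIENT_CERT. The following is an added example, not Katello's own code, of how a receiving Rack application could decide when to honor that header. The allow-list, the helper names, the use of the mod_ssl-style SSL_CLIENT_VERIFY and SSL_CLIENT_CERT variables, and the space-flattened PEM in the header are assumptions.

```ruby
require 'openssl'

# Assumption: CNs of the Capsules allowed to forward client certificates.
TRUSTED_CAPSULES = ['capsule.example.com'].freeze

# Rebuild a PEM whose newlines were flattened to spaces in a header value.
def normalize_pem(raw)
  b64 = raw.to_s.gsub(/-----(BEGIN|END) CERTIFICATE-----/, '').gsub(/\s+/, '')
  "-----BEGIN CERTIFICATE-----\n#{b64.scan(/.{1,64}/).join("\n")}\n-----END CERTIFICATE-----\n"
end

def common_name(cert)
  entry = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  entry && entry[1]
end

# Returns the certificate that identifies the originating client, or nil.
# env is a Rack-style hash; SSL_CLIENT_* describe the direct TLS peer.
def rhsm_client_cert(env)
  # No verified TLS client certificate: nothing in the request is trusted.
  return nil unless env['SSL_CLIENT_VERIFY'] == 'SUCCESS'
  peer = OpenSSL::X509::Certificate.new(normalize_pem(env['SSL_CLIENT_CERT']))
  forwarded = env['HTTP_X_RHSM_SSL_CLIENT_CERT']
  # Direct connection: the TLS peer is the client itself.
  return peer if forwarded.nil? || forwarded.empty?
  # Honor the header only when the TLS peer is an allow-listed Capsule;
  # a header arriving from any other peer is rejected, not ignored.
  return nil unless TRUSTED_CAPSULES.include?(common_name(peer))
  # The forwarded certificate was verified by the Capsule's TLS layer, not here.
  OpenSSL::X509::Certificate.new(normalize_pem(forwarded))
rescue OpenSSL::X509::CertificateError
  nil
end

# Constructed sample data: a throwaway self-signed certificate for a given CN.
def sample_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end
```

The front-end web server must also strip any inbound copy of this header on connections that do not come from a Capsule, so the application never sees a value it did not set or vouch for.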