Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/roles/httpd/defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,4 @@ httpd_ssl_dir: /etc/pki/httpd
httpd_pulp_api_backend: http://localhost:24817
httpd_pulp_content_backend: http://localhost:24816
httpd_foreman_backend: http://localhost:3000
httpd_pub_dir: /var/www/html/pub
15 changes: 15 additions & 0 deletions src/roles/httpd/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,14 @@
- "{{ httpd_ssl_dir }}/certs"
- "{{ httpd_ssl_dir }}/private"

- name: Create pub directory
ansible.builtin.file:
path: "{{ httpd_pub_dir }}"
state: directory
group: apache
owner: apache
mode: "0755"

- name: Deploy certificates
ansible.builtin.copy:
src: "{{ item.src }}"
Expand All @@ -43,6 +51,13 @@
- src: "{{ httpd_server_key }}"
dest: "private/katello-apache.key"

- name: Copy CA certificate to pub directory for client trust
ansible.builtin.copy:
src: "{{ httpd_server_ca_certificate }}"
dest: "{{ httpd_pub_dir }}/katello-server-ca.crt"
remote_src: true
mode: "0644"
Comment on lines +54 to +59

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

technically this is also available under /unattended/public/foreman_raw_ca without /pub, but lots of code relies on the old location and it's a good example of usage for now.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it make sense to configure Apache to proxy that specific request?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Proxy wouldn't work, as rails doesn't know what /pub is. We'd either need to teach it that route or translate at Apache level. Or just ignore it for now.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason I ask is that we also know we need to support /pub/katello-consumer-ca because Anaconda relies on that. It's in RHEL 9 so we can't easily replace that. So long term I think we need to route specific /pub paths to Foreman to render it dynamically. The public templates mechanism in Foreman could be reused for /pub/katello-consumer-ca.

We also deal with it in a follow up.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My thoughts on this:-
I think in /pub we have quite a few items from multiple plugins, so ideally it does not make sense to put these things, which is not completely related to foreman, in foreman/rails routes.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think in /pub we have quite a few items from multiple plugins, so ideally it does not make sense to put these things, which is not completely related to foreman, in foreman/rails routes.

I'd like to see a list of those plugins, because no plugin should count on /pub existing. Katello and RH cloud might, but others shouldn't.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the description of SAT-40189, it is mentioned

  • IoP -> For uploading/fetching cvemap.xml
  • Discovery -> Uploading FDI image for PXELess Discovery Workflow
  • Bootdisk -> Uploading Bootdisk image for Bootdisk Workflow
  • katello-ca-consumer -> global registration uses katello-ca-consumer rpm published on /pub

Few other component tests like Repository, ISS, ACS also use /pub during testing.

After looking at these i thought we can keep the pub directory served by apache only.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • IoP is correct
  • Discovery and Bootdisk is not using /pub (but the way tests in robotello are written for it might abuse `/pub)
  • global registration does not use /pub, it embedds all certs itself.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i see that the katello-ca-consumer-latest.noarch.rpm still stays in pub, is that not being used now for registration(doc says (Deprecated) Katello CA Consumer method for registeration is deprecated)?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

correct. it's still there (for users who have non-default workflows), but unused by the default workflow we offer.


- name: Configure foreman-ssl vhost
ansible.builtin.template:
src: foreman-ssl-vhost.conf.j2
Expand Down
8 changes: 8 additions & 0 deletions src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,13 @@
ProxyPassReverse {{ httpd_pulp_api_backend }}/pulp/api/v3
</Location>

Alias /pub {{ httpd_pub_dir }}

<Location /pub>
Options +FollowSymLinks +Indexes
Require all granted
</Location>

ProxyPass /pulp/assets/ {{ httpd_pulp_api_backend }}/pulp/assets/
ProxyPassReverse /pulp/assets/ {{ httpd_pulp_api_backend }}/pulp/assets/

Expand All @@ -68,6 +75,7 @@
ProxyPreserveHost On
ProxyAddHeaders On
ProxyPass /pulp !
ProxyPass /pub !
ProxyPass /icons !
ProxyPass /server-status !
ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900
Expand Down
24 changes: 17 additions & 7 deletions tests/httpd_test.py
Original file line number Diff line number Diff line change
@@ -1,43 +1,53 @@
HTTP_HOST = 'localhost'
HTTP_PORT = 80
HTTPS_PORT = 443

HTTPD_PUB_DIR = '/var/www/html/pub'

def test_httpd_service(server):
httpd = server.service("httpd")
assert httpd.is_running
assert httpd.is_enabled


def test_http_port(server):
httpd = server.addr(HTTP_HOST)
assert httpd.port(HTTP_PORT).is_reachable


def test_https_port(server):
httpd = server.addr(HTTP_HOST)
assert httpd.port(HTTPS_PORT).is_reachable


def test_https_foreman_ping(server, certificates, server_fqdn):
cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/api/v2/ping")
assert cmd.succeeded
assert cmd.stdout == '200'


def test_https_pulp_status(server, certificates, server_fqdn):
cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pulp/api/v3/status/")
assert cmd.succeeded
assert cmd.stdout == '200'


def test_https_pulp_content(server, certificates, server_fqdn):
cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pulp/content/")
assert cmd.succeeded
assert cmd.stdout == '200'


def test_https_pulp_auth(server, certificates, server_fqdn):
cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --write-out '%{{stderr}}%{{http_code}}' --cert {certificates['client_certificate']} --key {certificates['client_key']} https://{server_fqdn}/pulp/api/v3/users/")
assert cmd.succeeded
assert cmd.stderr == '200'

def test_pub_directory_exists(server):
pub_dir = server.file(HTTPD_PUB_DIR)
assert pub_dir.exists
assert pub_dir.is_directory
assert pub_dir.mode == 0o755

def test_pub_directory_accessible(server, certificates, server_fqdn):
cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pub/")
Comment on lines +45 to +46

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think if we validating a CA certificate is downloadable which would cover this test already

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We deploy the config with Indexes, which produces a nice directory index here and this step validates it. Otherwise you'd get a 403 on the /pub/ itself.

Comment on lines +45 to +46

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd suggest one more test here which checks the pub dir accessibility from http url

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not until #293 is done.

assert cmd.succeeded
assert cmd.stdout == '200'

def test_pub_ca_certificate_downloadable(server, certificates, server_fqdn):
cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pub/katello-server-ca.crt")
assert cmd.succeeded
assert cmd.stdout == '200'