Skip to content

Add FORWARDER_CA_FILE environment variable support#5

Open
jeremylenz wants to merge 3 commits into
theforeman:mainfrom
jeremylenz:add-ca-file-support
Open

Add FORWARDER_CA_FILE environment variable support#5
jeremylenz wants to merge 3 commits into
theforeman:mainfrom
jeremylenz:add-ca-file-support

Conversation

@jeremylenz

Copy link
Copy Markdown

Summary

  • Add optional FORWARDER_CA_FILE environment variable so the worker can load a custom CA certificate for its HTTPS connection to the Foreman server, instead of relying on the system trust store
  • Reuse a single http.Client across requests instead of creating one per Send() call

This unblocks foremanctl#569, which currently adds the Foreman CA to the system trust store — an anti-pattern the team has decided to avoid because it's not inherited by containers, it makes unrelated tools trust the CA, and it creates inconsistency across deployment methods.

When FORWARDER_CA_FILE is set, the worker reads the PEM file and appends it to the system cert pool (with graceful fallback if the system pool is unavailable, e.g. in minimal containers). When unset, behavior is unchanged.

On the foremanctl side, this enables adding the env var to the worker TOML config:

env = [
  ...
  "FORWARDER_CA_FILE={{ foreman_ca_certificate }}"
]

Test plan

Automated

  • make build passes
  • make test passes (4 new tests + 1 existing)
  • make vet passes

Manual testing

Prerequisites: a working cloud connector setup (rhcd + yggdrasil-worker-forwarder) on a Foreman/Satellite server with HTTPS enabled.

Build and install the updated binary

# Clone and build
git clone https://github.com/jeremylenz/yggdrasil-worker-forwarder.git
cd yggdrasil-worker-forwarder
git checkout add-ca-file-support
make build

# Back up the existing binary and replace it
cp /usr/libexec/yggdrasil-worker-forwarder /usr/libexec/yggdrasil-worker-forwarder.bak
cp _build/yggdrasil-worker-forwarder /usr/libexec/yggdrasil-worker-forwarder

# Restart the service to pick up the new binary
systemctl restart rhcd

1. Verify current setup works

# Trigger a cloud connector request and confirm it succeeds
journalctl -u rhcd -f &
curl -k -u admin:changeme https://$(hostname)/api/v2/rh_cloud/cloud_request \
  -X POST -H 'Content-Type: application/json' -d '{"test": true}'
# Check worker logs for successful POST

2. Remove Foreman CA from system trust store

rm /etc/pki/ca-trust/source/anchors/foreman-ca.pem
update-ca-trust
systemctl restart rhcd

3. Confirm the worker now fails TLS verification

journalctl -u rhcd -f &
curl -k -u admin:changeme https://$(hostname)/api/v2/rh_cloud/cloud_request \
  -X POST -H 'Content-Type: application/json' -d '{"test": true}'
# Should see: "failed to send HTTP POST ... x509: certificate signed by unknown authority"

4. Configure FORWARDER_CA_FILE via foremanctl

Deploy the cloud-connector feature using the changes from foremanctl#569, which templates FORWARDER_CA_FILE into the worker TOML config at /etc/rhc/workers/foreman_rh_cloud.toml. Then restart the service:

systemctl restart rhcd

5. Confirm the worker connects successfully again

journalctl -u rhcd -f &
curl -k -u admin:changeme https://$(hostname)/api/v2/rh_cloud/cloud_request \
  -X POST -H 'Content-Type: application/json' -d '{"test": true}'
# Should see successful HTTP POST in logs, no TLS errors

6. Clean up

# Restore the original binary if needed
cp /usr/libexec/yggdrasil-worker-forwarder.bak /usr/libexec/yggdrasil-worker-forwarder
# Either restore the system trust store CA or leave FORWARDER_CA_FILE configured
systemctl restart rhcd

🤖 Generated with Claude Code

Allow the worker to specify a custom CA certificate file path for HTTPS
connections to the Foreman server instead of relying solely on the system
trust store.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
jeremylenz and others added 2 commits July 7, 2026 16:01
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant