Fixes #29803 - Move --certs* to hooks/

Author: wbclark

hooks/boot/20-certs_update.rb

@@ -0,0 +1,36 @@
+# Add options around regenerating certificates
+if module_present?('certs')
+  app_option(
+    '--certs-update-server',
+    :flag,
+    "This option will enforce an update of the HTTPS certificates",
+    :default => false
+  )
+  app_option(
+    '--certs-update-server-ca',
+    :flag,
+    "This option will enforce an update of the CA used for HTTPS certificates.",
+    :default => false
+  )
+  app_option(
+    '--certs-update-all',
+    :flag,
+    "This option will enforce an update of all the certificates for given host",
+    :default => false
+  )
+  app_option(
+    '--certs-reset',
+    :flag,
+    "This option will reset any custom certificates and use the self-signed CA " \
+    "instead. Note that any clients will need to be updated with the latest " \
+    "katello-ca-consumer RPM, and any external proxies will need to have the " \
+    "certs updated by generating a new certs tarball.",
+    :default => false
+  )
+  app_option(
+    '--certs-skip-check',
+    :flag,
+    "This option will cause skipping the certificates sanity check. Use with caution",
+    :default => false
+  )
+end

hooks/pre/20-certs_update.rb

@@ -0,0 +1,47 @@
+require 'fileutils'
+require 'English'
+
+if module_enabled?('certs')
+  SSL_BUILD_DIR = param('certs', 'ssl_build_dir').value
+
+  def mark_for_update(cert_name, hostname = nil)
+    path = File.join(*[SSL_BUILD_DIR, hostname, cert_name].compact)
+    if app_value(:noop)
+      puts "Marking certificate #{path} for update (noop)"
+    else
+      puts "Marking certificate #{path} for update"
+      FileUtils.touch("#{path}.update")
+    end
+  end
+
+  if param('foreman_proxy_certs', 'foreman_proxy_fqdn')
+    hostname = param('foreman_proxy_certs', 'foreman_proxy_fqdn').value
+  else
+    hostname = param('certs', 'node_fqdn').value
+  end
+
+  if app_value('certs_update_server')
+    mark_for_update("#{hostname}-apache", hostname)
+    mark_for_update("#{hostname}-foreman-proxy", hostname)
+  end
+
+  if app_value('certs_update_all') || app_value('certs_update_default_ca') || app_value('certs_reset')
+    all_cert_names = Dir.glob(File.join(SSL_BUILD_DIR, hostname, '*.noarch.rpm')).map do |rpm|
+      File.basename(rpm).sub(/-1\.0-\d+\.noarch\.rpm/, '')
+    end.uniq
+
+    all_cert_names.each do |cert_name|
+      mark_for_update(cert_name, hostname)
+    end
+  end
+
+  if app_value('certs_update_server_ca') || app_value('certs_reset')
+    mark_for_update('katello-server-ca')
+  end
+
+  if app_value('certs_reset') && !app_value(:noop)
+    param('certs', 'server_cert').unset_value
+    param('certs', 'server_key').unset_value
+    param('certs', 'server_ca_cert').unset_value
+  end
+end

hooks/pre_commit/20-certs_update.rb

@@ -0,0 +1,18 @@
+if module_enabled?('certs')
+  if app_value('certs_update_server_ca') && !module_enabled?('katello')
+    fail_and_exit("--certs-update-server-ca needs to be used with katello", 101)
+  end
+
+  ca_file   = param('certs', 'server_ca_cert').value
+  cert_file = param('certs', 'server_cert').value
+  key_file  = param('certs', 'server_key').value
+
+  if !app_value('certs_skip_check') && cert_file.to_s != "" &&
+     (app_value('certs_update_server_ca') || app_value('certs_update_server'))
+    check_cmd = %(katello-certs-check -c "#{cert_file}" -k "#{key_file}" -b "#{ca_file}")
+    output = `#{check_cmd} 2>&1`
+    unless $CHILD_STATUS.success?
+      fail_and_exit("Command '#{check_cmd}' exited with #{$CHILD_STATUS.exitstatus}:\n #{output}", 101)
+    end
+  end
+end