Fixes #29803 - Move --certs* to hooks/ #514
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| # Add options around regenerating certificates | ||
| if module_present?('certs') | ||
| app_option( | ||
| '--certs-update-server', | ||
| :flag, | ||
| "This option will enforce an update of the HTTPS certificates", | ||
| :default => false | ||
| ) | ||
| app_option( | ||
| '--certs-update-server-ca', | ||
| :flag, | ||
| "This option will enforce an update of the CA used for HTTPS certificates.", | ||
| :default => false | ||
| ) | ||
| app_option( | ||
| '--certs-update-all', | ||
| :flag, | ||
| "This option will enforce an update of all the certificates for given host", | ||
| :default => false | ||
| ) | ||
| app_option( | ||
| '--certs-reset', | ||
| :flag, | ||
| "This option will reset any custom certificates and use the self-signed CA " \ | ||
| "instead. Note that any clients will need to be updated with the latest " \ | ||
| "katello-ca-consumer RPM, and any external proxies will need to have the " \ | ||
| "certs updated by generating a new certs tarball.", | ||
| :default => false | ||
| ) | ||
| app_option( | ||
| '--certs-skip-check', | ||
| :flag, | ||
| "This option will cause skipping the certificates sanity check. Use with caution", | ||
| :default => false | ||
| ) | ||
| end |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| require 'fileutils' | ||
| require 'English' | ||
|
|
||
| if module_enabled?('certs') | ||
| SSL_BUILD_DIR = param('certs', 'ssl_build_dir').value | ||
|
|
||
| def mark_for_update(cert_name, hostname = nil) | ||
| path = File.join(*[SSL_BUILD_DIR, hostname, cert_name].compact) | ||
| if app_value(:noop) | ||
| puts "Marking certificate #{path} for update (noop)" | ||
| else | ||
| puts "Marking certificate #{path} for update" | ||
| FileUtils.touch("#{path}.update") | ||
| end | ||
| end | ||
|
|
||
| if param('foreman_proxy_certs', 'foreman_proxy_fqdn') | ||
| hostname = param('foreman_proxy_certs', 'foreman_proxy_fqdn').value | ||
| else | ||
| hostname = param('certs', 'node_fqdn').value | ||
| end | ||
|
|
||
| if app_value(:certs_update_server) | ||
| mark_for_update("#{hostname}-apache", hostname) | ||
| mark_for_update("#{hostname}-foreman-proxy", hostname) | ||
| end | ||
|
|
||
| if app_value(:certs_update_all) || app_value(:certs_update_default_ca) || app_value(:certs_reset) | ||
| all_cert_names = Dir.glob(File.join(SSL_BUILD_DIR, hostname, '*.noarch.rpm')).map do |rpm| | ||
| File.basename(rpm).sub(/-1\.0-\d+\.noarch\.rpm/, '') | ||
| end.uniq | ||
|
|
||
| all_cert_names.each do |cert_name| | ||
| mark_for_update(cert_name, hostname) | ||
| end | ||
| end | ||
|
|
||
| if app_value(:certs_update_server_ca) || app_value(:certs_reset) | ||
| mark_for_update('katello-server-ca') | ||
| end | ||
| end |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| if module_enabled?('certs') | ||
| if app_value(:certs_update_server_ca) && !module_enabled?('katello') | ||
| fail_and_exit("--certs-update-server-ca needs to be used with katello", 101) | ||
| end | ||
|
|
||
| if app_value(:certs_reset) | ||
| param('certs', 'server_cert').unset_value | ||
| param('certs', 'server_key').unset_value | ||
| param('certs', 'server_ca_cert').unset_value | ||
| end | ||
|
|
||
| ca_file = param('certs', 'server_ca_cert').value | ||
| cert_file = param('certs', 'server_cert').value | ||
| key_file = param('certs', 'server_key').value | ||
|
|
||
| if !app_value(:certs_skip_check) && !cert_file.to_s.empty? && | ||
| (app_value(:certs_update_server_ca) || app_value(:certs_update_server)) | ||
| execute_command(%(katello-certs-check -c "#{cert_file}" -k "#{key_file}" -b "#{ca_file}")) | ||
| end | ||
| end | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| ../../../hooks/boot/20-certs_update.rb | ||
|
Member
There was a problem hiding this comment. I always forget these and what they're exactly supposed to do. It would be great to have some integration tests to make sure the functionality actually does what it's supposed to.
Contributor
Author
There was a problem hiding this comment. I'm working on theforeman/forklift#1208 as a first step towards integration testing of installer PRs. Could we go ahead and merge this, and add tests in a future PR?
Member
There was a problem hiding this comment. Yes, tests can come after. Please file a Redmine issue to not lose track of the need.
Member
There was a problem hiding this comment. I agree they can come later, but I'm wonder how much we actually verified this continues to work. With the rest of the code I'm decently familiar with how it should work but I'm not that familiar with |
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| ../../../hooks/pre/20-certs_update.rb |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| ../../../hooks/pre_commit/20-certs_update.rb |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.