Auto-detect and normalize installer certificates #421
ehelms wants to merge 3 commits into theforeman:master from
@ehelms could you please rebase this one
| - name: 'Issue other certificates' | ||
| - name: Issue host certificates | ||
| ansible.builtin.include_tasks: issue.yml |
This fails for "installer" certs, as the CA password is not properly loaded.
OTOH, I don't see why it would re-generate the installer issued certs to begin with.
| ansible.builtin.file: | ||
| path: "{{ certificates_ca_directory_keys }}" | ||
| state: directory | ||
| mode: '0755' |
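Review bot: `mode: '0755'` on the `certificates_ca_directory_keys` directory leaves the CA private-key directory world-readable; a key directory should be `mode: '0700'` (with the key files themselves `0600`), and the task should also pin `owner` and `group` so the restriction is not undone by a different invoking user or umask.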
the keys really should not be world readable
certs-check is right, "TASK [certificates : Sign server certificate] **********************************" did re-sign the cert, it really should not for "custom" certs, those can't be managed by us.
| ansible.builtin.include_tasks: ca.yml | ||
| when: certificates_ca | ||
| when: | ||
| - certificates_ca |
At this point, will that ever be false?
| when: certificates_ca | ||
| when: | ||
| - certificates_ca | ||
| - not certificates_installer_ca.stat.exists |
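Review bot: the new `- not certificates_installer_ca.stat.exists` condition assumes a `stat` result was registered as `certificates_installer_ca` earlier in the play; if that task is skipped or conditional, the `when` fails on an undefined variable instead of evaluating to false. Consider `not (certificates_installer_ca.stat.exists | default(false))` so a missing stat result does not abort the role.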
normalize.yml deletes /root/ssl-build/katello-default-ca.crt after execution, so on the next run of the role not certificates_installer_ca.stat.exists will be true and ca.yml will run -- is that intentional?
yepp, ran into this in https://github.com/theforeman/foremanctl/actions/runs/24706818357/job/72261872791?pr=421
| - "../../vars/defaults.yml" | ||
| - "../../vars/flavors/{{ flavor }}.yml" | ||
| - "../../vars/{{ certificate_source }}_certificates.yml" | ||
| - "../../vars/default_certificates.yml" |
arguably, this file now should be just certificates.yml, right?
The more I think about it, the more I think and the
I agree I can now pull out the custom certificates to their own PR. And that installer certificates via migration handling makes more sense as a one-time operation. Do you generally agree on the direction of installer certs support? That is, they should be "converted" so
Custom certificate handling now exists at: #462
Yes, as the setup (well, at the very least the CA) needs to be fully usable in foremanctl to deploy new proxies etc.
The default and custom_server certificate vars files defined identical paths since custom certificates are normalized into the same directory structure during deployment. Remove the vars file indirection and use a single certificates.yml for all certificate sources. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a dedicated CI job that exercises the foremanctl migrate workflow: install foreman-installer to create a realistic environment with an answer file and certificates, run foremanctl migrate to convert the answer file to foremanctl parameters, then deploy and test the result. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move foreman-installer certificate normalization into the migrate subcommand so it runs once during migration rather than on every deploy. The migrate_certificates role copies certs from /root/ssl-build/ into /root/certificates/, persists the CA passphrase into parameters.yaml, and backs up the original directory. Detect custom server certificates by comparing the internal CA with the server CA. When they differ, persist certificates_source: custom_server to prevent subsequent deploys from overwriting the custom server cert. Remove the installer certificate source since migrated certs use the default source paths after normalization. Mark certificate path parameters as IGNORE in the answer file migration since the role handles cert files directly. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
Users upgrading from foreman-installer need their existing certificates to continue working.
Previously, foremanctl required --certificate-source=installer and maintained separate variable paths pointing to /root/ssl-build/, meaning it could read installer certificates but not manage their lifecycle — no issuing new certificates using the existing CA, and no path to dropping katello-certs-tools.
This PR embeds migration of the installer certificates into the standard location of the default certificates. When foremanctl migrate runs it will move certificates at /root/ssl-build/: it copies them into /root/certificates/, backs up the original, and manages them natively using OpenSSL.
Changes
Test plan
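One way to perform the two checks the commit message and the summary above describe, as an added example that is not foremanctl's or the migrate_certificates role's own code: compare the internal CA with the server CA to decide between default and custom_server, and copy the files into a normalized layout whose keys are not world readable. The file names under the temporary directory are assumptions, and every certificate is constructed with openssl on the spot.

```shell
#!/bin/sh
# Added example, not foremanctl's own code: the decision the migrate step
# makes. If the installer's internal CA and the server CA differ, the server
# certificate is custom and must not be re-issued on deploy; keys copied into
# the normalized layout must not be world readable.
# File names are assumptions; every certificate is constructed below.
set -eu

# Print "default" when both CA files hold the same certificate (compared by
# SHA-256 fingerprint, so PEM whitespace or text headers do not matter),
# otherwise "custom_server", the value persisted as certificates_source.
detect_certificate_source() {
    a=$(openssl x509 -noout -fingerprint -sha256 -in "$1")
    b=$(openssl x509 -noout -fingerprint -sha256 -in "$2")
    [ "$a" = "$b" ] && echo default || echo custom_server
}

# Copy *.crt and *.key from $1 into $2/certs and $2/keys; the keys
# directory is created 0700 and each key file 0600, never 0755.
normalize_certificates() {
    install -d -m 0755 "$2/certs"
    install -d -m 0700 "$2/keys"
    for f in "$1"/*.crt; do install -m 0644 "$f" "$2/certs/"; done
    for f in "$1"/*.key; do install -m 0600 "$f" "$2/keys/"; done
}

# Constructed fixtures: two distinct self-signed CAs plus a copy of the first.
make_ca() {  # make_ca <basename> <common name>
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=$2" -days 1 >/dev/null 2>&1
}
work=$(mktemp -d)
cd "$work"
make_ca katello-default-ca "internal CA"
make_ca katello-server-ca "corporate CA"
cp katello-default-ca.crt same-ca.crt

detect_certificate_source katello-default-ca.crt same-ca.crt            # default
detect_certificate_source katello-default-ca.crt katello-server-ca.crt  # custom_server
normalize_certificates "$work" "$work/certificates"
ls -ld "$work/certificates/keys"   # drwx------
```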