
PulpCA to "clients"? #320

Open
TJM opened this issue Jun 1, 2018 · 8 comments

Comments

@TJM
Member

TJM commented Jun 1, 2018

In order for the "client" systems to validate the SSL connection to the Pulp Server, the PulpCA needs to be listed in the yumrepo files. How is that handled? Maybe there should be a "custom fact" that exposes the CA Public Cert to puppet so that it can be exported from the pulp server and "imported" on the pulp clients?

How would this normally be handled?

NOTE: I tried to use the Puppet certs, since the puppet CA is already present on all agents, and they already have a signed SSL certificate, but I had trouble making pulp-admin work cleanly (without a bunch of hackery or setting validate_ssl to false). That seems like it would be ideal, but may not work the way Pulp is architected.

@TJM
Member Author

TJM commented Jun 12, 2018

Does anybody use https (properly)?

@ekohl
Member

ekohl commented Jun 22, 2018

I missed this due to travel. Usually we deploy this together with Katello which also includes Candlepin. This has its own CA and every client is registered. This allows using SSL connections. pulp-admin can be configured to use a different CA file using ca_file (exposed as $pulp::admin::ca_path) and I expect this would work but I have no experience with this.

@TJM
Member Author

TJM commented Jun 22, 2018

Hi @ekohl,

Thanks for your response!

As I mentioned, I was going to try to use the Puppet certs, since every system already had a signed host cert (specifically the pulp server), and the ca.pem is already populated to all hosts too to make it easy to point to in yum.repos.d files. However, that broke the ability to use pulp-admin login since apparently it is trying to sign a certificate for the user? I wasn't quite sure, and didn't really dig too deeply into it.

It appears in my cursory check that candlepin is like a subscription management service? I am not sure if I need or even want a subscription management service. I need to provide local access to software updates, with the ability to control when updates are sync'd (so we can apply updates to non-prod, then a week later to prod and expect that the updates have already been tested). I am not even sure why the hosts need individual certs. The only one that I should have to care about is the pulp server itself, and I could potentially use a 'corpCA' cert for that, but then pulp-admin gets all cranky.

I appreciate any advice you can offer :)

Thanks in advance,
~tommy

@ekohl
Member

ekohl commented Jun 22, 2018

Have you had a look at #138? The workaround is to set ssl_username => ''. We should change the default to that and explicitly set it when we need to but that's a major version bump.

@TJM
Member Author

TJM commented Jun 22, 2018

Yes, we have pulp::ssl_username set to false.

#####
# pulp: https://forge.puppet.com/katello/pulp
pulp::ssl_verify_client: optional
pulp::ssl_username: false
pulp::enable_admin: true

#####
# yum: https://forge.puppet.com/puppet/yum
yum::managed_repos:
  - pulp2
  - extras
yum::repos:
  extras:
    enabled: 1

### NOTE: The pulp2 yum repo is defined in osfamily/RedHat.yaml

@ekohl
Member

ekohl commented Jun 22, 2018

I think I'm reaching the limit of my pulp knowledge here. Maybe it's best to reach out to the pulp community for this.

@TJM
Member Author

TJM commented Jun 25, 2018

I was thinking of a custom fact that would read the CA certificate into a fact, then I could "export" a "file" resource with the contents of that fact (certificate)... then "realize" it on the agents/clients? ... but that seems rather convoluted too :-/

Is there some way to call the Pulp Community over to this thread? Context is usually very important for something like this in my experience.

~tommy
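An added example of the custom-fact approach described in the comment above (example code, not from this thread or the katello/pulp module): a Facter fact that exposes the Pulp CA public certificate only after checking that the file really is a currently valid CA certificate and not, say, a private key, so nothing unexpected gets exported through PuppetDB. The path /etc/pki/pulp/ca.crt, the fact name pulp_ca_cert and the resource tag are assumptions; the self-signed CA is constructed inline so the example runs offline.

```ruby
require 'openssl'

PULP_CA_PATH = '/etc/pki/pulp/ca.crt'.freeze # assumed location of the Pulp CA

# Return the PEM if it parses as an X.509 certificate that is a CA and is
# valid at `now`; otherwise nil, so the fact is simply absent on that node.
def pulp_ca_cert_value(pem, now = Time.now)
  return nil if pem.nil? || pem.include?('PRIVATE KEY')
  cert = OpenSSL::X509::Certificate.new(pem)
  bc = cert.extensions.find { |e| e.oid == 'basicConstraints' }
  return nil unless bc && bc.value.include?('CA:TRUE')
  return nil if now < cert.not_before || now > cert.not_after
  cert.to_pem
rescue OpenSSL::X509::CertificateError
  nil
end

# Only registered when loaded by Facter (e.g. from lib/facter/ in a module).
if defined?(Facter)
  Facter.add(:pulp_ca_cert) do
    confine { File.readable?(PULP_CA_PATH) }
    setcode { pulp_ca_cert_value(File.read(PULP_CA_PATH)) }
  end
end

# Constructed self-signed certificate for offline testing; ca: false builds a
# leaf certificate that the fact must refuse to expose.
def sample_ca_pem(ca: true)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Example Pulp CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  ef_value = ca ? 'CA:TRUE' : 'CA:FALSE'
  cert.add_extension(ef.create_extension('basicConstraints', ef_value, true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert.to_pem
end

# Puppet side (manifest, not run here). On the Pulp server:
#   @@file { '/etc/pki/pulp/ca.crt': content => $facts['pulp_ca_cert'], tag => 'pulp_ca' }
# On each client, collect it and point the yumrepo's sslcacert at that path:
#   File <<| tag == 'pulp_ca' |>>
```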

@ekohl
Member

ekohl commented Jun 25, 2018

There is a #pulp channel on Freenode where they said pulp-list is the correct place to ask.
