Foreman Proxy

[stejskalleos]

No description provided.

[ekohl]

Why did you go with a separate playbook instead of a adding a feature?

306b10e and 329bd48 would need to be reverted, but also made optional.

Design wise I'd like to use #188 to specify you want to add a Foreman Proxy (as a feature).

[ehelms]

Why did you go with a separate playbook instead of a adding a feature?

I know I suggested going this route to get started since the feature implementation is not flushed out, and having a dedicated command allows for easy testing and conceptualizing right now. And helps start off with a "clean" split between Foreman and smart-proxy.

[ekohl]

Ok. As long as the Ansible role prepares for extension then we can later include it with proper features support into the main deploy playbook

[shubhamsg199]

Shouldn't we consider configuring the foreman_proxy and its container, during foremanctl deploy time, since it doesn't create default proxy for the foreman deployment yet?

[ehelms]

Take a look at: #279 (comment)

And then, I'd be curious, why do you think deploy should include a foreman-proxy by default?

[shubhamsg199]

I was checking the endpoint we use -> https://satellite.example.com/api/v2/smart_proxies with data {"search": "name=satellite.example.com"} and it returned empty results for the proxy present by default.
Also, I'm curious how we'd handle the external proxy ?

[stejskalleos]

Also, I'm curious how we'd handle the external proxy ?

In future PR, not this one.

[stejskalleos]

I tested the search in UI and it works fine, weird it doesn't work for API.

[stejskalleos]

Be careful, the first proxy is named satellite.example.com-pulp

[stejskalleos]

• Renamed to Foreman Proxy
• Added test

[ekohl]

For configuration it might be time to dust off theforeman/smart-proxy#656 again. Not as something we need to get done before we release it, but keep it in mind.

[ekohl]

IMHO we should always validate certificates. We should have them on the system already.

[evgeni]

On the system yes, but not in the system trust. you'll have to use ca_path parameter to the module (which we currently also don't do for the pulp proxy)

[ekohl]

Follow up issue for foremanctl 3.0?

[evgeni]

Yes, please.

[stejskalleos]

Clarification for the 3.0 ticket:
Do we want to support the ca_path parameter for the Ansible module, or do we want to add the CA to the trusted store?

[evgeni]

ca_path, we should not alter the trust store.

[stejskalleos]

https://issues.redhat.com/browse/SAT-40221

[ekohl]

This is unreliable, since the user may change username & password after installation. The oauth credentials should be reliable.

[evgeni]

Our Ansible collection can't do OAutho tho.

[evgeni]

foremanctl/src/roles/foreman/tasks/main.yaml

Lines 225 to 226 in adfc046

	username: "{{ foreman_initial_admin_username }}"
	password: "{{ foreman_initial_admin_password }}"

has the same issue

[ekohl]

Oh, that's going to be some reliability issue down the line. We should track that somehow.

[stejskalleos]

https://issues.redhat.com/browse/SAT-40212

[ekohl]

Can I, as a user, run this on its own host and foremanctl foreman-proxy --foreman-url https://foreman.example.com or is that fully out of scope for now?

[ekohl]

Do we need this to be done in foremanctl? I see 2 options:

1. Properly templated in foremanctl where the user can enable/disable the module via a variable
2. The container image defaults it to this and we don't override it at all

My preference would be to keep it simple and go for option 2.

[stejskalleos]

Right now the image does not do it by default, so should I move the logic from here to the image?

I can do it, but if we are going to manage the other features and their templates with foremanctl, IMHO, we can keep it as it is.

[evgeni]

I tend to agree. While logging is a tad special (as we're effectively abusing it for the proxy to work at all here), we'll be adding more modules soon, and those will be configurable, so… leave it here as is and (maybe) make it configurable later

[ekohl]

Not a blocking comment, but this is more a forward thinking discussion, but we know it's coming soon so it's best to start thinking about it.

Thinking more about this, how are we going to make it extensible? We know there will be many modules. Just to name a few off the top of my head:

• REX
• DHCP (with a provider, so at least 2 config files)
• DNS (also with a provider)
• TFTP
• Realm

Design wise we may want to split those out into into separate Ansible task files. How are we going to add the secrets? Will we use systemd drop in files to keep the container file here reasonably simple?

[evgeni]

I think /etc/containers/systemd/foreman-proxy.container.d/<feature>.conf makes a lot of sense for this.

[evgeni]

Can I, as a user, run this on its own host and foremanctl foreman-proxy --foreman-url https://foreman.example.com or is that fully out of scope for now?

Right now it's not exposed and I think should belong into a separate PR (especially as it implies having some way to transfer certificate bundles)

[evgeni]

I didn't expect this to work, but it does. Magic.

Is there any benefit over STDOUT (which will also work in the OpenShift case)?

[stejskalleos]

I don't know TBH, not really sure how this smart-proxy -> container -> journal relationship works under the hood, so I'll leave the final decision up to you

[evgeni]

Then I think I'd prefer the plain STDOUT

[ekohl]

Perhaps we can start with journal now and investigate whether Foreman Proxy can learn to autodetect it?

[ekohl]

https://systemd.io/JOURNAL_NATIVE_PROTOCOL/#automatic-protocol-upgrading

[ekohl]

theforeman/smart-proxy#925 is what I was thinking about. Not something we need to sort out right now, but I'm starting to think about ways we can make foreman-proxy itself more container native.

[evgeni]

Two last small things, then we can get this in.

Thanks!