Conversation
evgeni
force-pushed
the
proxy-features
branch
from
7100b9a to
c81b6c2
Compare
| name: foreman-proxy | ||
| state: restarted | ||
|
|
||
| - name: Refresh Foreman Proxy |
There was a problem hiding this comment.
This gets executed too early on fresh installs. Damn.
There was a problem hiding this comment.
Now i wonder why is refreshing feature needed at the first place?
There was a problem hiding this comment.
Foreman stores the list of features a Proxy has in its database, when the configuration of a proxy changes, you need to "refresh" that data.
And as we're deploying without REX first in the tests, we need to refresh once we enabled REX.
evgeni
force-pushed
the
proxy-features
branch
from
4b3451c to
64f8540
Compare
| name: foreman-proxy-remote_execution_ssh-ssh-key | ||
| path: /root/foreman-proxy-ssh | ||
| notify: | ||
| - Restart Foreman Proxy | ||
| - Refresh Foreman Proxy | ||
|
|
||
| - name: Create SSH Pub podman secret | ||
| containers.podman.podman_secret: | ||
| state: present | ||
| name: foreman-proxy-remote_execution_ssh-ssh-pub | ||
| path: /root/foreman-proxy-ssh.pub |
There was a problem hiding this comment.
These two tasks can be consolidated into a loop to create the SSH key/pub secrets, which will also ensure the handler runs only once, OR just run the handler when SSH secrets are mounted to the container
There was a problem hiding this comment.
Handlers run only once, no matter how often they are notified.
| - name: Create SSH Key podman secret | ||
| containers.podman.podman_secret: | ||
| state: present | ||
| name: foreman-proxy-remote_execution_ssh-ssh-key |
There was a problem hiding this comment.
| name: foreman-proxy-remote_execution_ssh-ssh-key | |
| name: foreman-proxy-remote_execution_ssh-key |
evgeni
force-pushed
the
proxy-features
branch
from
922ca79 to
d103cc6
Compare
evgeni
force-pushed
the
proxy-features
branch
4 times, most recently
from
6d74c47 to
3ee17bd
Compare
|
theforeman/smart_proxy_remote_execution_ssh#128 dropped ssh-async mode , would you include this patch to keep the config file in sync 0001-Adjust-sp-rex-ssh-config-file-to-async-ssh-removal.patch ? |
evgeni
force-pushed
the
proxy-features
branch
from
3ee17bd to
194332a
Compare
|
theforeman/smart_proxy_remote_execution_ssh#126 added new settings for SSH certs, here is a patch that adds the new settings: diff --git a/src/roles/foreman_proxy/templates/settings.d/remote_execution_ssh.yml.j2 b/src/roles/foreman_proxy/templates/settings.d/remote_execution_ssh.yml.j2
index b7d6402..76ad344 100644
--- a/src/roles/foreman_proxy/templates/settings.d/remote_execution_ssh.yml.j2
+++ b/src/roles/foreman_proxy/templates/settings.d/remote_execution_ssh.yml.j2
@@ -11,6 +11,15 @@
# Mode of operation, one of ssh, pull, pull-mqtt
:mode: ssh
+# Enables the use of SSH certificate for smart proxy authentication
+# The file should contain an SSH CA public key that the SSH public key of smart proxy is signed by
+# :ssh_user_ca_public_key_file:
+
+# Enables the use of SSH host certificates for host authentication
+# The file should contain a list of trusted SSH CA authorities that the host certs can be signed by
+# Example file content: @cert-authority * <SSH CA public key>
+# :ssh_ca_known_hosts_file:
+
# Defines how often (in seconds) should the runner check
# for new data leave empty to use the runner's default
# :runner_refresh_interval: 1 |
evgeni
force-pushed
the
proxy-features
branch
from
194332a to
caf8416
Compare
|
@adamlazik1 thanks, applied |
|
What remains to be done here until this can be undrafted? |
evgeni
force-pushed
the
proxy-features
branch
from
eaf7e75 to
53daace
Compare
evgeni
force-pushed
the
proxy-features
branch
3 times, most recently
from
c6bc7ff to
f309355
Compare
evgeni
force-pushed
the
proxy-features
branch
from
f309355 to
4e4c695
Compare
This PR was my PoC to figure out what we need to put into our feature metadata (see #372). This PR also has two dependencies that can be reviewed/merged independently:
Once those are settled (and the "temp" commits dropped), we can continue here. |
|
So, while adding feature |
|
This is actually an oversight of the implementation in this PR. |
| - name: Configure features | ||
| ansible.builtin.include_tasks: feature.yaml | ||
| vars: | ||
| feature_enabled: "true" |
There was a problem hiding this comment.
Are we limiting this feature_enabled to true and false, as i see it can have http, https etc as well?
There was a problem hiding this comment.
It can, but given that we only configure a https port right now, it's kinda pointless to differentiate.
Yes, that should work, but if i understand correctly the design is to keep known features list limited to what user asked for(like a user said i want feature A and B then A, B should be in the known feature list). but the extra dependencies features are something user never touch. so then should we technically put dependencies in that known feature list, i am bit confused here? Also from a broder view removing a feature or disabling a feature is completely distinct thing, as removing should remove configs,(maybe binaries too), and disabling should just update the config. but here removing feature just disables 😕 |
No, I think we still need to map out those dependency features as features, just sometimes ones that we don't show the user (in #372 I introduce an Our metadata lists all known features (and thus all known foreman proxy plugins). Which right now means Now the user says "give me If the user now decides to disable
We can't remove binaries, they are baked into the container. |
evgeni
force-pushed
the
proxy-features
branch
from
341de61 to
f56e7f0
Compare
evgeni
force-pushed
the
proxy-features
branch
from
f56e7f0 to
9f7bd3f
Compare
| foreman_proxy_base_feautures: | ||
| - logs |
|
I've split out a few smaller changes in own PRs to make them easier to review: |
evgeni
force-pushed
the
proxy-features
branch
from
9f7bd3f to
3f6990a
Compare
evgeni
force-pushed
the
proxy-features
branch
from
3f6990a to
f90800c
Compare
this is suboptimal, as it means we do an additional restart, but it ensures the refresh works
evgeni
force-pushed
the
proxy-features
branch
from
f90800c to
cd5f9bb
Compare
5 participants
No description provided.