Completely Revoke Entitlement/Subscription to protected repositories? Subscription lifetime?

Problem:
Evaluating Foreman/Katello as a solution to provide security/bugfix updates (tested/approved by our QA) to our product which uses Rocky9 as a base OS.

We want to provide our customers with a repository with the latest tested rpms of Rocky9 security patches and our custom rpms, but only customers with a valid support contract should have access to our repos.

Since we are using Rocky, we are not dealing with any "upstream" subscriptions.

For testing we have some protected repos added to a content view.
New Hosts not registered to foreman can’t access the repos which is good
Hosts registered to foreman and our content view can access the repos, which is also good

But we can’t find a reliable way to remove access to the repositories once a host was registered.

Deleting the host from the Foreman UI still leaves the PKI entitlement client certificate intact; it can still pull updates, probably until the certificate expires in one year?
The lifetime of the entitlement certificates seems to be fixed at 1 year. I did not find a way to reduce this time.

Expected outcome:

Possibility to revoke access to our repos when the support contract expires, i.e. revoke the entitlement client certificate.
As a possible workaround, is it possible to limit the lifetime of the entitlement certificate to a shorter time, maybe 1 month?

Foreman and Proxy versions:
Foreman 3.11.0, Katello 4.13

It’s an interesting idea, but Katello unfortunately does not offer that kind of control over certificates.

Check out "Restricting hosts' access to content," which gives the documentation's official recommendations (in order) for the strategies you can use: Managing content

You could possibly achieve something like this with a content view / lifecycle environment structure. I can envision something where you would publish a new content view version that removes the expired content on a monthly basis, perhaps? It would be up to you to design the specifics of that, though.

Thanks for the answer.
Is this a limitation of Candlepin itself or of Katello/Foreman?

I tried to play around directly with the Candlepin API and made it to the Swagger docs page, but I don't know how to authenticate against Candlepin to actually use the API.

Yeah, Candlepin may be able to do it. But making direct API calls to Candlepin would be totally undocumented and unsupported from a Katello perspective. (in other words, you’d be on your own there.)

Here is what I found out over the day.

Candlepin is correctly recording info about revoked host certificates when a host is removed from the Foreman UI. They even had functionality to create a CRL to consume, but unfortunately this was removed due to performance/memory issues:

https://bugzilla.redhat.com/show_bug.cgi?id=1928161

Instead, Candlepin now offers an API to get the serial numbers of revoked certs.

This could be used in some kind of cron job to generate a CRL (has to be in PEM format) which can then be used in apache to reject access to hosts with revoked certs.

Configure Apache in /etc/httpd/conf.d/50-foreman-ssl.conf:

SSLCARevocationCheck chain
SSLCARevocationFile "/etc/httpd/crl.pem"
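One way to implement the cron-job step described in the post above (revoked serials in, PEM CRL out). This is an added example, not code from the thread, from Katello or from Candlepin. It assumes the serials arrive one per line in decimal, as Candlepin represents them (the thread does not name the API call, so fetching them is left to the operator), that the CRL is signed with the same CA that issued the entitlement certificates (the CA_KEY/CA_CERT arguments; the paths in the usage note are assumptions, check where your Candlepin CA lives), and that GNU coreutils and openssl are present, as on EL9. The serials in the test are constructed values.

```bash
#!/usr/bin/env bash
# Added example (not Katello/Candlepin code): build a PEM CRL from a list of
# revoked entitlement-certificate serials so Apache can enforce it through
# SSLCARevocationFile. Uses "openssl ca -gencrl" driven by a hand-written
# index.txt, so no real CA database is needed.
set -euo pipefail

# openssl's index wants the serial as even-length hex; Candlepin hands out
# decimal. Java long serials fit in bash's 64-bit arithmetic.
dec_to_hex() {
    local hex
    hex=$(printf '%X' "$1")
    (( ${#hex} % 2 )) && hex="0$hex"
    printf '%s' "$hex"
}

# build_crl SERIALS_FILE CA_KEY CA_CERT OUT_CRL
#   SERIALS_FILE: one decimal serial per line (assumed to come from Candlepin)
#   CA_KEY/CA_CERT: the CA that issued the entitlement certs (assumption:
#   your Candlepin CA; Apache only honours a CRL signed by the issuer)
build_crl() {
    local serials=$1 ca_key=$2 ca_cert=$3 out=$4
    local work now exp
    work=$(mktemp -d)
    now=$(date -u +%y%m%d%H%M%SZ)             # revocation date, ASN.1 UTCTime
    exp=$(date -u -d '+1 year' +%y%m%d%H%M%SZ) # GNU date; entitlement certs live 1 year

    # Minimal "openssl ca" config: -gencrl only needs the database and a digest.
    cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = crl_ca

[ crl_ca ]
database   = $work/index.txt
default_md = sha256
EOF

    # index.txt rows, tab separated: status, expiry, revocation date,
    # serial (hex), file, subject. Every row is "R" (revoked); the subject is
    # a placeholder because the CRL carries serials only.
    : > "$work/index.txt"
    while IFS= read -r serial; do
        [[ -z $serial ]] && continue
        printf 'R\t%s\t%s\t%s\tunknown\t/CN=revoked-%s\n' \
            "$exp" "$now" "$(dec_to_hex "$serial")" "$serial" >> "$work/index.txt"
    done < "$serials"

    # nextUpdate is one day out: the cron job must run at least daily or
    # mod_ssl will reject every client with "CRL has expired".
    openssl ca -config "$work/ca.cnf" -gencrl -crldays 1 \
        -keyfile "$ca_key" -cert "$ca_cert" -out "$out"
    rm -rf "$work"
}

# crl_revoked_count CRL -> number of revoked serials listed in the CRL
crl_revoked_count() {
    openssl crl -in "$1" -noout -text | grep -c 'Serial Number:' || true
}

# crl_verify CRL CA_CERT -> exit 0 only if the CRL signature checks out
crl_verify() {
    openssl crl -in "$1" -CAfile "$2" -noout
}
```

From cron this would be something like `build_crl /var/lib/revoked-serials.txt /etc/candlepin/certs/candlepin-ca.key /etc/candlepin/certs/candlepin-ca.crt /etc/httpd/crl.pem && systemctl reload httpd` (the Candlepin CA paths are an assumption for your deployment); mod_ssl reads SSLCARevocationFile at startup, so the reload is needed for a new CRL to take effect. Two caveats: `SSLCARevocationCheck chain` makes mod_ssl expect a CRL for every CA in the client's chain, so unless you also provide CRLs for the other CAs (or add the `no_crl_for_cert_ok` flag, httpd 2.4.21+) start with `leaf`, which checks only the entitlement certificate itself; and because the CRL above expires after a day, a missed cron run locks out all registered hosts rather than failing open.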

I think Candlepin would revoke the certificate when the host’s Candlepin consumer is removed, which makes sense. But in Foreman/Katello that would only happen when the host is removed.

Good enough for us: if a host should not get support/updates anymore, it will be removed from Foreman.
