[katello] Pulp 2.4 removing CRL support

FYI, pulp is going to be removing CRL support in a future build of
2.4.X, the pull request is here:

https://github.com/pulp/pulp_rpm/pull/520

I spoke with Jeff Ortel who is working on the PR and said I didn't think
that Katello uses any of Pulp's CRL functionality but wanted to throw
this PR to the list to see if anyone else can point out something I may
have missed.

Mike

-- 
Mike McCune
mmccune AT redhat.com
Red Hat Engineering | Portland, OR
Systems Management | 650-254-4248

So… if candlepin generates a CRL, who is enforcing it? Is apache
configured to read the CRL and then pass along the request to pulp only if
the cert is valid?

– bk

On 06/23/2014 06:12 PM, Mike McCune wrote:
> FYI, pulp is going to be removing CRL support in a future build of
> 2.4.X, the pull request is here:
>
> https://github.com/pulp/pulp_rpm/pull/520
>
> I spoke with Jeff Ortel who is working on the PR and said I didn't think
> that Katello uses any of Pulp's CRL functionality but wanted to throw
> this PR to the list to see if anyone else can point out something I may
> have missed.
>
> Mike

In what use cases does Candlepin, in the context of Katello, issue a
CRL? Not for expiration right? That is in the cert itself, I'd assume.

On Tue, Jun 24, 2014 at 7:28 AM, Mike McCune wrote:
> In what use cases does Candlepin, in the context of Katello, issue a CRL?
> Not for expiration right? That is in the cert itself, I'd assume.

I would imagine that when you delete a vm/host, its cert should be
invalidated… that's what we currently do for puppet certificates.

Ohad

You received this message because you are subscribed to the Google Groups
"foreman-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

On 06/24/2014 02:41 AM, Ohad Levy wrote:
> On Tue, Jun 24, 2014 at 7:28 AM, Mike McCune wrote:
>> In what use cases does Candlepin, in the context of Katello, issue
>> a CRL? Not for expiration right? That is in the cert itself, I'd
>> assume.
>
> I would imagine that when you delete a vm/host, its cert should be
> invalidated… that's what we currently do for puppet certificates.

Yeah, delete the consumer or remove a subscription from a consumer, I
would assume the cert would be revoked.

-Justin
