Katello support syncing a protected repo

Hi all,

I'm wondering if Katello is able to sync a repository that is SSL
protected? I see pulp can do it

https://pulp-rpm-user-guide.readthedocs.io/en/2.5-release/recipes.html

I can't see any options in the GUI or via hammer. Is it worth adding a
feature request?

Thanks :slight_smile:
Dylan

Dylan,

We are able to sync ssl-protected repositories, but at this time it is only
red hat ones where the certs come via a manifest. For custom repositories
(which I imagine is what you mean) we don't have this functionality.

By all means open a feature request!
Foreman (be sure to
choose feature in the Tracker dropdown)

John Mitsch
Red Hat Engineering
(860)-967-7285
irc: jomitsch

··· On Sun, May 15, 2016 at 8:19 PM, Dylan Baars wrote:

Hi all,

I’m wondering if Katello is able to sync a repository that is SSL
protected? I see pulp can do it

https://pulp-rpm-user-guide.readthedocs.io/en/2.5-release/recipes.html

I can’t see any options in the GUI or via hammer. Is it worth adding a
feature request?

Thanks :slight_smile:
Dylan


You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Thanks John, I've done added a feature request :slight_smile:
http://projects.theforeman.org/issues/15068

··· On Tue, May 17, 2016 at 6:31 AM, John Mitsch wrote:

Dylan,

We are able to sync ssl-protected repositories, but at this time it is
only red hat ones where the certs come via a manifest. For custom
repositories (which I imagine is what you mean) we don’t have this
functionality.

By all means open a feature request!
Foreman (be sure to
choose feature in the Tracker dropdown)

John Mitsch
Red Hat Engineering
(860)-967-7285
irc: jomitsch

On Sun, May 15, 2016 at 8:19 PM, Dylan Baars baarsd@gmail.com wrote:

Hi all,

I’m wondering if Katello is able to sync a repository that is SSL
protected? I see pulp can do it

https://pulp-rpm-user-guide.readthedocs.io/en/2.5-release/recipes.html

I can’t see any options in the GUI or via hammer. Is it worth adding a
feature request?

Thanks :slight_smile:
Dylan


You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.


You received this message because you are subscribed to a topic in the
Google Groups “Foreman users” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/foreman-users/-ZoHAwl1gc0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

So a workaround for this -

install the pulp-admin tools

yum install pulp-admin-client

As per Bug #12841: Cert mismatch for katello 2.4 RC3 in files /etc/httpd/conf.d/pulp.conf and /etc/pulp/server.conf - Katello - Foreman setup to be able to

actually use pulp-admin

This applies to katello 3.0, 2.4 is different - see the issue

cat /etc/pki/katello/certs/pulp-client.crt
/etc/pki/katello/private/pulp-client.key > ~/.pulp/user-cert.pem

Add the repository using pulp-admin

pulp-admin rpm repo create --repo-id=example-repo
–feed=https://rpm.example.com/centos7/x86_64/release
–feed-ca-cert=/etc/yum/certs/example_ca.cert
–feed-cert=/etc/yum/certs/example.cert
–feed-key=/etc/yum/certs/example.key
–serve-http=true
–relative-url example/centos7/x86_64/release

Setup a schedule to sync from the external repo

pulp-admin rpm repo sync schedules create --schedule '2016-05-17T00:00/P7D'

–repo-id "example-repo"

Publish the new repo

pulp-admin rpm repo publish run --repo-id example-repo

With all that done, you can add a new product/repository in Katello and
point it at the above pulp repo - so e.g. the repo above was added with the
following URL
http://katello.server.com/pulp/repos/example-repo/centos7/x86_64/release

I couldn't get Katello to work using a HTTPS URL - does anyone have any
idea why?

> So a workaround for this -
>
> # install the pulp-admin tools
> yum install pulp-admin-client
>
> # As per Bug #12841: Cert mismatch for katello 2.4 RC3 in files /etc/httpd/conf.d/pulp.conf and /etc/pulp/server.conf - Katello - Foreman setup to be able to
> actually use pulp-admin
> # This applies to katello 3.0, 2.4 is different - see the issue
> cat /etc/pki/katello/certs/pulp-client.crt
> /etc/pki/katello/private/pulp-client.key > ~/.pulp/user-cert.pem
>
> # Add the repository using pulp-admin
> pulp-admin rpm repo create --repo-id=example-repo
> --feed=https://rpm.example.com/centos7/x86_64/release
> --feed-ca-cert=/etc/yum/certs/example_ca.cert
> --feed-cert=/etc/yum/certs/example.cert
> --feed-key=/etc/yum/certs/example.key
> --serve-http=true
> --relative-url example/centos7/x86_64/release
>
> # Setup a schedule to sync from the external repo
> pulp-admin rpm repo sync schedules create --schedule
> '2016-05-17T00:00/P7D'
> --repo-id "example-repo"
>
> # Publish the new repo
> pulp-admin rpm repo publish run --repo-id example-repo
>
> With all that done, you can add a new product/repository in Katello and
> point it at the above pulp repo - so e.g. the repo above was added with the
> following URL
> http://katello.server.com/pulp/repos/example-repo/centos7/x86_64/release
>
> I couldn't get Katello to work using a HTTPS URL - does anyone have any
> idea why?
>

See Bug #14916: CDN url is allowed to be "https", which only works for one hostname - Katello - Foreman

··· On Tue, May 17, 2016 at 12:51 AM, Dylan Baars wrote:


You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.