This will be a larger than average RFC as it intends to cover every functional and conceptual area that needs attention to normalize Katello as a plugin within the Foreman ecosystem.
Certificate handling
Katello and Foreman use different default certificate infrastructures which can prove difficult to reconcile when trying to add Katello to Foreman. Further, other forces such as optional Puppet are driving a need for a base, default certificate setup for Foreman.
Nested Organizations
Katello does not support nested organizations, not only disabling them but throwing an error if they are enabled. The reason for this is the way that Katello maps Foreman organizations to Candlepin organizations one to one. Object scoping in Katello is locked to an organization. Manifests and subscriptions are tied to a single organization. Some possible solutions:
- Mark organizations as “subscription” organizations and only allow certain operations on those organizations; or root organization is the only one tied to a Candlepin organization
- Drop nested organizations altogether from Foreman
- Allow any organization to import a manifest but scope the subscriptions to only that organization; sub-orgs would not see parent subscriptions
Foreman Proxy vs. Foreman Proxy with Content
Moved to its own RFC
Port discrepancy of smart proxy
Katello defaults smart-proxy to port 9090 since Candlepin uses 8443. Smart proxies by default use 8443 for HTTPS. Adding Katello to an existing Foreman today would require changing a user's Smart Proxy port on the server. As well, for external proxies, Katello deploys the smart-proxy on 9090 because an Apache reverse proxy is deployed to 8443.
Proposal: rfc-new-default-port-for-smart-proxy
Tracker: #29667
- Move Candlepin to new port by default (e.g. 9443) (Redmine Issue)
- Use 8443 by default for smart proxy HTTPS port everywhere (Redmine Issue)
- Move external Apache reverse proxy to 443 (Redmine Issue)
Convert reverse proxy on foreman proxy with content to registration gateway with smart proxy feature
Katello deploys a reverse proxy on external Foreman Proxies to allow hosts to register via subscription-manager through the proxy and get content such as GPG keys served by the main server.
Proposal
- Elevate the reverse proxy deployed to a smart-proxy feature
- Allows detection of reverse proxy within the smart-proxy UI and knowledge of which proxies have reverse proxies deployed
Split up foreman-proxy-content
Moved to a Redmine Tracker
Installer
There is a broader development thread around changes to the installer that can be found here. There are some changes that can target bringing Foreman and Katello together within the installer ecosystem outlined here. Within our installer there are effectively two major scenarios: Foreman and Katello (the foreman-proxy-content scenario effectively belongs to Katello). We see a split between how those scenarios are handled, from hooks to migrations.
Merge hooks
Moved to a Redmine Tracker
Merge migrations
Moved to a Redmine Issue