Fixes #38297 - Use client certificates for Candlepin events

[ehelms]

What are the changes introduced in this pull request?

This relies upon first getting in theforeman/puppet-certs#490

The Candlepin events use the Foreman client certificates but the default CA since Candlepin runs using localhost certificates generated by the default CA. This means that it can't use the /etc/foreman/proxy_ca.pem certificate in it's current form as it represents the server CA. In the dependent PR, this would move to using a bundle CA combining the default and server CA into the single file allowing it to be used.

In production, the candlepin_events get configured in katello.yaml as:

  :candlepin_events:
    :ssl_cert_file: /etc/foreman/client_cert.pem
    :ssl_key_file: /etc/foreman/client_key.pem
    :ssl_ca_file: /etc/pki/katello/certs/katello-default-ca.crt

If this change goes forward, we would remove this section entirely, and rely upon Foreman core to handle configuration of certificates and reduce the configuration surface area of Katello. It would then follow that we can drop this parameter as well:

  :candlepin:
    :ca_cert_file: /etc/pki/katello/certs/katello-default-ca.crt

Which the code is already prepared to handle (https://github.com/Katello/katello/blob/master/app/services/cert/certs.rb#L31-L33).

What are the testing steps for this pull request?

1. The Packit PR from this change needs to be installed.
2. Install fresh or update install with custom certificates (this can be helpful).
3. The installer PR is needed (Bundle default and server CA certificate and use for Foreman client CA theforeman/puppet-certs#490)

This can either be installed via Forklift, or wait for it to land in the installer before testing this.

[ehelms]

Now that theforeman/puppet-certs#490 has been merged, the CA certificate will contain the default and server certificates. Candlepin communication can then use this instead of the CA certificate deployed for Apache's usage and rely on the Foreman settings.

[ehelms]

As an additional note, this would reduce the needed configuration for Katello to:

:katello:
  :rest_client_timeout: <%= @rest_client_timeout %>

  :candlepin:
    :oauth_key: "<%= @candlepin_oauth_key %>"
    :oauth_secret: "<%= @candlepin_oauth_secret %>"

@ekohl Do you think we could re-use the Foreman oauth key and secret? Or should we keep that separate?

@parthaa Do you think rest_client_timeout could be moved to an application Setting rather than an installer SETTING?

[ekohl]

@ekohl Do you think we could re-use the Foreman oauth key and secret? Or should we keep that separate?

I think we should keep that separate. Those are server side credentials and these are client side credentials.

[ekohl]

Generally 👍 on this, but I can't see why the tests fail. I have a feeling that it's more common in Katello that the tests just exit with rake aborted!. Do we not set up a reporter or something?

[ehelms]

@jeremylenz Mind taking a look? Are the test failures expected?

[ekohl]

@ehelms probably good to create a Redmine issue already

[sjha4]

Commit message is invalid but the other failures are unrelated. The React tests are failing on PF5 upgrades and the ruby failure is from a flaky test.
katello/test/actions/katello/content_view_version/republish_repositories_test.rb#L23 - Failure: test_0001_plans with default values**

[ehelms]

Thanks @sjha4. Added a Redmine.

[sjha4]

Ack..👍🏼
Unrelated React tests are going to stay broken but feel free to merge this.

[ianballou]

Merged since the test failures are unrelated.