Fixes #38478 - Introduce SSH CA certificate support #977
Conversation
|
Only drafting stage. |
adamlazik1
force-pushed
the
ssh-cert-support
branch
7 times, most recently
from
2727578 to
f691cbc
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
f691cbc to
2785acd
Compare
|
I will keep this in draft because there will be four PRs in total that should get merged at roughly the same time, but I do believe that this is now ready for review. |
| rescue | ||
| Rails.logger.info("Unable to fetch CA public key. Using public key authentication instead.") |
There was a problem hiding this comment.
So if the proxy doesn't have the ca_pubkey endpoint, the get will raise and we'll get this warning. If the proxy has that endpoint, but doesn't have a ca_pubkey configured, the get will silently return an empty string, right?
There was a problem hiding this comment.
Right. Looking at it now I don't know why I made it like this, the message makes little sense. I updated it to reflect the behavior of the pubkey api call.
app/models/concerns/foreman_remote_execution/smart_proxy_extensions.rb
Outdated
Show resolved
Hide resolved
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
2785acd to
3299a3e
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
9093a40 to
7707987
Compare
app/models/concerns/foreman_remote_execution/host_extensions.rb
Outdated
Show resolved
Hide resolved
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
7707987 to
a4914f8
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
a4914f8 to
3a29a7b
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
3a29a7b to
96ae1a6
Compare
|
Switching back to draft since the feature got postponed to 3.16 |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
96ae1a6 to
7d39bd4
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
7d39bd4 to
25a85f5
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
25a85f5 to
1e30bac
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
2 times, most recently
from
b757ba9 to
620dc78
Compare
|
/packit build |
|
Account lhellebr has no write access nor is author of PR! |
|
/packit build |
1 similar comment
|
/packit build |
adamruzicka
left a comment
adamruzicka
left a comment
There was a problem hiding this comment.
The N-2 support needs to be handled, otherwise lgtm
| def ca_pubkey | ||
| get('ca_pubkey')&.strip | ||
| rescue => e | ||
| raise ProxyException.new(url, e, N_('Unable to fetch CA public key')) |
There was a problem hiding this comment.
This could be problematic. We should support running with N-2 proxies, which may not have the ca_pubkey endpoint at all. Either we could treat 404s as not an error or have different behaviour based on the version of the proxy.
There was a problem hiding this comment.
Would returning nil instead of throwing exception suffice? Rest of the application logic treats nil as unset CA pubkey and proceeds with the standard pubkey.
There was a problem hiding this comment.
I would prefer not using a catch-all like this to prevent masking real issues.
There was a problem hiding this comment.
CC @lhellebr change of behavior: if capsule does not have the ca_pubkey endpoint due to older version, nil ca_pubkey is returned instead of erroring out.
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
620dc78 to
b528a23
Compare
pr-processor
bot
added
Needs re-review
and removed
Waiting on contributor
Needs re-review
labels
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
b528a23 to
38a2724
Compare
| def ca_pubkey | ||
| get('ca_pubkey')&.strip | ||
| rescue RestClient::ResourceNotFound => e | ||
| Foreman::Logging.exception("Unable to fetch CA public key", e) |
There was a problem hiding this comment.
nitpick:
On my dev setup, this generates roughly 110 lines in the logs which is a bit excessive for a non-error case. I'd be fine with this being silent or just logging a single line
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
38a2724 to
d0139f6
Compare
There was a problem hiding this comment.
Pull request overview
This pull request introduces SSH Certificate Authority (CA) support for Foreman Remote Execution, allowing SSH proxies to use CA-signed certificates for authentication instead of individual public keys.
- Adds database column and API support for storing CA public keys on SmartProxy models
- Implements logic to use CA keys when available and exclude regular SSH keys from proxies with CA configured
- Extends host parameters to include SSH CA keys alongside regular SSH keys with proper merging from both proxies and host-level parameters
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| db/migrate/20250606125543_add_ca_pub_key_to_smart_proxy.rb | Adds ca_pubkey column to smart_proxies table |
| app/views/api/v2/smart_proxies/ca_pubkey.json.rabl | Exposes CA public key via API as remote_execution_ca_pubkey |
| lib/foreman_remote_execution/plugin.rb | Registers the new CA pubkey RABL template extension |
| app/lib/proxy_api/remote_execution_ssh.rb | Implements ca_pubkey API method to fetch CA public key from smart proxy |
| app/models/concerns/foreman_remote_execution/smart_proxy_extensions.rb | Adds ca_pubkey getter and update_ca_pubkey method to SmartProxy model |
| app/models/concerns/foreman_remote_execution/host_extensions.rb | Adds remote_execution_ssh_ca_keys method and modifies key handling to exclude regular keys when CA is configured |
| test/unit/concerns/host_extensions_test.rb | Adds comprehensive test coverage for SSH CA key functionality including parameter merging and proxy behavior |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
af3052e to
faefe6e
Compare
|
Updated based on copilot feedback. |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
faefe6e to
961df7e
Compare
|
Thank you @adamlazik1 ! |
3 participants
No description provided.