
Conversation


@evgeni evgeni commented Nov 19, 2025

No description provided.

name: foreman-proxy
state: restarted

- name: Refresh Foreman Proxy
@evgeni (Member, Author):

This gets executed too early on fresh installs. Damn.

Comment on lines +9 to +19
name: foreman-proxy-remote_execution_ssh-ssh-key
path: /root/foreman-proxy-ssh
notify:
- Restart Foreman Proxy
- Refresh Foreman Proxy

- name: Create SSH Pub podman secret
containers.podman.podman_secret:
state: present
name: foreman-proxy-remote_execution_ssh-ssh-pub
path: /root/foreman-proxy-ssh.pub
@Gauravtalreja1 commented Nov 20, 2025:

These two tasks can be consolidated into a loop to create the SSH key/pub secrets, which will also ensure the handler runs only once, OR just run the handler when SSH secrets are mounted to the container.

@evgeni (Member, Author):

Handlers run only once, no matter how often they are notified.

- name: Create SSH Key podman secret
containers.podman.podman_secret:
state: present
name: foreman-proxy-remote_execution_ssh-ssh-key

Suggested change:

-    name: foreman-proxy-remote_execution_ssh-ssh-key
+    name: foreman-proxy-remote_execution_ssh-key

@evgeni evgeni force-pushed the proxy-features branch 4 times, most recently from 6d74c47 to 3ee17bd on December 3, 2025 10:37
@adamruzicka (Contributor) commented:

theforeman/smart_proxy_remote_execution_ssh#128 dropped ssh-async mode, would you include this patch to keep the config file in sync: 0001-Adjust-sp-rex-ssh-config-file-to-async-ssh-removal.patch ?

@adamlazik1 commented:

theforeman/smart_proxy_remote_execution_ssh#126 added new settings for SSH certs, here is a patch that adds the new settings:

diff --git a/src/roles/foreman_proxy/templates/settings.d/remote_execution_ssh.yml.j2 b/src/roles/foreman_proxy/templates/settings.d/remote_execution_ssh.yml.j2
index b7d6402..76ad344 100644
--- a/src/roles/foreman_proxy/templates/settings.d/remote_execution_ssh.yml.j2
+++ b/src/roles/foreman_proxy/templates/settings.d/remote_execution_ssh.yml.j2
@@ -11,6 +11,15 @@
 # Mode of operation, one of ssh, pull, pull-mqtt
 :mode: ssh
 
+# Enables the use of SSH certificate for smart proxy authentication
+# The file should contain an SSH CA public key that the SSH public key of smart proxy is signed by
+# :ssh_user_ca_public_key_file:
+
+# Enables the use of SSH host certificates for host authentication
+# The file should contain a list of trusted SSH CA authorities that the host certs can be signed by
+# Example file content: @cert-authority * <SSH CA public key>
+# :ssh_ca_known_hosts_file:
+
 # Defines how often (in seconds) should the runner check
 # for new data leave empty to use the runner's default
 # :runner_refresh_interval: 1
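Review bot: the two new keys `:ssh_user_ca_public_key_file:` and `:ssh_ca_known_hosts_file:` land in the template only as commented-out placeholders, so the role still offers no way to set them; consider rendering each from a role variable (name to be chosen), guarded so the line is emitted only when that variable is defined, which keeps the rendered file unchanged for existing users. The example line `@cert-authority * <SSH CA public key>` trusts that CA for every hostname; it is worth saying in the comment that the pattern field can be narrowed (for instance to the managed domain) so a host certificate from the CA is accepted only for the hosts it is meant to cover.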

@evgeni (Member, Author) commented Jan 12, 2026:

@adamlazik1 thanks, applied

@adamruzicka (Contributor) commented:

What remains to be done here until this can be undrafted?


5 participants