Epic
Resolution: Done
Blocker
Flatpak Support for Provisioning: Implement Certificate-Based Authentication for Container Content
In Progress
3.16
False
sat-artemis
Goal:
- Today we only support basic Username/Password authentication for container content via Satellite registry.
- The goal of this epic is to allow clients to authenticate and access content using the rhsm consumer certs that we also use for yum content.
- We will also continue supporting username/pwd auth for clients, new and old.
- podman has supported container certs for a while, which means the podman client is able to present the certs with its requests to a registry. Flatpak introduces similar support in RHEL 10, which means we can support this for RHEL 10 clients.
Also check this: https://docs.google.com/document/d/1TUj3FKUM-noiAtaqSacIfS2iLC2FY4C0O0mZIkp_6Fg/edit?tab=t.0
Proposed solution:
https://community.theforeman.org/t/enable-cert-authentication-for-container-content-flatpaks/42955
1. Allow users to set up cert auth for container content on their clients. This can be done via a remote job/registration template on managed hosts. Investigate using entitlement cert instead of consumer certs.
2. Enhance katello registry to be able to authenticate client requests.
3. Enhance proxy registry to be able to support cert auth for clients.
4. To support unattended installs:
a) The Katello_rhsm_consumer script will be enhanced to `flatpak remote add satellite-hostname`, create the container cert directory and place the katello-server_ca.cert in it.
b) Anaconda will then place the consumer certs in the same directory, i.e. /etc/containers/certs.d/sat_hostname
Ex: /etc/containers/certs.d/centos9-katello-devel2.sajha.example.com/
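The directory layout described in steps 4a and 4b, as an added example (not the Katello_rhsm_consumer script or the registration template): a helper that builds the per-registry directory under /etc/containers/certs.d from an assumed CA bundle and an assumed RHSM consumer cert/key pair, and a second helper that checks the result the way a provisioning template would want to before the first pull. The file names follow the containers-certs.d(5) convention the podman client reads: a `.crt` file is a CA certificate, while a `.cert` file is a client certificate and must have a `.key` file with the same base name beside it, so a CA dropped in under a `.cert` name would be misread as a client cert with no key. The root prefix, registry name and source paths are parameters chosen for the example, not values from the page.

```shell
#!/bin/sh
# Added example, not Katello's own code. Lays out one registry's directory
# under <root>/etc/containers/certs.d/<registry> as podman and flatpak expect:
#   ca.crt       - server CA (only *.crt files are read as CAs)
#   client.cert  - consumer certificate presented to the registry
#   client.key   - private key for client.cert (same base name is required)
# <root> exists so the example can be run against a scratch tree; use "" for /.
setup_container_certs() {
  root="$1"; registry="$2"; ca_src="$3"; cert_src="$4"; key_src="$5"
  dir="$root/etc/containers/certs.d/$registry"
  mkdir -p "$dir" || return 1
  cp "$ca_src" "$dir/ca.crt" || return 1
  cp "$cert_src" "$dir/client.cert" || return 1
  cp "$key_src" "$dir/client.key" || return 1
  chmod 0644 "$dir/ca.crt" "$dir/client.cert" || return 1
  chmod 0600 "$dir/client.key" || return 1   # key must not be world-readable
  printf '%s\n' "$dir"
}

# Checks a finished directory: at least one CA (*.crt), at least one client
# cert, and every *.cert has a matching *.key that is mode 0600.
# Returns 0 when the layout is usable for cert auth, 1 otherwise.
check_container_certs() {
  dir="$1/etc/containers/certs.d/$2"
  [ -d "$dir" ] || return 1
  have_ca=0
  for ca in "$dir"/*.crt; do
    [ -f "$ca" ] && have_ca=1
  done
  [ "$have_ca" -eq 1 ] || return 1
  for cert in "$dir"/*.cert; do
    [ -f "$cert" ] || return 1          # glob did not match: no client cert
    key="${cert%.cert}.key"
    [ -f "$key" ] || return 1           # podman will not send a cert without its key
    perm=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$perm" = "600" ] || return 1
  done
  return 0
}

# Stand-alone use: setup_container_certs.sh <root> <registry> <ca> <cert> <key>
if [ "$#" -eq 5 ]; then
  setup_container_certs "$@" >/dev/null \
    && check_container_certs "$1" "$2" \
    && echo "certs.d layout for $2 is complete"
fi
```

Running the check after the consumer certs land (step 4b) catches the two failure modes that otherwise only show up as an opaque 401 from the registry: a client cert copied in without its key, and a CA file saved under a suffix podman does not treat as a CA.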
Acceptance Criteria:
- As a user, I can easily set up certs in the /etc/containers/certs.d/centos9-katello-devel2.sajha.example.com/ directory via:
a) Global registration
b) REX template
c) Provisioning template
- As a registered host, I don't need to podman login to access container repositories on the satellite server.
- As a registered host, I don't need to podman login to access the flatpak index on the satellite server.
- As a registered host, I can only access podman content in my content view environment(s) on the satellite server.
- As a registered host, I can only access flatpak content in my content view environment(s) on the satellite server.
- As a registered host, I don't need to podman login to access container repositories on the capsule.
- As a registered host, I don't need to podman login to access the flatpak index on the capsule.
- See https://issues.redhat.com/browse/SAT-29028 for:
a) As a registered host, I can only access podman content in my content view environment(s) on the capsule.
b) As a registered host, I can only access flatpak content in my content view environment(s) on the capsule.
Is related to: SAT-33259 Implement Certificate-Based Authentication for Container Content on Capsule (Release Pending)
Relates to: RHEL-85004 Avoid the need of `podman login` when accessing Red Hat Flatpak Registry (In Progress)