  1. Satellite
  2. SAT-33259

Implement Certificate-Based Authentication for Container Content on Capsule


    • Epic
    • Resolution: Done
    • Normal
    • 6.18.0
    • None
    • None
    • Implement Certificate-Based Authentication for Container Content on Capsule
    • In Progress
    • False
    • sat-artemis
    • Feature
    • .Configure Capsule to distribute Flatpak repositories

      You can now configure Capsule Servers to synchronize and distribute Flatpak repositories to managed hosts using certificate authentication.
      Hosts can add Capsule as a container registry or a Flatpak remote, authenticate with the registry using certificates, and install applications such as Mozilla Firefox directly from the synchronized repositories.
      Lifecycle management of Flatpak and container content is supported only when using certificate authentication.
    • Done

      Goal:

      • Today we only support basic Username/Password authentication for container content via Capsule registry.
      • The goal of this epic is to allow clients to authenticate and access content using the rhsm consumer certs that we also use for yum content.
      • We will also continue supporting username/pwd auth for clients, new and old.
      • Podman has had support for container certs for a while, which means the podman client is able to serve the certs with the requests to a registry. Flatpak introduces similar support in RHEL 10, which means we can support this for RHEL 10 clients.

      Also check this: https://docs.google.com/document/d/1TUj3FKUM-noiAtaqSacIfS2iLC2FY4C0O0mZIkp_6Fg/edit?tab=t.0

      Proposed solution: 

      https://community.theforeman.org/t/enable-cert-authentication-for-container-content-flatpaks/42955 

      1. Allow users to set up cert auth for container content on their clients. This can be done via a remote job/registration template on managed hosts. Investigate using entitlement cert instead of consumer certs.

      2. Enhance proxy registry to be able to support cert auth for clients.

      Acceptance Criteria:

      1. As a registered host, I don't need to podman login to access container repositories on the capsule.
      2. As a registered host, I don't need to podman login to access flatpak index on the capsule.
      3. See https://issues.redhat.com/browse/SAT-29028 for:
        a) As a registered host, I can only access podman content in my content view environment(s) on the capsule. 
        b) As a registered host, I can only access flatpak content in my content view environment(s) on the capsule.
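
Added example (not from this ticket or from the Satellite/Katello code base) of the client-side setup in step 1 of the proposed solution: linking a registered host's consumer certificate into podman's per-registry certificate directory so that no `podman login` is needed. The certificate, key and CA paths, the hostname `capsule.example.com`, and the function name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Satellite/Katello code. Default paths are assumptions:
# the usual RHSM consumer identity and Katello CA locations on a registered host.
CONSUMER_CERT=${CONSUMER_CERT:-/etc/pki/consumer/cert.pem}
CONSUMER_KEY=${CONSUMER_KEY:-/etc/pki/consumer/key.pem}
SERVER_CA=${SERVER_CA:-/etc/rhsm/ca/katello-server-ca.pem}
CERTS_D=${CERTS_D:-/etc/containers/certs.d}

# setup_registry_cert_auth REGISTRY   (hypothetical helper)
# Links the consumer identity into podman's per-registry certificate directory
# (containers-certs.d(5): *.crt = CA, matching *.cert / *.key = client pair).
setup_registry_cert_auth() {
    registry=$1
    # The registry name becomes a directory name: accept host[:port] only.
    case $registry in
        ''|*/*|.*) echo "invalid registry name: '$registry'" >&2; return 2 ;;
    esac
    for f in "$CONSUMER_CERT" "$CONSUMER_KEY" "$SERVER_CA"; do
        [ -r "$f" ] || { echo "cannot read $f (is the host registered?)" >&2; return 3; }
    done
    # Refuse a private key that group or others can access.
    perms=$(ls -ldL "$CONSUMER_KEY" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "$CONSUMER_KEY is accessible to group/others ($perms)" >&2
        return 4
    }
    dir=$CERTS_D/$registry
    mkdir -p "$dir" || return 5
    # Symlinks rather than copies, so a regenerated identity is not left stale.
    ln -sf "$CONSUMER_CERT" "$dir/client.cert" &&
    ln -sf "$CONSUMER_KEY"  "$dir/client.key"  &&
    ln -sf "$SERVER_CA"     "$dir/ca.crt" || return 5
}

# Usage on a managed host (capsule.example.com is a placeholder):
#   setup_registry_cert_auth capsule.example.com
```

The same function could be delivered through a remote job or registration template, as the proposed solution suggests.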

              rhn-engineering-sajha Samir Jha
              rhn-engineering-sajha Samir Jha
              Vladimír Sedmík Vladimír Sedmík
              Brian Angelica Brian Angelica