Bug
Resolution: Unresolved
Normal
6.18.0
False
sat-artemis
Likely not a regression.
Description of problem:
When testing a custom CDN that is actually a Red Hat CDN but one other than cdn.redhat.com, `hammer organization configure-cdn --custom-cdn-auth-enabled=true ...` does not pass CDN certificates from the Product into the Pulp remote. This causes repo syncing to fail with 403s.
How reproducible:
100%
Is this issue a regression from an earlier version:
No.
Steps to Reproduce:
1. Import a stage manifest
2. `hammer content-credential create --organization-id 1 --name "RH CA" --content-type cert --path /etc/rhsm/ca/redhat-uep.pem`
3. `hammer organization configure-cdn --custom-cdn-auth-enabled=true --id 1 --type custom_cdn --url https://cdn.stage.redhat.com --ssl-ca-credential-id 1`
4. Sync a repo
5. Check sync results
Actual behavior:
Sync fails
Expected behavior:
Sync works
Business Impact / Additional info:
To fix:
diff --git a/app/services/katello/pulp3/repository.rb b/app/services/katello/pulp3/repository.rb index 4fe53b8190..649795cda3 100644 --- a/app/services/katello/pulp3/repository.rb +++ b/app/services/katello/pulp3/repository.rb @@ -507,10 +507,16 @@ module Katello client_key: root.product.key, ca_cert: Katello::Repository.feed_ca_cert(root.url), } - elsif root.redhat? && root.cdn_configuration.custom_cdn? + elsif root.redhat? && root.cdn_configuration.custom_cdn? && !root.cdn_configuration.custom_cdn_auth_enabled? options = { ca_cert: root.cdn_configuration.ssl_ca, } + elsif root.redhat? && root.cdn_configuration.custom_cdn? && root.cdn_configuration.custom_cdn_auth_enabled? + options = { + client_cert: root.product.certificate, + client_key: root.product.key, + ca_cert: root.cdn_configuration.ssl_ca, + } elsif root.redhat? && root.cdn_configuration.network_sync? options = { client_cert: root.cdn_configuration.ssl_cert,
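Review bot: The two `elsif root.redhat? && root.cdn_configuration.custom_cdn?` branches repeat the same condition, once with `custom_cdn_auth_enabled?` negated and once asserted, and both set the same `ca_cert`. A single custom_cdn branch that always sets `ca_cert: root.cdn_configuration.ssl_ca` and adds `client_cert` and `client_key` only when `custom_cdn_auth_enabled?` is true would remove the duplication and keep the two paths from drifting apart. In the new auth-enabled branch, `root.product.certificate` and `root.product.key` are passed to the remote with no visible check that they are present, so a product without entitlement certificates would produce a remote with empty client credentials. Consider guarding that case, and note in a comment that enabling this flag presents the product's entitlement key to the configured custom CDN URL. A test covering both values of the flag would help here.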