Flavor: foreman-proxy-content #571

Open
arvind4501 wants to merge 22 commits into theforeman:master from arvind4501:flavor/foreman-proxy-content

@arvind4501 arvind4501 commented Jun 14, 2026

Contributor

Why are you introducing these changes? (Problem description, related links)

What are the changes introduced in this pull request?

  • Add deploy-proxy sub-command to deploy proxy specific flavors (ex: foreman-proxy-content)
  • Add proxy specific parameters to deploy-proxy ex: certs tar file and foreman fqdn
  • Make health checks, post-install tasks, and pull-images flavor-aware instead of hardcoded to katello
  • Support certificate extraction from tar bundles on proxy nodes
  • Add httpd vhosts for proxying Pulp content and RHSM requests
  • Add flavor-specific test directories, --flavor pytest option, and proxy CI job
  • Refactor deploy metadata into reusable obsah includes (_foreman, _foreman_proxy, _pulp, _flavors/katello)

How to test this pull request

  • ./foremanctl deploy

  • ./foremanctl certificate-bundle proxy.example.com to generate bundle

  • ./foremanctl deploy-proxy --flavor foreman-proxy-content --certificate-bundle /path-to-tar --foreman-fqdn quadlet.example.com

  • Observe only relevant services are deployed

Steps to reproduce:

  • ./foremanctl deploy-proxy --flavor foreman-proxy-content --certificate-bundle /path-to-tar --foreman-fqdn quadlet.example.com

Checklist

  • Tests added/updated (if applicable)
  • Documentation updated (if applicable)

@arvind4501 arvind4501 marked this pull request as draft June 15, 2026 05:25
Comment thread src/playbooks/deploy/deploy.yaml Outdated
@arvind4501 arvind4501 force-pushed the flavor/foreman-proxy-content branch 5 times, most recently from 019e1bb to b367887 Compare June 15, 2026 15:18
Comment thread src/playbooks/deploy/deploy.yaml Outdated
Comment thread src/playbooks/deploy/deploy.yaml Outdated
Comment thread src/playbooks/deploy/deploy.yaml Outdated
Comment thread src/playbooks/deploy/metadata.obsah.yaml Outdated
Comment thread src/playbooks/deploy/metadata.obsah.yaml Outdated
Comment thread src/playbooks/deploy/metadata.obsah.yaml Outdated
Comment thread src/playbooks/deploy/metadata.obsah.yaml Outdated
Comment thread src/roles/checks/defaults/main.yml Outdated
Comment thread src/roles/foreman_proxy/defaults/main.yaml
Comment thread src/roles/foreman_proxy/defaults/main.yaml Outdated
Comment thread src/roles/httpd/defaults/main.yml Outdated

ehelms commented Jun 15, 2026

Member

There are definitely some good nuggets of changes that would make for good, go-ahead, stand-alone PRs to get added. This also points to the need for flavor specific parameters that are only shown for a given flavor.

Comment thread src/roles/pulp/defaults/main.yaml Outdated
@arvind4501 arvind4501 requested a review from stejskalleos June 16, 2026 11:45
Comment thread src/playbooks/_foreman_proxy/metadata.obsah.yaml Outdated
Comment thread src/playbooks/_foreman_proxy/metadata.obsah.yaml Outdated
Comment thread src/vars/flavors/foreman-proxy-content.yml
Comment thread Vagrantfile
@ehelms ehelms mentioned this pull request Jun 16, 2026
2 tasks

arvind4501 commented Jun 16, 2026

Contributor Author

I have been facing one issue for which I already have a workaround implemented, but I wanted to know if we should solve it properly?

So we have a static quadlet target in our playbooks (which may be fine for today as it points to localhost), but in CI and development we need to deploy on different servers, not localhost. Currently the workaround is to pass an extra var in the command and use that to determine the host.

What about exposing a --target obsah option to manage that, but the issue is it's visible to users

@arvind4501 arvind4501 force-pushed the flavor/foreman-proxy-content branch from b199850 to 90c6bcf Compare June 16, 2026 16:47
Comment thread src/roles/foreman_proxy/defaults/main.yaml Outdated
Comment thread src/roles/foreman_proxy/defaults/main.yaml
Comment on lines +10 to +17
certificates_bundle:
help: Path to the certificate bundle tar file.
type: AbsolutePath
parameter: --certificate-bundle
persist: false
foreman_name:
parameter: --foreman-fqdn
help: FQDN of the Foreman server this proxy connects to.
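Review bot: `foreman_name` (the last three lines of this hunk) sets neither `type` nor `persist`, while `certificates_bundle` above it sets `type: AbsolutePath` and `persist: false`, so it is not clear from the metadata whether `--foreman-fqdn` is meant to be remembered between runs; state that explicitly. The variable is also named `certificates_bundle` (plural) while its flag is `--certificate-bundle`; one spelling for both would make the option easier to trace. Neither help string says the option is needed on the first deploy-proxy run, which is worth adding since nothing in these lines marks either parameter as required.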

When I ran foremanctl deploy-proxy without the --certificate-bundle or --foreman-fqdn options, it fails with the below error; instead I think it should have thrown a validation error that these are mandatory options, right?

[root@foreman-proxy-server ~]# foremanctl deploy-proxy
.
..
TASK [pulp : Configure Foreman Proxy] *********************************************************************************************************************************************************
fatal: [localhost]: FAILED! =>
    changed: false
    msg: |-
        Failed to connect to Foreman server: DocLoadingError: Could not load data from https://foreman-proxy-server.example.com: 503 Server Error: Service Unavailable for url: https://foreman-proxy-server.example.com/apidoc/v2.json
                          - is your server down?

PLAY RECAP ************************************************************************************************************************************************************************************
localhost                  : ok=126  changed=82   unreachable=0    failed=1    skipped=24   rescued=0    ignored=0

@arvind4501 arvind4501 Jul 1, 2026

Contributor Author

Yes, that might be a concern. Looking at https://obsah.readthedocs.io/en/latest/development.html#constraints there is no way to say "give these params, otherwise deployment won't work" currently. But having said that, I also expect the user to follow the steps for deployment at least the first time. I also wonder if we had such validations in foreman-installer?

@arvind4501 arvind4501 Jul 1, 2026

Contributor Author

Also, we would not want to make the --certificate-bundle or --foreman-fqdn options a hard validation to be present each time we do deploy-proxy. For next runs, if I want to add any feature I would just do foremanctl deploy-proxy --add-feature bmc and expect it to work without any issue

Member

I tend to agree: parameters that are required the first time it ever runs but not necessarily after that are tricky. I think we should look into solving that but as a follow up and not in this initial PR. Please file a GitHub issue with that concern.

Comment on lines +10 to +13
certificates_bundle:
help: Path to the certificate bundle tar file.
type: AbsolutePath
parameter: --certificate-bundle

@Gauravtalreja1 Gauravtalreja1 Jul 1, 2026

When I ran foremanctl deploy-proxy with a random dir/nonexistent --certificate-bundle, it fails with the below error; instead I think it should have thrown a validation error that the file does not exist, or a proper error, right?

[root@foreman-proxy-server ~]# foremanctl deploy-proxy --certificate-bundle ~/mycerts
.
..
TASK [pulp : Configure Foreman Proxy] *********************************************************************************************************************************************************
fatal: [localhost]: FAILED! =>
    changed: false
    msg: |-
        Failed to connect to Foreman server: DocLoadingError: Could not load data from https://foreman-proxy-server.example.com: 503 Server Error: Service Unavailable for url: https://foreman-proxy-server.example.com/apidoc/v2.json
                          - is your server down?

PLAY RECAP ************************************************************************************************************************************************************************************
localhost                  : ok=126  changed=82   unreachable=0    failed=1    skipped=24   rescued=0    ignored=0

@arvind4501 arvind4501 Jul 1, 2026

Contributor Author

I think that's the issue of not passing the fqdn, rather than the certificate bundle. And validation exists for the certificate bundle: https://github.com/theforeman/foremanctl/pull/571/changes#diff-01885bb15c1a59c6f49bbaa057e4d11075238b4bf9ce1968f4cc4c47de259690R8

Member

I think we could look into some better pre-install checks that help fail fast, but as a follow up instead of in this PR. From your testing, checks I think we should consider as a follow up:

  • validating certificate bundle actually exists (and possibly that it's valid)
  • that the foreman-fqdn is reachable

@Gauravtalreja1 Gauravtalreja1 Jul 1, 2026

When I pass --flavor foreman-proxy-content --foreman-fqdn foreman.example.com along with --certificate-bundle ~/mycerts, the validation works to check if the certificate bundle actually exists and deploy-proxy fails with the below error, but validation that foreman-fqdn is reachable still makes sense

TASK [certificates : Check path to certificate tar file exists] *******************************************************************************************************************************
ok: [localhost]

TASK [certificates : Fail if path to certificate tar file does not exist] *********************************************************************************************************************
fatal: [localhost]: FAILED! =>
    changed: false
    msg: 'Path to certificate tar file not found: /root/mycerts'
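
The fail-fast checks proposed in this thread (the bundle exists and is a sane tar archive, the Foreman FQDN is reachable), sketched in Python as an added example; it is not code from this PR, which performs its checks in Ansible roles. The function names, the TCP probe on port 443 and the tar member rules are assumptions, since the bundle layout is not shown on this page.

```python
import os
import socket
import tarfile


def check_bundle(path):
    """Return a list of problems with the bundle at `path` (empty list = OK)."""
    if not os.path.isfile(path):
        return [f"certificate bundle not found or not a regular file: {path}"]
    if not tarfile.is_tarfile(path):
        return [f"certificate bundle is not a tar archive: {path}"]
    problems = []
    with tarfile.open(path) as tar:
        for member in tar.getmembers():
            # Reject names that would land outside the extraction directory.
            if member.name.startswith("/") or ".." in member.name.split("/"):
                problems.append(f"member escapes extraction dir: {member.name}")
            # Certificates and keys are plain files; links and devices are not expected.
            elif not (member.isfile() or member.isdir()):
                problems.append(f"member is a link or special file: {member.name}")
    return problems


def check_foreman(fqdn, port=443, timeout=5, connect=socket.create_connection):
    """Return a list of problems reaching the Foreman server (empty list = OK).

    `connect` is injectable so the check can be exercised without a network.
    """
    if not fqdn:
        return ["--foreman-fqdn was not given"]
    try:
        connect((fqdn, port), timeout).close()
    except OSError as exc:  # covers DNS failure, refusal and timeout
        return [f"cannot reach {fqdn}:{port}: {exc}"]
    return []


def preflight(bundle_path, fqdn, **kwargs):
    """Run both checks and report every problem at once, before any task runs."""
    return check_bundle(bundle_path) + check_foreman(fqdn, **kwargs)


if __name__ == "__main__":
    # Constructed inputs: the path and hostname used in the thread's examples.
    for problem in preflight("/root/mycerts", "foreman.example.com", timeout=2):
        print("preflight:", problem)
```

Collecting all problems into one list means a missing bundle and an unreachable server are reported together rather than one per run.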

Comment thread src/roles/certificate_bundle/tasks/main.yml
@arvind4501 arvind4501 force-pushed the flavor/foreman-proxy-content branch from 56349d9 to bb71f97 Compare July 2, 2026 06:27
@arvind4501 arvind4501 force-pushed the flavor/foreman-proxy-content branch from bb71f97 to b709d6f Compare July 2, 2026 06:33