Add rex cockpit integration support #748
Conversation
This adds --foreman-plugin-remote-execution-cockpit boolean option to add support for cockpit installation. It enables foreman-cockpit.service (comming from rubygem-foreman_remote_execution-cockpit package), that provides the backend service for the cockpit tunel, and configures the settings and authentication for the whole setup to work.
manifests/plugin/remote_execution.pp
Outdated
| # $cockpit:: Install cockpit support | ||
| # | ||
| class foreman::plugin::remote_execution ( | ||
| Boolean $cockpit = $::foreman::plugin::remote_execution::params::cockpit, |
There was a problem hiding this comment.
It's ok not to inherit if it's a trivial parameter.
manifests/plugin/remote_execution.pp
Outdated
| } | ||
| } | ||
|
|
||
| package { $cockpit_package: |
There was a problem hiding this comment.
You can replace this with foreman::plugin { 'remote_execution-cockpit': } and drop the whole package name determination.
manifests/plugin/remote_execution.pp
Outdated
| service { 'foreman-cockpit': | ||
| ensure => running, | ||
| enable => true, | ||
| hasstatus => true, |
There was a problem hiding this comment.
This defaults to true since puppet 2.7 and can be dropped:
| hasstatus => true, |
manifests/plugin/remote_execution.pp
Outdated
| ensure => running, | ||
| enable => true, | ||
| hasstatus => true, | ||
| hasrestart => true, |
There was a problem hiding this comment.
Same here
| hasrestart => true, |
| ssl_content => template('foreman/cockpit-apache-ssl.conf.erb'), | ||
| } | ||
|
|
||
| foreman_config_entry { 'remote_execution_cockpit_url': |
There was a problem hiding this comment.
Why does this need to be configured? Isn't this the default and can we rely on that?
There was a problem hiding this comment.
The default config is null and it actually determines whether the cockpit integration is enabled or not.
There was a problem hiding this comment.
Since /webcon is repeated a few times, perhaps this should be a variable? Doesn't have to be a class parameter but it's a good way to show that they're the same thing.
| ### File managed with puppet ### | ||
|
|
||
| <Location /webcon> | ||
| LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so |
There was a problem hiding this comment.
Please don't use LoadModule this way. In the class you should include apache::mod::proxy_wstunnel.
|
|
||
| <Location /webcon> | ||
| LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so | ||
| LoadModule proxy_http_module modules/mod_proxy_http.so |
There was a problem hiding this comment.
Same here with include apache::mod::proxy_http
Co-Authored-By: Ewoud Kohl van Wijngaarden <ewoud@kohlvanwijngaarden.nl>
Co-Authored-By: Ewoud Kohl van Wijngaarden <ewoud@kohlvanwijngaarden.nl>
|
Ready for review again |
| @@ -0,0 +1,11 @@ | |||
| ### File managed with puppet ### | |||
|
|
|||
| <Location /<%= scope.lookupvar("cockpit_subpath") %>> | |||
There was a problem hiding this comment.
It's in the local scope so this is sufficient:
| <Location /<%= scope.lookupvar("cockpit_subpath") %>> | |
| <Location /<%= @cockpit_subpath %>> |
|
|
||
| RewriteEngine On | ||
| RewriteCond %{HTTP:Upgrade} =websocket [NC] | ||
| RewriteRule /<%= scope.lookupvar("cockpit_subpath") %>/(.*) ws://127.0.0.1:9999/<%= scope.lookupvar("cockpit_subpath") %>/$1 [P] |
There was a problem hiding this comment.
| RewriteRule /<%= scope.lookupvar("cockpit_subpath") %>/(.*) ws://127.0.0.1:9999/<%= scope.lookupvar("cockpit_subpath") %>/$1 [P] | |
| RewriteRule /<%= @cockpit_subpath %>/(.*) ws://127.0.0.1:9999/<%= @cockpit_subpath %>/$1 [P] |
| RewriteCond %{HTTP:Upgrade} =websocket [NC] | ||
| RewriteRule /<%= scope.lookupvar("cockpit_subpath") %>/(.*) ws://127.0.0.1:9999/<%= scope.lookupvar("cockpit_subpath") %>/$1 [P] | ||
| RewriteCond %{HTTP:Upgrade} !=websocket [NC] | ||
| RewriteRule /<%= scope.lookupvar("cockpit_subpath") %>/(.*) http://127.0.0.1:9999/<%= scope.lookupvar("cockpit_subpath") %>/$1 [P] |
There was a problem hiding this comment.
| RewriteRule /<%= scope.lookupvar("cockpit_subpath") %>/(.*) http://127.0.0.1:9999/<%= scope.lookupvar("cockpit_subpath") %>/$1 [P] | |
| RewriteRule /<%= @cockpit_subpath %>/(.*) http://127.0.0.1:9999/<%= @cockpit_subpath %>/$1 [P] |
| @@ -0,0 +1,14 @@ | |||
| [WebService] | |||
| LoginTitle = Foreman Cockpit | |||
| UrlRoot = /<%= scope.lookupvar("cockpit_subpath") %>/ | |||
There was a problem hiding this comment.
| UrlRoot = /<%= scope.lookupvar("cockpit_subpath") %>/ | |
| UrlRoot = /<%= @cockpit_subpath %>/ |
| include ::foreman::plugin::tasks | ||
| include apache::mod::proxy_wstunnel |
There was a problem hiding this comment.
Can you move this into the if $cockpit block?
| $cockpit_subpath = 'webcon' | ||
|
|
||
| if $cockpit { | ||
| if $::osfamily != 'RedHat' { |
There was a problem hiding this comment.
I'm a bit on the fence about this. Is there a reason why it can't work on Debian?
| enable => true, | ||
| } | ||
|
|
||
| file { '/etc/foreman/cockpit/cockpit.conf': |
There was a problem hiding this comment.
If the package creates /etc/foreman/cockpit then it also needs a require on Foreman::Plugin['remote_execution-cockpit']. Otherwise you need to ensure the directory exists.
|
Unfortunately, my focus has already shifted quite far from this PR, therefore I would suggest someone else to pick this up to finish the comments. @ekohl with you Puppet experience, it seems like it might be quite low hanging fruit for you to shape it the way you need? Otherwise, reaching to @ares to try to find another set of hands for this one. It could be good also for actually sharing some knowledge about this functionality. |
|
Not sure if this helps, but I was able with @adamruzicka help to install theforeman/foreman-packaging#3816 and patch it with this PR and cockpit seems to work correctly. Hopefully this will be merged soon, as this is last step from developer side of work, for now. |
| @@ -0,0 +1,4 @@ | |||
| :foreman_url: <%= scope.lookupvar("foreman::foreman_url") %> | |||
| :ssl_ca_file: <%= scope.lookupvar("foreman::client_ssl_ca") %> | |||
There was a problem hiding this comment.
I'm picking this up, but why are these needed? From reading the docs this appears to be to connect back to Foreman. It's not guarantees these certs actually work for that. When connecting to Foreman itself you should use the server CA.
Since you're moving away from Foreman, should I pick this up with @adamruzicka?
There was a problem hiding this comment.
ack on that, it should probably be the server ca
There was a problem hiding this comment.
Thanks for taking over this.
|
Replaced by #760 |
This adds --foreman-plugin-remote-execution-cockpit boolean option to
add support for cockpit installation.
It enables foreman-cockpit.service (comming from
rubygem-foreman_remote_execution-cockpit package), that provides the
backend service for the cockpit tunel, and configures the settings
and authentication for the whole setup to work.
Requires:
When testing, SELinux needs to be disabled for now, as there are rules missing
for the foreman-cockpit service to work in enforcing mode.