
@benthomasson
Contributor

SUMMARY
ISSUE TYPE
  • Breaking Change
  • New or Enhanced Feature
  • Bug, Docs Fix or other nominal change
COMPONENT NAME
  • API
  • Collection
  • CLI
  • Docs
  • Other
ADDITIONAL INFORMATION

benthomasson and others added 2 commits January 21, 2026 14:27
Complete implementation of Option 6 (Runtime Certificate-Based Authentication)
integrating validated proof of concept with production Candlepin.

Core Implementation:
- CandlepinCertificateManager with full Candlepin API integration
- Certificate generation using basic auth (validated working approach)
- Secure certificate storage with proper file permissions
- Certificate caching and validation with 7-day renewal threshold
- Health check functionality for monitoring certificate status

Analytics Integration:
- Modified ship() function with certificate-first authentication flow
- Graceful fallback: Certificate → OIDC → Basic auth
- Enhanced error handling and logging for each authentication method
- Maintained 100% backward compatibility with existing auth methods

Configuration:
- Added certificate authentication settings to defaults.py
- Configurable certificate directory, renewal threshold, and Candlepin URL
- Feature flag for enabling/disabling certificate authentication

Security Implementation:
- Certificate directory: 0o700 permissions (owner only)
- Private keys: 0o600 permissions (secure)
- Certificates: 0o644 permissions (readable)
- No new credential requirements - reuses existing Red Hat credentials

Testing Infrastructure:
- Comprehensive test script for certificate generation validation
- File storage and permissions verification
- Certificate caching and health check testing
- Authentication fallback behavior validation

Based on validated production evidence:
- Consumer UUID: f7bf9738-75ae-4b92-8870-744d9f039672
- Red Hat Candlepin Authority certificates (365-day validity)
- Zero customer friction using existing subscription credentials
- Ready for immediate AWX environment testing

Phase 1 Complete: Core integration ready for testing
Next: Phase 2 - Certificate lifecycle management and background renewal

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Comprehensive certificate lifecycle management implementation with automated
renewal, monitoring APIs, CLI tools, and AWX integration.

Background Certificate Renewal:
- renew_analytics_certificates() task with AWX task framework integration
- Threshold-based scheduling using is_run_threshold_reached() pattern
- Intelligent renewal logic with 7-day expiry threshold
- Proper credential management using existing AWX Red Hat credentials
- Activity stream integration and timestamp tracking
- Comprehensive error handling and logging

Enhanced Certificate Management:
- get_certificate_info() for comprehensive certificate details
- force_certificate_renewal() for administrative operations
- Enhanced certificate validation with detailed status reporting
- Certificate details extraction using cryptography library
- Consumer UUID and organization tracking

Configuration Integration:
- AUTOMATION_ANALYTICS_CERTIFICATE_CHECK_INTERVAL setting (24 hours default)
- AUTOMATION_ANALYTICS_LAST_CERTIFICATE_CHECK timestamp tracking
- Integration with AWX settings system and admin UI
- Configurable renewal thresholds and check intervals

CLI Management Commands:
- manage_analytics_certificates command with status/health/renew/generate actions
- JSON output option for programmatic integration
- Verbose logging and colored status output
- Credential handling via command line or AWX settings
- Proper error codes and user-friendly messages

API Monitoring Endpoints:
- /api/v2/analytics/certificate_health/ - Health check for monitoring systems
- /api/v2/analytics/certificate_status/ - Detailed certificate information
- HTTP status codes: 200 (healthy), 503 (critical issues)
- Comprehensive error handling and status reporting
- Integration with analytics root view

Security and Error Handling:
- Secure credential handling using existing AWX frameworks
- Comprehensive error handling with proper recovery
- Certificate file permissions and directory security
- Audit logging for all certificate operations
- No credential leakage in error messages

Production Features:
- Automated daily certificate checks with configurable intervals
- Certificate expiry monitoring with threshold-based renewal
- Administrative tools for manual certificate management
- Monitoring APIs with proper HTTP status codes
- Complete integration with AWX settings and task systems

Phase 2 completes full certificate lifecycle management:
✅ Automated background renewal with intelligent scheduling
✅ Comprehensive monitoring via APIs and CLI tools
✅ Error handling and recovery mechanisms
✅ Security integration with AWX credential systems
✅ Production-ready deployment capabilities

Combined with Phase 1: Complete zero-friction certificate-based authentication
for AWX analytics with full lifecycle management and monitoring.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
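The two commit messages above describe secure certificate storage (directory 0o700, private key 0o600, certificate 0o644), a 7-day renewal threshold and a health endpoint answering 200 or 503. The following is an added illustration of those three rules and is not code from this PR or from AWX; the PEM strings and the reference time are constructed, and `self_check()` exists only so the logic can be exercised offline.

```python
import os
import stat
import tempfile
from datetime import datetime, timedelta, timezone

RENEWAL_THRESHOLD_DAYS = 7  # the commit message's 7-day renewal threshold
EXPECTED_MODES = {"": 0o700, "key.pem": 0o600, "cert.pem": 0o644}


def store_certificate(cert_dir, cert_pem, key_pem):
    """Write key and certificate with the permissions the commit describes."""
    os.makedirs(cert_dir, mode=0o700, exist_ok=True)
    os.chmod(cert_dir, 0o700)  # makedirs is subject to umask; set it explicitly
    paths = {}
    for name, data in (("key.pem", key_pem), ("cert.pem", cert_pem)):
        path = os.path.join(cert_dir, name)
        mode = EXPECTED_MODES[name]
        # Create with a restrictive mode from the start, then pin it exactly
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(data)
        os.chmod(path, mode)
        paths[name] = path
    return paths


def permission_problems(cert_dir):
    """List (path, mode) pairs whose mode bits are wider than allowed."""
    problems = []
    for name, allowed in EXPECTED_MODES.items():
        path = os.path.join(cert_dir, name) if name else cert_dir
        actual = stat.S_IMODE(os.stat(path).st_mode)
        if actual & ~allowed:  # any bit set beyond the allowed mask
            problems.append((path, oct(actual)))
    return problems


def needs_renewal(not_after, now, threshold_days=RENEWAL_THRESHOLD_DAYS):
    """True when the certificate expires within threshold_days or already has."""
    return not_after - now <= timedelta(days=threshold_days)


def health_status(not_after, now):
    """HTTP status for a monitoring endpoint: 503 once expired, else 200."""
    return 503 if not_after <= now else 200


def self_check():
    """Exercise the rules on a temp dir with constructed inputs; return results."""
    now = datetime(2026, 1, 21, tzinfo=timezone.utc)  # constructed reference time
    cert_dir = os.path.join(tempfile.mkdtemp(), "certs")
    paths = store_certificate(cert_dir, "-----BEGIN CERTIFICATE-----\nconstructed\n",
                              "-----BEGIN PRIVATE KEY-----\nconstructed\n")
    clean = permission_problems(cert_dir)
    os.chmod(paths["key.pem"], 0o644)  # simulate a key that became world-readable
    return {"clean": clean, "widened": permission_problems(cert_dir),
            "renew_soon": needs_renewal(now + timedelta(days=3), now),
            "renew_far": needs_renewal(now + timedelta(days=30), now),
            "expired": health_status(now - timedelta(days=1), now),
            "valid": health_status(now + timedelta(days=3), now)}
```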