We had discussed base64 encoding the cert in the webserver on the way in
and then letting cert guard decode it. While that's not ideal I think
it has some advantages over moving the full auth into the webserver.
What was your motivation for going with that approach over the base64
encoding approach?

On 3/11/20 2:11 PM, Brian Bouterse wrote:

tl;dr: What we have today cannot work with rhsm certificates which
Katello uses. To resolve, we need to have content guard checking moved
to the webserver configs for apache and nginx and not done in
pulp-content as it is today. https://pulp.plan.io/issues/6323

We need to bring the auth to where TLS is terminated because we can't
bring the client certs to pulp-content due to invalid header
characters. As is, pulp-certguard cannot work with Katello's cert
types (rhsm certs) so that is driving my changes.

If anyone has major concerns or other ideas please let me know. In the
meantime I'm proceeding moving the authorization to the webserver and
then updating pulp-certguard to work with that. This will make
pulp-certguard's GA tied to pulpcore 3.3.0. Feedback is welcome.

[0]: https://pulp.plan.io/issues/6323

Thanks,
Brian
_______________________________________________
Pulp-dev mailing list
Pulp-dev@redhat.com
https://www.redhat.com/mailman/listinfo/pulp-dev
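
The base64 approach raised in the reply above, sketched as an added example; it is not code from this thread or from pulp-certguard. It assumes the invalid header characters are the PEM line breaks; the function names, the size cap and the sample PEM (framing around placeholder bytes, not a real certificate) are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample: PEM framing around placeholder bytes, not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed placeholder DER bytes " * 4).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

# CR, LF and NUL may not appear inside an HTTP header field value.
_HEADER_FORBIDDEN = re.compile(r"[\r\n\x00]")
_PEM_RE = re.compile(
    r"\A-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+-----END CERTIFICATE-----\n?\Z"
)
MAX_HEADER_LEN = 16 * 1024  # assumed cap on the encoded header value


def header_safe(value: str) -> bool:
    """True if the value contains no character that breaks header framing."""
    return _HEADER_FORBIDDEN.search(value) is None


def encode_for_header(pem: str) -> str:
    """Stand-in for the step the TLS-terminating webserver would perform."""
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


def decode_from_header(value: str) -> str:
    """Application side: strict decode, rejecting anything that is not framed PEM."""
    if len(value) > MAX_HEADER_LEN:
        raise ValueError("header value too large")
    try:
        raw = base64.b64decode(value, validate=True)  # no stray characters allowed
    except (binascii.Error, ValueError) as exc:
        raise ValueError("header value is not valid base64") from exc
    try:
        pem = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("decoded value is not ASCII") from exc
    if not _PEM_RE.match(pem):
        raise ValueError("decoded value is not a PEM certificate")
    return pem
```

Decoding only recovers the certificate text; the application can rely on it only if the webserver overwrites any copy of the header sent by the client before forwarding the request.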