Bug 1114083

Summary: [RFE] Capsule should support running behind a proxy
Product: Red Hat Satellite Reporter: Corey Welton <cwelton>
Component: Foreman ProxyAssignee: Eric Helms <ehelms>
Status: CLOSED WONTFIX QA Contact: Katello QA List <katello-qa-list>
Severity: high Docs Contact: David O'Brien <daobrien>
Priority: unspecified    
Version: 6.0.3CC: bbuckingham, bkearney, daobrien, jsherril, mmccune, mmurray, xdmoon
Target Milestone: UnspecifiedKeywords: FutureFeature, Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-16 18:26:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Corey Welton 2014-06-27 16:41:49 UTC 
Description of problem:
Similar to bug# 1083818, we probably need proxy config flags for capsule-installer.

Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140626.1


Steps to Reproduce:
1. katello-installer --help|grep proxy
2. capsule-installer --help|grep proxy
3. view results

Actual results:
[root@qeblade6 ~]# katello-installer --help|grep proxy
    --capsule-foreman-proxy-port  Port on which will foreman proxy listen (default: 9090)
    --capsule-realm-keytab        Kerberos keytab path to authenticate realm updates (default: "/etc/foreman-proxy/freeipa.keytab")
    --capsule-realm-principal     Kerberos principal for realm updates (default: "realm-proxy")
    --capsule-register-in-foreman  Register proxy back in Foreman (default: true)
    --katello-proxy-password      Proxy password for authentication (default: nil)
    --katello-proxy-port          Port the proxy is running on (default: nil)
    --katello-proxy-url           URL of the proxy server (default: nil)
    --katello-proxy-username      Proxy username for authentication (default: nil)

[root@cloud-qe-22 ~]# capsule-installer --help |grep proxy
    --foreman-proxy-port          Port on which will foreman proxy listen (default: 9090)
    --realm-keytab                Kerberos keytab path to authenticate realm updates (default: "/etc/foreman-proxy/freeipa.keytab")
    --realm-principal             Kerberos principal for realm updates (default: "realm-proxy")
    --register-in-foreman         Register proxy back in Foreman (default: true)


Expected results:
capsule-installer should have proxy flags too, perhaps

Additional info:
WORKAROUND: Sync capsule stuff on a satellite and install from there.  it seems unlikely a customer would need to proxy on their internal network?  Product Management feedback welcome.  In any case, though, installing capsule from content synced onto a satellite is a known entity and works pretty well.
Comment 2 Mike McCune 2014-08-14 14:04:31 UTC 
WORKAROUND:

The user can manually configure the Pulp proxy settings if they have a http proxy between their Capsule and their Satellite.
Comment 3 Mike McCune 2014-08-27 01:38:09 UTC 
WORKAROUND2 WITH MORE DETAIL:

The capsule can be configured to use a specific proxy for all repositories by adding the following settings to the following files:

/etc/pulp/server/plugins.conf.d/iso_importer.json
/etc/pulp/server/plugins.conf.d/puppet_importer.json
/etc/pulp/server/plugins.conf.d/yum_importer.json


{
 "proxy_host" : "<url>",
 "proxy_port" : <port>,
 "proxy_username" : "<username>",
 "proxy_password" : "<password>"
}

Note:

These are a JSON files, so care must be taken when editing these fields.  The file must also contain *ALL* the above values even if the proxy does not require a username or password.  If it does not require a username or password just use:

 "proxy_username" : "",
 "proxy_password" : ""

Once these files are created in the above location the user must restart all capsule related services
Comment 5 Eric Helms 2014-10-29 12:56:52 UTC 
Support for this requires a full feature implementation. If we were to provide proxy options for a Capsule for just the Pulp part, and a user were to lockdown their Capsule's communication to only outbound port 80 they could break other functionality. I have outlined this feature here - http://projects.theforeman.org/projects/katello/wiki/CapsuleCommunication
Comment 6 Mike McCune 2014-10-31 16:02:43 UTC 
Note: Even with the WORKAROUND in comment #3 if the user's capsule has restricted communications between the Capsule and the Satellite the settings outlined in #3 are not sufficient to have a proxy sit between the Capsule and the Satellite.

See comment #5 for more information.
Comment 7 Justin Sherrill 2015-03-20 14:37:16 UTC 
My vote is to close this as WONT_FIX IMHO.  The whole premise is that the capsule can communicate with the Satellite.  We really don't want to go down this road.
Comment 8 David O'Brien 2015-06-16 05:50:28 UTC 
Does this still require a rel note for 6.1 and if so has it changed at all from what's listed here?

thanks
Comment 9 Bryan Kearney 2016-02-16 18:26:47 UTC 
We are not planning to fix this. If this is an issue, please feel free to re-open with a specific business justification.