Bug 2024968

Summary: [RFE] Expose parameter trusted_proxies on satellite-installer
Product: Red Hat Satellite Reporter: Joniel Pasqualetto <jpasqual>
Component: InstallationAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA QA Contact: Gaurav Talreja <gtalreja>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.9.0CC: dsinglet, ehelms, gtalreja
Target Milestone: 6.12.0Keywords: FutureFeature, Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-16 13:33:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joniel Pasqualetto 2021-11-19 15:38:30 UTC 
Description of problem:

After the removal of the setting remote_addr, customer that used that feature need to add the parameter trusted_proxies on /etc/foreman/settings.yaml.

This works, but there's no way to make that permanent and satellite-installer overwrites the settings.yaml on every execution.

Version-Release number of selected component (if applicable):


Actual results: 

Not being able to use this feature, some provisioning deployments involving capsules and user-data won't work due to Satellite not being able to identify the source IP of the VM.

Expected results:

A way to specify a list of trusted_proxies that may be forward requests to Satellite.

Additional info:
Comment 1 Eric Helms 2022-05-19 13:51:10 UTC 
This will be available when Satellite 6.11.0 is released.
Comment 2 Brad Buckingham 2022-07-18 23:45:01 UTC 
Based upon comment 1, aligning to 6.12.
Comment 3 Gaurav Talreja 2022-09-23 17:59:48 UTC 
Verified.

Tested on Satellite 6.12.0 Snap 11.0
Version: foreman-installer-3.3.0.3-1.el8sat.noarch

Steps:
1. # satellite-installer --foreman-trusted-proxies 127.0.0.1/8 --foreman-trusted-proxies ::1 --foreman-trusted-proxies <ip-address-of-eth0-on-capsule>

2. # cat /etc/foreman/settings.yaml | grep -A3 trusted
# List of trusted IPs / networks. Default: IPv4 and IPV6 localhost addresses.
# If overwritten, localhost addresses (127.0.0.1/8, ::1) need to be in trusted_proxies IP list.
# More details: https://api.rubyonrails.org/classes/ActionDispatch/RemoteIp.html
:trusted_proxies:
 - '127.0.0.1/8'
 - '::1'
 - '<ip-address-of-eth0-on-capsule>'

Observation:
satellite-installer includes following trusted_proxies in settings file after execution, which unblocks traffic through capsule for satellite provisioning.
Comment 7 errata-xmlrpc 2022-11-16 13:33:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.12 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8506