Create a taskomatic job to refresh the trusted root CAs in ISSv3 #9660

Open
wants to merge 27 commits into base: issv3 from

Conversation

CDellaGiusta
Contributor

@CDellaGiusta CDellaGiusta commented Jan 22, 2025

What does this PR change?

When onboarding a peripheral or a hub, a root certificate might be needed if the two servers do not share a common one. The certificate is transferred during the registration process and stored in the database.

However, this does not alter the system trust configuration. This step cannot be implemented from the web UI/API backend, as Tomcat does not run with the required root privileges.

Therefore, we need to implement a Taskomatic job that checks if new certificates have been added or updated and stores them accordingly in the trusted certificate path.

GUI diff

No difference.

  • DONE

Documentation

  • No documentation needed: only internal and user invisible changes
  • DONE

Test coverage

  • Unit tests were added
  • DONE

Links

Issue(s): https://github.com/SUSE/spacewalk/issues/26180
Port(s):

  • DONE

Changelogs

  • No changelog needed

Re-run a test

  • Re-run test "changelog_test"
  • Re-run test "backend_unittests_pgsql" (Test skipped, there are no changes to test)
  • Re-run test "java_pgsql_tests"
  • Re-run test "schema_migration_test_pgsql"
  • Re-run test "susemanager_unittests"
  • Re-run test "javascript_lint"
  • Re-run test "spacecmd_unittests" (Test skipped, there are no changes to test)

@CDellaGiusta CDellaGiusta requested a review from a team as a code owner January 22, 2025 09:45
@CDellaGiusta CDellaGiusta requested review from rjpmestre and removed request for a team January 22, 2025 09:45
Contributor

👋 Hello! Thanks for contributing to our project.
Acceptance tests will take some time (approx. 1h), please be patient ☕
You can see the progress at the end of this page and at https://github.com/uyuni-project/uyuni/pull/9660/checks
Once tests finish, if they fail, you can check 👀 the cucumber report. See the link at the output of the action.
You can also check the artifacts section, which contains the logs at https://github.com/uyuni-project/uyuni/pull/9660/checks.

If you are unsure the failing tests are related to your code, you can check the "reference jobs". These are jobs that run on a scheduled time with code from master. If they fail for the same reason as your build, it means the tests or the infrastructure are broken. If they do not fail, but yours do, it means it is related to your code.

Reference tests:

KNOWN ISSUES

Sometimes the build can fail when pulling new jar files from download.opensuse.org . This is a known limitation. Given this happens rarely, when it does, all you need to do is rerun the test. Sorry for the inconvenience.

For more tips on troubleshooting, see the troubleshooting guide.

Happy hacking!
⚠️ You should not merge if acceptance tests fail to pass. ⚠️

Contributor

Suggested tests to cover this Pull Request
  • sle_ssh_minion
  • min_salt_migration
  • min_salt_install_with_staging
  • srv_create_repository
  • proxy_register_as_minion_with_script
  • min_deblike_salt
  • allcli_overview_systems_details
  • min_salt_formulas
  • min_project_lotus
  • srv_docker_cve_audit
  • minssh_move_from_and_to_proxy
  • min_salt_install_package
  • srv_monitoring
  • min_salt_openscap_audit
  • minkvm_guests
  • min_monitoring
  • min_recurring_action
  • min_salt_minion_details
  • srv_restart
  • min_rhlike_openscap_audit
  • srv_distro_cobbler
  • srv_payg_ssh_connection
  • min_salt_minions_page
  • srv_enable_sync_products
  • min_deblike_salt_install_package
  • min_empty_system_profiles
  • min_cve_id_new_syntax
  • min_ssh_tunnel
  • allcli_sanity
  • min_move_from_and_to_proxy
  • srv_cobbler_sync
  • min_ansible_control_node
  • min_bootstrap_script
  • allcli_update_activationkeys
  • min_rhlike_monitoring
  • srv_channel_api
  • srv_menu
  • allcli_software_channels_dependencies
  • srv_add_rocky8_repositories
  • srv_check_sync_source_packages
  • srv_change_task_schedule
  • min_cve_audit
  • srv_task_status_engine
  • min_salt_mgrcompat_state
  • min_config_state_channel
  • srv_reportdb
  • srv_delete_channel_from_ui
  • buildhost_bootstrap
  • minssh_salt_install_package
  • allcli_reboot
  • minssh_bootstrap_api
  • proxy_retail_pxeboot_and_mass_import
  • min_rhlike_salt_install_package_and_patch
  • min_deblike_monitoring
  • srv_wait_for_reposync
  • min_deblike_salt_install_with_staging
  • srv_sync_channels
  • min_check_patches_install
  • srv_cobbler_distro
  • min_rhlike_salt
  • min_salt_lock_packages
  • srv_rename_hostname
  • proxy_branch_network
  • min_bootstrap_api
  • minssh_ansible_control_node
  • srv_channels_add
  • srv_virtual_host_manager
  • srv_first_settings
  • allcli_action_chain
  • min_salt_formulas_advanced
  • min_config_state_channel_api
  • srv_power_management
  • srv_clone_channel_npn
  • min_salt_user_states
  • allcli_config_channel
  • srv_sync_products
  • min_virthost
  • min_deblike_openscap_audit
  • min_action_chain
  • min_config_state_channel_subscriptions
  • buildhost_docker_auth_registry
  • srv_handle_software_channels_with_ISS_v2
  • min_timezone
  • buildhost_osimage_build_image
  • srv_advanced_search
  • min_activationkey
  • allcli_software_channels
  • min_bootstrap_reactivation
  • srv_maintenance_windows
  • min_salt_pkgset_beacon
  • proxy_as_pod_basic_tests
  • buildhost_docker_build_image
  • sle_minion
  • min_deblike_ssh
  • min_salt_software_states
  • min_rhlike_ssh
  • minssh_action_chain
  • min_custom_pkg_download_endpoint
  • allcli_system_group
  • proxy_cobbler_pxeboot
  • srv_manage_channels_page
  • min_bootstrap_ssh_key
  • min_retracted_patches
  • min_change_software_channel
  • srv_disable_scheduled_reposync
  • srv_create_fake_repositories
  • srv_sync_fake_channels
  • proxy_container
  • proxy_container_branch_network
  • minssh_tunnel
  • proxy_container_cobbler_pxeboot
  • srv_push_package
  • proxy_container_retail_pxeboot
  • proxy_container_retail_mass_import

@CDellaGiusta CDellaGiusta changed the title ISSv3: Create a taskomatic job to refresh the trusted root CAs Create a taskomatic job to refresh the trusted root CAs in ISSv3 Jan 22, 2025
@CDellaGiusta CDellaGiusta requested a review from mcalmer January 22, 2025 10:08
@CDellaGiusta CDellaGiusta self-assigned this Jan 22, 2025
@CDellaGiusta CDellaGiusta requested a review from mackdk January 23, 2025 11:05
Three resolved review comments on java/code/src/com/suse/manager/hub/HubManager.java (outdated)
Comment on lines 78 to 72
    private void saveCertificate(String fileName, String rootCaCertContent) throws IOException {
        String fullFileName = CertificateUtils.CERTS_PATH.resolve(fileName).toString();
        try (FileWriter fw = new FileWriter(fullFileName, false)) {
            fw.write(rootCaCertContent);
        }
    }
Contributor

We could treat an empty rootCaCertContent as a request to remove the certificate.
Instead of having a file with 0-byte content, we should remove it (if it exists).

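As an added illustration of the job described in the PR description and of the reviewer's suggestion above that empty content should remove the file (example code, not the project's own): a hypothetical helper that writes the received root CAs into the trust-anchor directory, treats empty content as a delete, and refuses anything that does not parse as an X.509 certificate. The class and method names and the CERTS_PATH value are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Map;

/** Hypothetical helper for the Taskomatic job; not the project's CertificateUtils. */
public final class RootCaStoreRefresher {

    // Assumed trust-anchor directory; the project keeps the real one in CertificateUtils.CERTS_PATH.
    static final Path CERTS_PATH = Path.of("/etc/pki/trust/anchors");

    /**
     * Writes each PEM certificate into CERTS_PATH; empty content deletes the file instead
     * of leaving a 0-byte anchor. Returns true when anything changed on disk, which is the
     * signal to rebuild the system trust store (the updateCaCertificates step) afterwards.
     */
    public static boolean saveCertificates(Map<String, String> filenameToRootCaCert)
            throws IOException, CertificateException {
        boolean changed = false;
        for (Map.Entry<String, String> e : filenameToRootCaCert.entrySet()) {
            Path target = resolveSafely(e.getKey());
            String content = e.getValue() == null ? "" : e.getValue().trim();
            if (content.isEmpty()) {
                changed |= Files.deleteIfExists(target);   // removal request
                continue;
            }
            // The job runs as root and whatever lands here is trusted system-wide, so
            // refuse content that does not parse as an X.509 certificate before writing.
            CertificateFactory.getInstance("X.509").generateCertificate(
                    new ByteArrayInputStream(content.getBytes(StandardCharsets.US_ASCII)));
            Files.writeString(target, content + System.lineSeparator());
            changed = true;
        }
        return changed;
    }

    /** Keeps the target inside CERTS_PATH: no subdirectories, no ".." components. */
    static Path resolveSafely(String fileName) {
        Path target = CERTS_PATH.resolve(fileName).normalize();
        if (!CERTS_PATH.equals(target.getParent())) {
            throw new IllegalArgumentException("invalid certificate file name: " + fileName);
        }
        return target;
    }
}
```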

    TaskomaticApi taskomaticApi = new TaskomaticApi();
    try {
        taskomaticApi.scheduleSingleRootCaCertUpdate(filenameToRootCaCertMap);
Contributor

As this task runs in taskomatic, I wonder if we need to call it via the taskomatic API.
I think your idea was already to put the logic into CertificateUtils and call it from here and from RootCaCertUpdateTask.
What has changed your mind?

Contributor Author

Taskomatic API: you're right, my fault. I created a public entry in RootCaCertUpdateTask (saveAndUpdateCaCertificates) and call the stuff from there.
The reason I did not put the logic in CertificateUtils is because updating the certificates calls "executeExtCmd" which is a method of RhnJob class.

Contributor

The reason I did not put the logic in CertificateUtils is because updating the certificates calls "executeExtCmd" which is a method of RhnJob class.

Ahh, right. Let's see if there is a way without going over the network.

@CDellaGiusta CDellaGiusta force-pushed the issv3-taskomatic-job branch 2 times, most recently from 11cc22a to 1a51d4c Compare January 23, 2025 15:07
@CDellaGiusta CDellaGiusta requested a review from mcalmer January 23, 2025 15:10
        CertificateUtils.saveCertificates(filenameToRootCaCertMap);
        updateCaCertificates();
    }

Contributor Author

I tried to move all I could to CertificateUtils class. Unfortunately updateCaCertificates uses "executeExtCmd" (from RhnJavaJob) and hence it could not be moved. The same happens in PaygUpdateHostsTask.loadHttpsCertificates. Any suggestion is welcome.

Contributor

Ok

@mcalmer
Contributor

mcalmer commented Jan 24, 2025

The code looks good. But we should fix the tests before we merge.
To fix them, we need to rebase the issv3 branch and after that your branch.
Let's organize this.

@mcalmer mcalmer requested a review from a team as a code owner January 24, 2025 13:16
Contributor

@cbbayburt cbbayburt left a comment

XMLRPC looks fine 👍

4 participants