Simplified Proxy Onboarding #9703

Draft
wants to merge 1 commit into
base: master

@rjpmestre rjpmestre commented Jan 29, 2025

Warning

This PR is a work in progress. While the core functionality is in place, there are still multiple scenarios to address and details to refine. This PR is intended to gather early feedback on the current implementation, considering the known issues (listed at the end).

Overview

This PR implements a new feature that aims to simplify the proxy onboarding process (following discussions at https://github.com/SUSE/spacewalk/issues/24680 and https://github.com/SUSE/spacewalk/issues/23714).
Currently, setting up a proxy involves the following steps: onboarding the minion, creating a proxy configuration file, installing Podman and mgrpxy (provided by uyuni tools), and finally running mgrpxy install.

For this initial feature iteration, our goal is to streamline the process by extending the existing web UI functionality (Container Based Proxy Configuration). Once the user fills in the necessary information in a form, the system will automatically set up the minion as a proxy with minimal manual intervention.

Pre-requisites

  • minion is onboarded
  • minion is reachable
  • minion has access to Uyuni Client Tools (via Software Channels/spacewalk-common-channels)
  • minion is convertible to a proxy* or has a proxy entitlement

Note

Whether a minion can be converted to a proxy depends on the running manager:

  • SUSE Manager (SUMA) only allows transactional servers (for supportability reasons).
  • Uyuni allows all minions.
  • In both cases, the minion must not already be a proxy.

Base Setup

If an onboarded minion meets the prerequisites to become a proxy, the first step is to go to the minion's Overview page. From there:

  1. Navigate to Details > Properties.
  2. Add "Proxy" under Add-On System Types.
  3. Click Update Properties.
    This action will make a new main tab, Proxy, visible.
    Alternatively, the user can achieve the same result by clicking Convert to Proxy in the top-right corner of the Overview page.
    The Proxy tab is intended to display data and provide operations related to the proxy. At this stage, it will only contain the form used to apply the proxy configurations to the minion.

WebUI Form

| Name | Type | Values/Restrictions | Notes |
|---|---|---|---|
| Parent FQDN | Select | Running manager instance and all proxies | |
| Proxy SSH port | Input (int) | Range 1 - 65535, default 8022 | |
| Max Squid cache size | Input (int) | Default 100 | In GB |
| Proxy admin email | Input (string) | | |
| Certificates | Radio box | "Keep", "Replace" | "Replace" is the default value. Only visible if an existing configuration exists. |
| Root CA | File input | | Disabled and pre-filled if certificate is set to "Keep" |
| Proxy certificate | File input | | Disabled and pre-filled if certificate is set to "Keep" |
| Proxy SSL private key | File input | | Disabled and pre-filled if certificate is set to "Keep" |
| Intermediate CAs | Multiple file input | | Disabled and pre-filled if certificate is set to "Keep" |
| Source | Radio box | "Registry", "RPM" | Only displayed in SUMA. Uyuni users will always use "Registry". |
| Registry | Radio box | "Simple", "Advanced" | Visible only if "Registry" is selected |
| Registry URL | Input (string) | | Visible and required only if "Simple" is selected |
| Registry Tag | Select | | Visible and required only if "Simple" is selected. Options filled once "Registry URL" is validated. |
| HTTPD URL | Input (string) | | Visible and required only if "Advanced" is selected |
| HTTPD Tag | Select | | Visible and required only if "Advanced" is selected. Options filled once "HTTPD URL" is validated. |
| Salt Broker URL | Input (string) | | Visible and required only if "Advanced" is selected |
| Salt Broker Tag | Select | | Visible and required only if "Advanced" is selected. Options filled once "Salt Broker URL" is validated. |
| Squid URL | Input (string) | | Visible and required only if "Advanced" is selected |
| Squid Tag | Select | | Visible and required only if "Advanced" is selected. Options filled once "Squid URL" is validated. |
| SSH URL | Input (string) | | Visible and required only if "Advanced" is selected |
| SSH Tag | Select | | Visible and required only if "Advanced" is selected. Options filled once "SSH URL" is validated. |
| TFTPD URL | Input (string) | | Visible and required only if "Advanced" is selected |
| TFTPD Tag | Select | | Visible and required only if "Advanced" is selected. Options filled once "TFTPD URL" is validated. |

Note: All visible inputs are mandatory, except the Intermediate CAs.

Flow

Once the user fills in the form and it is valid, the "Apply" button will be enabled. Clicking it will trigger the following flow:

  • Validate Inputs: Ensure that all required inputs, including registry URLs, are provided and valid.
  • Create Proxy Configuration Files (based on the Container-Based Proxy Configuration feature):
    • config.yaml
    • httpd.yaml
    • ssh.yaml
  • Save Configuration to Pillars (with category = "proxy")
  • Apply Salt State to:
    • determine the mgrpxy operation to execute (install or upgrade) and if it is a transactional server - eases following steps
    • confirm podman is installed and running;
    • confirm mgrpxy is installed;
    • copy configuration files to "/etc/uyuni/proxy";
    • if minion's local operating system is not transactional
      • execute mgrpxy install/upgrade command with custom registries if provided and log it into "/var/log/mgrpxy_install.log"
    • otherwise,
      • create a systemd "apply_mgrpxy.service" defined in "/etc/systemd/system/apply_mgrpxy.service" service file that should
        • execute mgrpxy install/upgrade command with custom registries if provided and log it into "/var/log/mgrpxy_install.log"
        • remove itself if the install/upgrade command was successful
      • enable "apply_mgrpxy.service"

Known issues

  • Convert to Proxy button is not setting proxy entitlement;
  • Applying a proxy configuration successfully isn't creating a proxy info (Convert to Proxy button is always visible);
  • Previously saved registries/tags are not restored if toggling between Source or Registry Source options;
  • When form is loaded and source is RPM, the Apply button is not enabled;
  • Bearer token is not reused for same registry realms;
  • Not meaningful fail messages back to the UI;
  • Any updates on the form trigger validation over registry url fields (ie, repeated tag retrieval or catalog requests);
  • No unit tests;
  • Documentation;
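
A server-side version of the "Validate Inputs" step, added here as an illustration and not taken from the PR's code: it re-derives which fields are mandatory from the visibility rules in the form table instead of trusting what the browser chose to show. The field keys and the accepted registry URL shape are assumptions, since the page gives only the form labels.

```python
import re

# Hypothetical field keys: the PR names only the form labels, not identifiers.
BASE = ["parent_fqdn", "ssh_port", "max_cache_gb", "admin_email",
        "root_ca", "proxy_cert", "proxy_key"]  # intermediate CAs stay optional
ADVANCED_IMAGES = ["httpd", "salt_broker", "squid", "ssh", "tftpd"]
# Assumed shape of a registry URL: host[:port]/path, no scheme, no tag.
IMAGE_URL = re.compile(r"^[a-z0-9.-]+(:\d{1,5})?(/[a-z0-9._-]+)+$")


def required_fields(form, is_suma):
    """Field keys that the form table marks as visible, hence mandatory."""
    fields = list(BASE)
    # "Source" is only displayed in SUMA; Uyuni always uses "Registry",
    # so a client-supplied value is ignored there.
    source = form.get("source") if is_suma else "registry"
    if is_suma:
        fields.append("source")
    if source == "registry":
        fields.append("registry_mode")
        mode = form.get("registry_mode")
        if mode == "simple":
            fields += ["registry_url", "registry_tag"]
        elif mode == "advanced":
            for image in ADVANCED_IMAGES:
                fields += [f"{image}_url", f"{image}_tag"]
    return fields


def validate(form, is_suma=False):
    """Return error strings; an empty list means the form can be applied."""
    required = required_fields(form, is_suma)
    errors = [f"{k}: required" for k in required if form.get(k) in (None, "")]
    port = form.get("ssh_port")
    if port not in (None, "") and not (type(port) is int and 1 <= port <= 65535):
        errors.append("ssh_port: must be an integer in 1-65535")
    if is_suma and form.get("source") not in (None, "", "registry", "rpm"):
        errors.append("source: must be 'registry' or 'rpm'")
    if "registry_mode" in required and form.get("registry_mode") not in (
            None, "", "simple", "advanced"):
        errors.append("registry_mode: must be 'simple' or 'advanced'")
    for key in required:
        value = form.get(key)
        if key.endswith("_url") and value and not IMAGE_URL.match(str(value)):
            errors.append(f"{key}: not a valid registry URL")
    return errors
```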

👋 Hello! Thanks for contributing to our project.
Acceptance tests will take some time (approx. 1h), please be patient ☕
You can see the progress at the end of this page and at https://github.com/uyuni-project/uyuni/pull/9703/checks
Once tests finish, if they fail, you can check 👀 the cucumber report. See the link at the output of the action.
You can also check the artifacts section, which contains the logs at https://github.com/uyuni-project/uyuni/pull/9703/checks.

If you are unsure the failing tests are related to your code, you can check the "reference jobs". These are jobs that run on a scheduled time with code from master. If they fail for the same reason as your build, it means the tests or the infrastructure are broken. If they do not fail, but yours do, it means it is related to your code.

Reference tests:

KNOWN ISSUES

Sometimes the build can fail when pulling new jar files from download.opensuse.org . This is a known limitation. Given this happens rarely, when it does, all you need to do is rerun the test. Sorry for the inconvenience.

For more tips on troubleshooting, see the troubleshooting guide.

Happy hacking!
⚠️ You should not merge if acceptance tests fail to pass. ⚠️

Suggested tests to cover this Pull Request
  • allcli_software_channels
  • srv_channel_api
  • srv_custom_system_info
  • srv_virtual_host_manager
  • allcli_action_chain
  • srv_sync_products
  • proxy_container_retail_mass_import
  • srv_first_settings
  • min_change_software_channel
  • min_rhlike_ssh
  • srv_cobbler_profile
  • min_salt_user_states
  • min_ansible_control_node
  • min_salt_formulas_advanced
  • srv_check_sync_source_packages
  • allcli_overview_systems_details
  • min_recurring_action
  • srv_change_task_schedule
  • min_salt_lock_packages
  • min_salt_pkgset_beacon
  • proxy_traditional_retail_mass_import
  • min_docker_api
  • srv_cobbler_distro
  • srv_rename_hostname
  • srv_wait_for_reposync
  • min_empty_system_profiles
  • srv_reportdb
  • srv_organization_credentials
  • srv_push_package
  • min_deblike_monitoring
  • min_deblike_remote_command
  • srv_notifications
  • srv_cobbler_buildiso
  • srv_sync_fake_channels
  • srv_enable_sync_products
  • min_monitoring
  • min_deblike_ssh
  • srv_clone_channel_npn
  • min_salt_install_with_staging
  • min_salt_install_package
  • proxy_cobbler_pxeboot
  • srv_content_lifecycle
  • min_salt_mgrcompat_state
  • min_cve_audit
  • srv_create_fake_repositories
  • srv_check_channels_page
  • min_virthost
  • srv_logfile
  • allcli_sanity
  • allcli_config_channel
  • srv_dist_channel_mapping
  • srv_channels_add
  • srv_scc_user_credentials
  • min_activationkey
  • srv_sync_channels
  • srv_disable_local_repos_off
  • srv_delete_channel_with_tool
  • srv_menu
  • min_salt_minion_details
  • min_bootstrap_ssh_key
  • buildhost_docker_build_image
  • srv_handle_config_channels_with_ISS_v2
  • allcli_update_activationkeys
  • min_salt_minions_page
  • srv_power_management_redfish
  • srv_activationkey_api
  • srv_create_repository
  • min_cve_id_new_syntax
  • minssh_bootstrap_api
  • srv_monitoring
  • srv_docker_advanced_content_management
  • proxy_traditional_retail_pxeboot
  • srv_power_management_api
  • buildhost_bootstrap
  • min_rhlike_monitoring
  • srv_salt_download_endpoint
  • proxy_traditional_cobbler_pxeboot
  • srv_users
  • proxy_retail_pxeboot_and_mass_import
  • srv_salt
  • srv_group_union_intersection
  • srv_handle_software_channels_with_ISS_v2
  • min_move_from_and_to_proxy
  • proxy_traditional
  • proxy_as_pod_basic_tests
  • minssh_salt_install_package
  • min_salt_openscap_audit
  • sle_ssh_minion
  • buildhost_docker_auth_registry
  • srv_disable_scheduled_reposync
  • srv_payg_ssh_connection
  • min_action_chain
  • srv_docker_cve_audit
  • min_rhlike_remote_command
  • proxy_container_cobbler_pxeboot
  • min_rhlike_openscap_audit
  • min_bootstrap_reactivation
  • srv_add_rocky8_repositories
  • proxy_register_as_minion_with_script
  • srv_user_api
  • allcli_reboot
  • srv_create_activationkey
  • min_ssh_tunnel
  • srv_create_fake_channels
  • min_salt_software_states
  • proxy_container
  • minssh_action_chain
  • srv_power_management
  • min_rhlike_salt_install_package_and_patch
  • proxy_container_branch_network
  • srv_user_preferences
  • srv_task_status_engine
  • min_deblike_salt_install_with_staging
  • min_config_state_channel
  • min_rhlike_salt
  • min_bootstrap_negative
  • min_check_patches_install
  • min_retracted_patches
  • min_deblike_salt_install_package
  • sle_minion
  • allcli_system_group
  • srv_advanced_search
  • proxy_container_retail_pxeboot
  • min_bootstrap_script
  • srv_check_reposync
  • min_config_state_channel_api
  • srv_mainpage
  • srv_manage_channels_page
  • srv_datepicker
  • min_salt_formulas
  • minkvm_guests
  • srv_delete_channel_from_ui
  • srv_distro_cobbler
  • min_project_lotus
  • srv_change_password
  • minssh_ansible_control_node
  • proxy_branch_network
  • min_deblike_openscap_audit
  • srv_user_configuration_salt_states
  • min_timezone
  • srv_patches_page
  • min_config_state_channel_subscriptions
  • allcli_software_channels_dependencies
  • srv_cobbler_sync
  • buildhost_osimage_build_image
  • srv_docker
  • min_bootstrap_api
  • min_custom_pkg_download_endpoint
  • srv_restart
  • srv_osimage
  • min_deblike_salt
  • srv_maintenance_windows
  • minssh_tunnel
  • min_salt_migration
  • minssh_move_from_and_to_proxy
  • srv_manage_activationkey
  • srv_errata_api

# Conflicts:
#	java/code/src/com/suse/manager/webui/services/SaltServerActionService.java
@rjpmestre rjpmestre force-pushed the mu-simplified_proxy_onboarding branch from b57a121 to 14f73fb Compare January 30, 2025 19:18