theforeman / puppet-certs

Puppet module for dealing with SSL certs across other modules used in Katello
GNU General Public License v3.0

Make deploying client bundle certificate optional #458

Open ehelms opened 1 month ago

ehelms commented 1 month ago

Currently we deploy this certificate in all deployments but it should only be deployed onto a foreman-proxy where reverse proxy is present. It is useless and unused on a Foreman deployment. This keeps the default behaviour by defaulting to 'present' but provides a way to set this to false in puppet-foreman_proxy_content (PR to follow).

ehelms commented 1 month ago

The puppet-foreman_proxy_content module includes certs::foreman_proxy in multiple locations (https://github.com/search?q=repo%3Atheforeman%2Fpuppet-foreman_proxy_content+certs%3A%3Aforeman_proxy&type=code), which from my early testing makes it difficult to include this change, as I need to switch to using class { 'certs::foreman_proxy': } in order to set this new parameter somewhere, and I encounter duplicate class declarations.

ekohl commented 1 month ago

> Currently we deploy this certificate in all deployments but it should only be deployed onto a foreman-proxy where reverse proxy is present.

That's https://github.com/theforeman/puppet-foreman_proxy_content/blob/master/manifests/reverse_proxy.pp#L54

I always had questions about this. Why is the reverse proxy configured with a private key? That just screams potential security holes to me.

Quoting https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile

> This directive sets the all-in-one file where you keep the certificates and keys used for authentication of the proxy server to remote servers.

Why do we need that?

ehelms commented 1 month ago

> Why do we need that?

I believe this is used to perform re-encryption because SSL was being terminated in Apache on the Capsule and we then need to proxy the communication while preserving the SSL client certificate header (https://github.com/theforeman/puppet-foreman_proxy_content/blob/master/manifests/reverse_proxy.pp#L62).

ekohl commented 1 month ago

My expectation is that it would simply result in a different SSL client certificate header. The one belongs to the certificate & private key provided in the bundle.

ehelms commented 1 month ago

My understanding is that without setting this, the proxy cannot present a valid certificate to the Apache on Foreman. While this appears to work without SSLProxyMachineCertificateFile, there are errors within the log:

AH02268: Proxy client certificate callback: (<hostname>:443) downstream server wanted client certificate but none are configured

In all cases, the client certificate information has to be extracted and put into a new header that is sent along (this line: https://github.com/theforeman/puppet-foreman_proxy_content/blob/master/manifests/reverse_proxy.pp#L62), because the client certificates cannot be passed along.
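To make the two-hop arrangement discussed above concrete, the following is an added illustration written for this thread; it is not the configuration that puppet-foreman_proxy_content generates. It shows a minimal re-encrypting reverse proxy vhost on a foreman-proxy: TLS from the client is terminated locally, the connection to Foreman is re-encrypted and authenticated with the proxy's own client bundle (SSLProxyMachineCertificateFile, which is what silences AH02268), and the original client's certificate is copied into a request header because TLS client authentication cannot be relayed across the hop. All file paths, hostnames and the header name X-Client-Cert are assumptions, not the project's values.

```apache
# Added example for this discussion, not the project's own configuration.
# Paths, hostnames and the header name are assumptions.
<VirtualHost *:443>
    ServerName capsule.example.com

    # Hop 1: terminate TLS from the client here and request a client certificate.
    SSLEngine on
    SSLCertificateFile     /etc/pki/katello/certs/capsule.example.com.crt   # assumed path
    SSLCertificateKeyFile  /etc/pki/katello/private/capsule.example.com.key # assumed path
    SSLCACertificateFile   /etc/pki/katello/certs/ca.crt                    # assumed path
    SSLVerifyClient optional
    SSLVerifyDepth 3
    # Export SSL_CLIENT_CERT (the PEM of the verified client cert) into the environment.
    SSLOptions +StdEnvVars +ExportCertData

    # Hop 2: re-encrypt towards Foreman and verify its server certificate.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/katello/certs/ca.crt             # assumed path
    # Foreman's vhost requires a client certificate on this hop. Without this
    # directive mod_ssl logs AH02268 ("downstream server wanted client
    # certificate but none are configured") and the upstream sees the proxy as
    # anonymous. The file holds certificate + private key in PEM, so it must be
    # readable only by the httpd user (e.g. mode 0600).
    SSLProxyMachineCertificateFile /etc/pki/katello/private/capsule-client-bundle.pem  # assumed path

    # The client's certificate cannot be forwarded as TLS state, so it is
    # relayed in a header. Unset it first so a client cannot inject its own
    # value, then set it only when a verified client certificate is present.
    RequestHeader unset X-Client-Cert
    RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT

    ProxyPreserveHost On
    ProxyPass        / https://foreman.example.com/
    ProxyPassReverse / https://foreman.example.com/
</VirtualHost>
```

The `RequestHeader unset` line is the part a reviewer should look for: the upstream trusts whatever arrives in that header, so the proxy must never pass through a client-supplied copy. On the Foreman side the matching control is to accept the header only on connections that authenticated with the proxy's machine certificate (the bundle this PR makes optional), which is the trust relationship that justifies keeping a private key on the proxy at all.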