Use proxy FQDN from config file for auth token (#9265)

AuthToken appended FQDN is used also for translating autoyast/ks server FQDN to proxy one. AuthToken thus has to use external FQDN and not internal pod hostname. This commit introduce this change and also fix for hairpin problem as AuthToken hostname was used for internal connection, which must be localhost (or internal pod hosname) for container scenario.
uyuni-project · Sep 24, 2024 · a49ad32 · a49ad32
1 parent 66c4d18
commit a49ad32
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 0 deletions.
diff --git a/containers/proxy-httpd-image/proxy-httpd-image.changes.oholecek.store_proxy_fqdn b/containers/proxy-httpd-image/proxy-httpd-image.changes.oholecek.store_proxy_fqdn
@@ -0,0 +1,2 @@
+- store proxy FQDN in the rhn.conf for auth token use
+  (bsc#1230255)
diff --git a/containers/proxy-httpd-image/uyuni-configure.py b/containers/proxy-httpd-image/uyuni-configure.py
@@ -167,6 +167,7 @@ def insert_under_line(file_path, line_to_match, line_to_insert):
         
         # Hostname of Uyuni, SUSE Manager Server or another proxy
         proxy.rhn_parent = {config['server']}
+        proxy.proxy_fqdn = {config['proxy_fqdn']}
         
         # Destination of all tracebacks, etc.
         traceback_mail = {config['email']}

diff --git a/proxy/proxy/broker/rhnBroker.py b/proxy/proxy/broker/rhnBroker.py
@@ -100,6 +100,10 @@ def __init__(self, req):
                     socket.herror, socket.timeout):
                 # hostname probably didn't exist, fine
                 pass
+        if not hostname and CFG.has_key('PROXY_FQDN'):
+            # Not resolvable hostname, check container config
+            log_debug(2, "Using PROXY_FQDN config %s" % CFG.PROXY_FQDN)
+            hostname = CFG.PROXY_FQDN
         if not hostname:
             # okay, that didn't work, let's do a reverse dns lookup on my
             # ip address

diff --git a/proxy/proxy/rhnShared.py b/proxy/proxy/rhnShared.py
@@ -126,11 +126,15 @@ def _connectToParent(self):
         # if this request is for an upstream server, use the original query string.
         # Otherwise, if it is for the local Squid instance, strip it so that
         # Squid will not keep multiple cached copies of the same resource
+        # Containers notes: when going for local proxy, use localhost as host to avoid
+        # hairpin problem.
         if self.httpProxy not in ['127.0.0.1:8080', 'localhost:8080']:
             if 'X-Suse-Auth-Token' in self.req.headers_in:
                 self.uri += '?%s' % self.req.headers_in['X-Suse-Auth-Token']
             elif query:
                 self.uri += '?%s' % query
+        else:
+            host = 'localhost'
 
         log_debug(3, 'Scheme:', scheme)
         log_debug(3, 'Host:', host)
@@ -172,6 +176,12 @@ def _create_connection(self):
             'host':   host,
             'port':   port,
         }
+
+        # Containers notes: when going for local proxy, use localhost as host to avoid
+        # hairpin problem.
+        if self.httpProxy in ['127.0.0.1:8080', 'localhost:8080']:
+            params['host'] = 'localhost'
+
         if CFG.has_key('timeout'):
             params['timeout'] = CFG.TIMEOUT
         if self.httpProxy:

diff --git a/proxy/proxy/spacewalk-proxy.changes.oholecek.fix_authtoken_hostname b/proxy/proxy/spacewalk-proxy.changes.oholecek.fix_authtoken_hostname
@@ -0,0 +1,2 @@
+- set proxy authtoken FQDN based on config file
+  (bsc#1230255)