PoC to deploy with quadlets

manifests/artemis.pp

@@ -22,6 +22,13 @@
     group   => $candlepin::group,
   }
 
+  file { "${candlepin::tomcat_conf}/conf.d":
+    ensure => directory,
+    mode   => '0755',
+    owner  => $candlepin::user,
+    group  => $candlepin::group,
+  }
+
   file { "${candlepin::tomcat_conf}/login.config":
     ensure  => file,
     content => file('candlepin/tomcat/login.config'),

manifests/config.pp

@@ -78,4 +78,34 @@
   file { '/var/lib/candlepin/.puppet-candlepin-rpm-version':
     ensure => absent,
   }
+
+  if $candlepin::use_container {
+    file { $candlepin::tomcat_conf:
+      ensure => directory,
+      mode   => '0755',
+      owner  => 'root',
+      group  => $candlepin::group,
+    }
+
+    file { '/var/lib/candlepin':
+      ensure => directory,
+      mode   => '0755',
+      owner  => 'root',
+      group  => $candlepin::group,
+    }
+
+    file { '/var/log/candlepin':
+      ensure => directory,
+      mode   => '0755',
+      owner  => 'root',
+      group  => $candlepin::group,
+    }
+
+    file { '/var/log/tomcat':
+      ensure => directory,
+      mode   => '0755',
+      owner  => 'root',
+      group  => $candlepin::group,
+    }
+  }
 }

manifests/init.pp

@@ -174,6 +174,12 @@
 # @param db_manage_on_startup
 #   How to manage database migrations on startup.
 #
+# @param use_container
+#   If true, deploys systemd service using a container.
+#
+# @param container_image
+#   Specifies the container image to use when deploying via container.
+#
 # @example Set debug logging
 #   class { 'candlepin':
 #     loggers => {
@@ -238,6 +244,8 @@
   String $group = 'tomcat',
   Boolean $disable_fips = true,
   Enum['None', 'Report', 'Halt', 'Manage'] $db_manage_on_startup = 'Manage',
+  Boolean $use_container = false,
+  String[1] $container_image = 'quay.io/ehelms/candlepin:4.4.5-1',
 ) inherits candlepin::params {
   contain candlepin::service
 

manifests/install.pp

@@ -4,33 +4,37 @@
 class candlepin::install {
   assert_private()
 
-  $enable_pki_core = $facts['os']['release']['major'] == '8'
+  if !$candlepin::use_container {
+    $enable_pki_core = $facts['os']['release']['major'] == '8'
 
-  if $candlepin::java_package {
-    stdlib::ensure_packages([$candlepin::java_package])
-    Package[$candlepin::java_package] -> Package['candlepin']
-  }
-
-  if $enable_pki_core {
-    package { 'pki-core':
-      ensure      => installed,
-      enable_only => true,
-      provider    => 'dnfmodule',
-      before      => Package['candlepin'],
+    if $candlepin::java_package {
+      stdlib::ensure_packages([$candlepin::java_package])
+      Package[$candlepin::java_package] -> Package['candlepin']
     }
-  }
 
-  package { ['candlepin']:
-    ensure => $candlepin::version,
-  }
+    if $enable_pki_core {
+      package { 'pki-core':
+        ensure      => installed,
+        enable_only => true,
+        provider    => 'dnfmodule',
+        before      => Package['candlepin'],
+      }
+    }
 
-  if $facts['os']['selinux']['enabled'] {
-    package { ['candlepin-selinux']:
+    package { ['candlepin']:
       ensure => $candlepin::version,
     }
 
-    if $enable_pki_core {
-      Package['pki-core'] -> Package['candlepin-selinux']
+    if $facts['os']['selinux']['enabled'] {
+      package { ['candlepin-selinux']:
+        ensure => $candlepin::version,
+      }
+
+      if $enable_pki_core {
+        Package['pki-core'] -> Package['candlepin-selinux']
+      }
     }
+  } else {
+    stdlib::ensure_packages(['podman'])
   }
 }

manifests/service.pp

@@ -4,6 +4,21 @@
 class candlepin::service {
   assert_private()
 
+  if $candlepin::use_container {
+    $container_context = {
+      'image' => $candlepin::container_image,
+    }
+
+    file { '/etc/containers/systemd/tomcat.container':
+      ensure  => file,
+      content => epp('candlepin/candlepin.container.epp', $container_context),
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0440',
+      before  => Service['tomcat'],
+    }
+  }
+
   service { 'tomcat':
     ensure     => running,
     enable     => true,

spec/acceptance/basic_candlepin_spec.rb

@@ -3,7 +3,15 @@
 #TODO: Add Artemis listening test https://projects.theforeman.org/issues/29561
 
 describe 'candlepin works' do
-  include_examples 'the example', 'basic_candlepin.pp'
+  before(:all) do
+    cleanup_installation
+  end
+
+  it_behaves_like 'an idempotent resource' do
+    let(:manifest) do
+      basic_manifest(false)
+    end
+  end
 
   describe port(8443) do
     it { is_expected.to be_listening }

spec/acceptance/container_spec.rb

@@ -0,0 +1,58 @@
+require 'spec_helper_acceptance'
+
+#TODO: Add Artemis listening test https://projects.theforeman.org/issues/29561
+
+describe 'candlepin works as a container' do
+  before(:all) do
+    cleanup_installation
+  end
+
+  it_behaves_like 'an idempotent resource' do
+    let(:manifest) do
+      basic_manifest(true)
+    end
+  end
+
+  describe port(8443) do
+    it { is_expected.to be_listening }
+  end
+
+  describe package('candlepin') do
+    it { is_expected.not_to be_installed }
+  end
+
+  describe file("/etc/containers/systemd/tomcat.container") do
+    it { should be_file }
+    it { should be_mode 440 }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+  end
+
+  describe command('curl -k -s -o /dev/null -w \'%{http_code}\' https://localhost:8443/candlepin/status') do
+    its(:stdout) { should eq "200" }
+  end
+
+  describe command('nmap --script +ssl-enum-ciphers localhost -p 8443') do
+    # We don't enable TLSv1.3 by default yet. TLSv1.3 support was added in tomcat 7.0.92
+    # But tomcat 7.0.76 is the latest version available on EL7
+    its(:stdout) { should_not match(/TLSv1\.3/) }
+
+    # Test that TLSv1.2 is enabled
+    its(:stdout) { should match(/TLSv1\.2/) }
+
+    # Test that older TLS versions are disabled
+    its(:stdout) { should_not match(/TLSv1\.1/) }
+    its(:stdout) { should_not match(/TLSv1\.0/) }
+
+    # Test that the least cipher strength is "strong" or "A"
+    its(:stdout) { should match(/least strength: (A|strong)/) }
+  end
+
+  describe file("/etc/tomcat/cert-users.properties") do
+    it { should be_file }
+    it { should be_mode 640 }
+    it { should be_owned_by 'tomcat' }
+    it { should be_grouped_into 'tomcat' }
+    its(:content) { should eq("katelloUser=CN=ActiveMQ Artemis Deferred, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ\n") }
+  end
+end

spec/support/acceptance/basic.rb

@@ -0,0 +1,63 @@
+def basic_manifest(container = true)
+  return <<-MANIFEST
+    $keydir = '/etc/candlepin/certs'
+    $keystore = "${keydir}/keystore"
+    $keystore_password = 'secret'
+    $truststore = "${keydir}/truststore"
+    $truststore_password = 'secret'
+    $ca_key = "${keydir}/candlepin-ca.key"
+    $ca_cert = "${keydir}/candlepin-ca.crt"
+
+    exec { "/bin/mkdir -p ${keydir}":
+      creates => $keydir,
+    } ->
+    exec { 'Create CA key':
+      command => "/usr/bin/openssl genrsa -out '${ca_key}' 2048",
+      creates => $ca_key,
+      notify  => Service['tomcat'],
+    } ->
+    exec { 'Create CA certficate':
+      command => "/usr/bin/openssl req -new -x509 -key '${ca_key}' -out '${ca_cert}' -nodes -x509 -subj '/C=US/ST=North Carolina/L=Raleigh/O=CustomKatelloCA/CN=${facts['networking']['fqdn']}'",
+      creates => $ca_cert,
+      notify  => Service['tomcat'],
+    } ->
+    exec { 'Create keystore':
+      command => "/usr/bin/openssl pkcs12 -export -in '${ca_cert}' -inkey '${ca_key}' -out '${keystore}' -name tomcat -CAfile '${ca_cert}' -caname root -password 'pass:${keystore_password}'",
+      creates => $keystore,
+      notify  => Service['tomcat'],
+    } ->
+    package { ['java']: } ->
+    exec { 'Create truststore':
+      command => "/usr/bin/keytool -import -v -keystore ${truststore} -alias candlepin-ca -file ${ca_cert} -noprompt -storepass ${truststore_password} -storetype pkcs12",
+      creates => $truststore,
+    } ->
+    file { $ca_key:
+      mode  => '0440',
+      group => 'tomcat',
+    } ->
+    file { $ca_cert:
+      mode  => '0440',
+      group => 'tomcat',
+    } ->
+    file { $keystore:
+      mode  => '0440',
+      group => 'tomcat',
+    } ->
+    file { $truststore:
+      mode  => '0440',
+      group => 'tomcat',
+    } ->
+    class { 'candlepin':
+      ca_key              => $ca_key,
+      ca_cert             => $ca_cert,
+      keystore_file       => $keystore,
+      keystore_password   => $keystore_password,
+      truststore_file     => $truststore,
+      truststore_password => $truststore_password,
+      java_package        => 'java-17-openjdk',
+      java_home           => '/usr/lib/jvm/jre-17',
+      artemis_client_dn   => Deferred('pick', ['', 'CN=ActiveMQ Artemis Deferred, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ']),
+      use_container       => #{container},
+    }
+  MANIFEST
+end

spec/support/acceptance/cleanup.rb

@@ -0,0 +1,5 @@
+def cleanup_installation
+  on default, 'dnf -y remove candlepin candlepin-selinux pki-*'
+  on default, 'rm -rf /etc/tomcat /etc/candlepin'
+  on default, 'rm -rf /etc/containers/systemd/tomcat.container'
+end

templates/candlepin.container.epp

@@ -0,0 +1,27 @@
+<%- |
+  String[1] $image,
+| -%>
+### File managed with puppet ###
+## Module: '<%= $module_name %>'
+[Unit]
+Description=Candlepin
+After=local-fs.target
+
+[Install]
+WantedBy=multi-user.target default.target
+
+[Container]
+Image=<%= $image %>
+PodmanArgs=--cgroups=enabled
+LogDriver=journald
+Network=host
+
+Volume=/etc/tomcat/server.xml:/etc/tomcat/server.xml:Z
+Volume=/etc/tomcat/login.config:/etc/tomcat/login.config:Z
+Volume=/etc/tomcat/cert-roles.properties:/etc/tomcat/cert-roles.properties:Z
+Volume=/etc/tomcat/cert-users.properties:/etc/tomcat/cert-users.properties:Z
+Volume=/etc/tomcat/conf.d/jaas.conf:/etc/tomcat/conf.d/jaas.conf:Z
+Volume=/etc/tomcat/tomcat.conf:/etc/tomcat/tomcat.conf:Z
+Volume=/etc/candlepin:/etc/candlepin:Z
+Volume=/var/log/candlepin:/var/log/candlepin:Z
+Volume=/var/log/tomcat:/var/log/tomcat:Z